Over the past few years cyberattacks have grown in both frequency and complexity. During 2020 we saw the sweeping impact of the SolarWinds hack which used a sophisticated supply chain attack to infect hundreds of systems, including several federal agencies. The next year saw new threats emerge, like the Log4j vulnerability which represents an important risk to this day.
The threat landscape for the coming year shows little sign of improving, with attackers refining their techniques and new vulnerabilities being discovered faster than they can be patched. It is more important than ever that businesses assess their cybersecurity risk and take steps to protect themselves from data breaches and extortion.
In this article we’ll examine the cybersecurity trends which are most likely to impact small businesses and provide some advice on what steps can be taken to offset these cyber threats.
Social engineering ransomware will continue to be a big threat
Looking at 2021, it is clear that ransomware attacks will continue to be a serious threat in 2022. Ransomware impacted thousands of businesses and organizations including Kia, Acer, the Washington D.C. Police Department and more. Millions of dollars in ransoms were paid out and many more millions were lost in missed productivity and lost data.
While many of these high-profile cyberattacks were initiated using complicated zero-day exploits, the reality is that most attacks are initiated through social engineering. Rather than hack into your system, cybercriminals rely on your employees to give them access to it. Common attacks include ransomware hidden within links or attachments disguised as invoices or quotes.
Social engineering attacks have become extremely nuanced, often involving compromised email addresses of your clients or suppliers. While once it could reasonably be argued that common sense was all that was necessary to stifle this sort of attack, this is no longer the case.
Educating your employees on how to avoid social engineering attacks, as well as general cyber hygiene, is more important than ever. Research has shown that employees who have been given training on how to avoid the most common social engineering attacks that hackers use are 8 times less likely to fall victim to these attacks.
The past two years of working remotely will create new types of threats that capitalize on a distributed workforce
Over the past two years we’ve seen a tremendous change in how business is conducted. Prior to the Covid-19 pandemic work from home was relatively uncommon, but a study conducted in May of 2021 showed that 70% of businesses were planning on implementing a hybrid work model, allowing their employees to work at least partially from home.
Work from home has proven to be a considerable boon in our ongoing battle against Covid, but this transition opens an entirely new front of vulnerabilities for cybercriminals to exploit. While business networks can be hardened, home networks are often an easier target. Between routers in need of patching and the growing number of vulnerabilities posed by IoT (Internet of Things) devices, businesses must accept that home networks represent a greater risk and vastly expand your business’s attack surface.
Zero Trust and Minimization of Blast Radius
In light of this digital transformation, it is important for small businesses to begin to adopt new risk management techniques. One particularly useful security strategy is Zero Trust. With business networks no longer having clearly defined edges it is important to verify access constantly, rather than only at the time of initial connection.
By implementing a Zero Trust security strategy you empower your employees to be more productive by allowing them to access company resources from their home PC, tablet, or smartphone. Simultaneously, you limit the impact that a threat actor is capable of having in the event that they do gain access.
The principles of Zero Trust are built on constant and explicit verification, granting the least amount of access necessary, and always assuming breach. Any cybersecurity strategy that businesses implement in 2022 needs to incorporate all three of these elements. With these data protection principles in place, companies are able to mitigate the potential damage of an intrusion.
Ransomware will continue to be the largest threat to small businesses
In addition to the threat posed by social engineering attacks, cybercrime relying on zero-day exploits and unpatched vulnerabilities continues to be on the rise. During 2020 and 2021 we saw the rise of Ransomware as a Service (RaaS), where cyber criminals develop apps or identify exploits that are then available for purchase and use by relatively unskilled attackers.
One of the most common types of malware used in these attacks is ransomware, a program which encrypts your system files and only promises to release the decryption key after the victim pays up.
While small businesses might feel safe from this sort of attack, essentially hoping to fly under the radar, the reality is that they are often the most vulnerable to attack. Small businesses make up the majority of the victims of cyber extortion, with over 70% of ransomware attacks targeting them. This actually makes sense as small businesses are generally less prepared to handle these attacks, often lacking a Chief Information Security Officer (CISO) or even a dedicated IT team to address these security issues in a timely manner.
The result of this lack of preparation is that small businesses often feel forced to pay the ransom. The alternative of rebuilding their digital infrastructure from scratch could potentially be ruinous, or at least a tremendous setback for the year.
However, even paying ransoms is no guarantee of data recovery. A recent study conducted by Sophos found that of those businesses that paid the ransom, only 8% recovered all of their data while 29% saw more than half of their data lost forever.
The threat of ransomware reinforces the need for small businesses to protect and back up their critical infrastructure, as now even the sort of technology that used to be available only to nation-states is trickling down to formerly unsophisticated ransomware gangs. Don’t expect your company’s comparatively small size to be protection – everyone is at risk nowadays.
Businesses will continue to shift to more cloud-based and SaaS type models
Over the past few years there has been a shift towards both cloud-based computing and Software as a Service (SaaS). Both of these changes have offered tremendous benefits for small businesses, doing away with the need to regularly purchase new hardware in order to take advantage of new software, but have also brought with them their own unique set of problems.
One of the most obvious changes wrought by cloud computing is that more and more companies have moved their data centers to the cloud. This has massively streamlined operations and has allowed companies to scale their online operations as needed. In the past, cloud-based data centers have also been relatively safe from ransomware attacks – although cybercriminals have recognized the value of these targets, and we can expect this new year to include some brazen attacks against online juggernauts.
The shift to the cloud is also making certain technologies more accessible to average users. While machine learning and artificial intelligence used to be relegated to universities and multinational corporations, today these processor-intensive technologies are available to small businesses on an as-needed basis.
Some of the most common problems of cloud computing or software as a service are simple misconfigurations which can lead to outages or security holes. Thankfully these issues are becoming less common as these services become more mainstream. Cloud providers have ironed out many of these issues and have made the process more robust and secure.
Two Factor Authentication will continue to rise in popularity
The shortcomings of password based authentication have been known for years – they are either too simple to be secure or too complex to remember. Worse, all it takes is a single successful phishing attempt for the accounts to be compromised.
Two Factor Authentication, often abbreviated 2FA, is a way of bolstering the weaknesses of traditional passwords, and works by adding another layer of verification to the login process. This can take many different forms, with one of the most common varieties involving users being asked to confirm a one-time code sent to their cell phone.
A few years ago 2FA was relatively uncommon and may have only been available to log into your bank. Today more and more companies are embracing 2FA, and the technology is available in cryptocurrency wallets, social media accounts like LinkedIn and Facebook, email, and much more.
Small businesses which aren’t currently taking advantage of 2FA will find that it is easier than ever before to add this important security measure to their accounts.
Common types of 2FA
While the most common form of 2FA is the text message, the technology actually encompasses a wide range of verification strategies including SMS, authenticator apps, push-based 2FA, and physical security keys.
Weaknesses of SMS Based 2FA
SMS based two factor authentication is the most common variety of 2FA, but it is also the least secure. Attackers have exploited weaknesses in the SS7 telephony protocols to intercept 2FA messages and in some cases have managed to trick phone companies into reassigning phone numbers to new SIM cards. In both of these cases the strength of a user’s security was reduced to the integrity of their password.
Authenticator App based 2FA
Requiring just a little bit more time and energy to set up, authenticator apps offer more robust protection than SMS based 2FA. These apps are produced for a wide range of operating systems including Windows, iOS, and Android, and are very easy to use.
The most common way these apps are set up is by scanning a QR code or inputting a string of numbers used as a seed. This syncs the authenticator with your account. The app then generates time-based one-time passwords, each good for only 30 seconds at a time. When logging into an account, users consult the app for the most up-to-date code, enter it, and are then free to proceed.
Google, Microsoft, and Apple all make their own 2FA applications, and there are numerous third party apps available too. No matter which ecosystem your company works on, you’ll find support for this mode of protection.
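To make the mechanism concrete, here is an added example (not code from the original article or from any of the vendors named) of what an authenticator app and the server it syncs with both compute: the shared seed is the base32 string behind the QR code, the counter is the current Unix time divided into 30-second steps, and the code is a truncated HMAC-SHA1 over that counter (RFC 6238 TOTP). The seed value is the RFC 6238 test secret; the verifier side also shows the check a server should add, accepting one step of clock drift but refusing a code whose step was already used.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # lifetime of one code, as described above
DIGITS = 6          # six-digit codes, as most authenticator apps show


def decode_seed(b32_seed: str) -> bytes:
    """Turn the base32 setup string (what the QR code encodes) into raw key bytes."""
    cleaned = b32_seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that apps often omit
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(key, unix_time // STEP_SECONDS)


def verify_totp(key: bytes, submitted: str, unix_time: int,
                last_used_step: int = -1, window: int = 1):
    """Server-side check. Returns the accepted time step, or None if rejected.

    Accepts codes from `window` steps either side of now (clock drift), but never a
    step at or below `last_used_step`, so a code captured by an attacker cannot be
    replayed inside its 30-second lifetime. The caller persists the returned step.
    """
    current_step = unix_time // STEP_SECONDS
    submitted = submitted.replace(" ", "")
    for step in range(current_step - window, current_step + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step), submitted):
            return step
    return None


# Constructed setup: the RFC 6238 test secret, as an app would receive it by QR code.
SEED = decode_seed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(SEED, 59))                       # 287082, matching RFC 6238's vector
    print(verify_totp(SEED, "287082", 89))      # 1: one step of drift accepted
    print(verify_totp(SEED, "287082", 89, last_used_step=1))  # None: replay refused
```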
Push Based 2FA
In an era where nearly every company offers an app, push-based 2FA makes a lot of sense. Instead of sending you a SMS message, the app itself will deliver a notification to your phone asking you to confirm the log-in attempt. While not every app offers this, this is a more secure method than SMS while offering much of its ease of use.
Physical Security Keys
Universal Second Factor (U2F) keys are a class of 2FA devices that include Bluetooth Low Energy devices, USB dongles, and NFC-enabled cards. Accounts protected with these devices require the device to be physically present before users are allowed to access their accounts.
Cybersecurity Predictions for 2022
While it is impossible to know the future, the cybersecurity forecast for 2022 offers fairly clear signs of the sort of risks that small businesses will face. The threat of ransomware will continue to be the most significant one – this is regrettably a consequence of the vast success that cybercriminals have had over the past years.
As hybrid offices and work-from-home continue to be the norm, security teams will have their work cut out for them keeping up with the additional risks this creates. Bristeeri Tech can help, providing managed IT service solutions which cover everything from server management and system patching to disaster recovery.