The news may cover larger, more dramatic cyberattacks on big businesses, but in 2023 one in every ten small businesses in the UK was targeted. Most of these attacks were not hugely technical or sophisticated, but they can do enough damage to hurt a business. The most common attack vector aimed at SMEs is social engineering. Adam Pilton, Cybersecurity Consultant at CyberSmart, runs through the types of social engineering, how small organisations are specifically vulnerable and the best way to remediate these vulnerabilities.
When one thinks of a cyberattack, there is a tendency towards large-scale, all-consuming events. Things such as the recent LockBit seizure by law enforcement or globally exploited vulnerabilities such as MOVEit tend to dominate headlines due to their widespread impact. Less glamorous, however, but equally damaging, is the constant stream of lower-level cybersecurity activity which targets the small businesses that make up 99% of our economy. In 2023, one in every ten small businesses was targeted.
Most of these attacks were not hugely technical or sophisticated attacks that exploit software vulnerabilities or gain remote access to connected devices. The much more common attack vector aimed at SMEs is the far simpler tactic of social engineering.
Types of social engineering
The Cyber Security Breaches Survey 2023 suggested that phishing – the most common method of social engineering – had affected 79% of businesses and 83% of charities.
Phishing – the process of sending fraudulent emails for cybercrime – is of particular concern to smaller businesses, which are often more stretched for security resources, including programmes of security awareness training or email filtering systems, which can help to catch phishing activity or alert employees to it. The consequences of clicking on a phishing email can be devastating for a business, leading to the compromise of credentials entered into the fraudulent site, or to a malware infection of the corporate network when a malicious link or download is interacted with.
While this may seem like a lower level of cyberattack, the reality is that phishing is simply the beginning of the cybercrime campaign and can have resoundingly devastating consequences for organisations who fall victim to it. One of the most high-profile cyberattacks in history was in fact the direct result of a successful phishing attack. The Colonial Pipeline ransomware incident caused the shutdown of almost 50% of the US East Coast’s oil supply for an entire week, had disastrous economic impacts and eventually led the company to pay a US$4.4 million ransom; all of this was facilitated directly as a result of a phishing attack. Not all phishing attacks will lead to an event this seismic, but they could still be devastating for businesses unable to weather the storm.
The good news is that despite their popularity, phishing emails tend to be easier to notice; they are usually automated attacks, targeting a wide net of organisations, hoping to ensnare as many as possible. This is unlike the more targeted version, spear-phishing.
These types of attacks are much more dangerous because they aim to target an individual or a business specifically. This usually involves the threat actor undertaking some research into an organisation’s structure and finding out about specific responsibilities within the organisation. The email which attempts to compromise the organisation will utilise this research to tailor the attack, making it more likely to succeed.
An even more impactful subset of spear phishing is business email compromise, or BEC, attacks. BEC attacks are spear-phishing campaigns which impersonate a member of staff or trusted entity at an organisation – a CEO, CFO, etc. – and convince a member of staff to make a significant financial transfer, often via a fake invoice, which the attacker has requested while impersonating the CEO, a member of the leadership team or a member of the finance team.
Often using this individual’s seniority to create a sense of urgency, these attacks have had notoriously devastating consequences; an individual scammer was recently extradited to the United States for conducting US$6 million of BEC scams.
These scams can affect all organisations, from the very smallest to the very largest. Between 2013 and 2015, one such scam was responsible for a criminal stealing US$100 million from Google and Facebook. The Latvian fraudster discovered that both companies used the same hardware provider, and sent a series of fake invoices, contracts and letters to the companies, which were paid. Equally vulnerable to these kinds of scams are small businesses, which were struggling with the threat as far back as 2018, when Lloyds Bank data suggested it was affecting as many as half a million SMEs. Since then, the situation is unlikely to have improved, with more and more businesses developing online components and becoming ever more reliant on social media to generate and interact with customers.
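The BEC pattern described above (a trusted name on the From line, a payment request, a sense of urgency) is something an email gateway or mailbox rule can triage before a finance team ever sees the message. The following is an added illustration, not code from the article or from CyberSmart; it scores raw messages against a few cheap heuristics. The executive directory, the internal domain, the two constructed sample messages and the "hold for review" threshold are all assumptions for the example.

```python
"""Heuristic BEC triage over raw RFC 5322 messages (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and directory of senior staff whose names an impersonator might borrow.
INTERNAL_DOMAINS = {"example.co.uk"}
EXECUTIVES = {
    "jane smith": "jane.smith@example.co.uk",
    "raj patel": "raj.patel@example.co.uk",
}

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|transfer|bank details|payment)\b", re.I)
HOLD_THRESHOLD = 2  # assumed: two or more indicators sends the mail to a review queue


def _normalise_name(display_name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  SMITH' matches 'jane smith'."""
    return " ".join(display_name.lower().split())


def _body_text(msg) -> str:
    """Return the plain-text content of a message, handling multipart bodies."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def triage(raw_message: str) -> dict:
    """Score one message and return the indicators found plus a recommended action."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    name = _normalise_name(display)
    reasons = []

    # 1. Display-name impersonation: a known executive's name on an address that is not theirs.
    if name in EXECUTIVES and address != EXECUTIVES[name]:
        reasons.append("display name matches an executive but the address does not")

    # 2. Reply-To steering replies to a mailbox other than the visible sender.
    if reply_to and reply_to.lower() != address:
        reasons.append("Reply-To differs from From")

    # 3. Urgency combined with payment language in subject or body.
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment language")

    # 4. Claims to come from our own domain but the gateway recorded no DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        reasons.append("internal sender domain without a DMARC pass")

    score = len(reasons)
    return {
        "from": address,
        "score": score,
        "reasons": reasons,
        "action": "hold for review" if score >= HOLD_THRESHOLD else "deliver",
    }


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: "Jane Smith" <jane.smith.ceo@webmail-host.example>
Reply-To: accounts-payable@invoice-desk.example
To: finance@example.co.uk
Subject: Urgent: supplier invoice
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=webmail-host.example

Hi, I need this invoice paid today via wire transfer. Keep it confidential until I'm back.
"""

SAMPLE_LEGIT = """From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Q3 budget
Authentication-Results: mx.example.co.uk; dmarc=pass header.from=example.co.uk

Please send over the Q3 budget figures when you have a moment.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["from"], result["action"], result["reasons"])
```

The display-name check is the one that catches the scenario in the text: the attacker cannot send from the CEO's real mailbox, so the visible name is borrowed and the address behind it is not. None of these indicators is proof on its own, which is why the example holds mail for a human only once two of them coincide; a single hit is better handled by a banner or a training prompt than by blocking.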
Specific challenges for small businesses: the personal meets the professional
The issues faced by small businesses when it comes to social engineering are myriad. The first, as mentioned above, is that the smaller a business, the fewer resources they’re likely to be able to assign to cybersecurity concerns. In all likelihood, IT will be managed by non-technical teams, with multiple IT responsibilities and less ability to create a coherent security culture.
Additionally, small businesses are, naturally, more intertwined with the personal lives of those who own or work at them; fewer employees working in smaller teams are much more accessible to a campaign of social engineering than multinational companies with hundreds of employees.
The lines between professional and personal are also significantly more likely to be blurred, with owners or employees doing personal business on corporate devices and networks, or business on personal ones. This means a greater chance of a personal phishing attack spilling into the corporate network, leaving the business vulnerable to more traditionally ‘person-to-person’ scams, such as sextortion or romance scams.
Staying safe
Some key steps for all businesses, but particularly small businesses, are to ensure that they have basic cyber hygiene policies in place: using multi-factor authentication, ensuring that everyone has undertaken some basic cybersecurity awareness training, and working to keep personal and business activity online separate.
It’s also important that adequate cyber insurance is in place. Basic cyber hygiene will reduce the chance of an incident, but nothing can completely protect an organisation from a persistent threat actor or human error, so ensuring that you’re covered in the worst-case instance is crucial. For small businesses in particular, cybercrime could be a fatal incident if the appropriate precautions aren’t taken.