Act now: Watch out for these five small and medium-sized business threats in 2023

• Kaspersky experts examined SMBs’ potential weak areas and listed severe cyber threats that they need to be aware of.
• SMBs can protect themselves by putting in place strong password practices, regularly updating and patching their software, and giving their employees cybersecurity training.

Small and medium-sized businesses (SMBs) in the Asia-Pacific (APAC) region are increasingly being targeted by cyberattacks. SMBs can suffer significant repercussions from these attacks, including monetary loss, reputational harm, and loss of private customer data. According to Mini Me Insights, the first half of this year saw more phishing email instances in Malaysia, the Philippines, Thailand, and Vietnam than in any other four of the six APAC countries combined.

Phishing is a standard attack where attackers use fake emails or websites to deceive employees into divulging sensitive information. Ransomware is a different attack in which perpetrators encrypt a company’s data and demand money for the decryption key. According to Australian Cyber Security Magazine, the average sum corporations are willing to pay has increased and nearly doubled to AU$ 1,288,608 from AU$ 682,123 in 2021.

In a world where cybercrime never sleeps, organizations need a cybersecurity plan that is “always on”. The need is even greater for SMBs, as cybercriminals’ attention on these organizations has grown significantly in recent years. And according to Kurt Baumgartner, a chief security researcher at Kaspersky, there are five main threats that small and medium-sized businesses need to be aware of.

Here are his predictions and suggestions for SMBs who want to prepare for a cyberattack.

There’s a saying that those who own the information own the world. However, speaking about information security, the whole “world” is not enough – cybercriminals’ needs are confined to other people’s data, money, business. Don’t think that attackers are in a constant chase for big fortunes or tabloid scandals: as the statistics show, more than 60% of all small and medium businesses have experienced cyberattacks over the course of 2022.

Small and medium-sized companies are great contributors to the global economy: according to the World Trade Organization, SMBs represent more than 90% of all businesses worldwide. Due to cyberattacks, businesses may lose confidential information, finances, valuable market shares – and there are plenty of ways criminals are trying to reach their goals. The least we can do is count them; what’s more important is to define the threats the SMB sector might be exposed to – and ways they can be detected and prevented. Additionally, small enterprises consider a cybersecurity incident as one of the most challenging types of crises.

Kaspersky experts analyzed vulnerable points small and medium-sized businesses might have and outlined some major cyber threats for entrepreneurs that they must be aware of.

Data leaks caused by employees

There are different way a company’s data may be leaked – and, in certain cases, it might happen involuntarily.

During the pandemic, many remote workers used corporate computers for entertainment purposes, such as playing online games, watching movies, or using e-learning platforms – something that continues to pose financial threats to organizations. This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

The level of cybersecurity after the pandemic and initial adoption of remote work by organizations en masse has improved. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

There’s a tendency to blame ex-workers for possible data leaks. However, only half of recently surveyed organizations’ leaders are confident that ex-employees don’t have access to company data stored in cloud services or can’t use corporate accounts. An ex-colleague may not even remember they had access to a certain resource. But a routine check by those same regulators might reveal that unauthorized persons do in fact have access to confidential information, which would still result in a fine.

Even if you’re absolutely certain you parted ways on good terms with everyone, that doesn’t mean you’re out of the woods. Who can guarantee they didn’t use a weak or non-unique password to access work systems, which attackers could brute-force or come across in an unrelated leak? Any redundant access to a system – be it a collaborative environment, work email or virtual machine – increases the attack surface. Even a simple chat among colleagues about non-work issues could be used for social-engineering attacks.

DDoS attacks

Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS) attacks. This type of attack takes advantage of the specific capacity limits that apply to any network resources – such as the infrastructure that enables a company’s website. The DDoS attack will send multiple requests to the attacked web resource – with the aim of exceeding the website’s capacity to handle multiple requests… and prevent the website from functioning correctly.

Attackers resort to different sources to perform acts on organizations such as banks, media assets, or retailers – all frequently affected by DDoS attacks. Recently, cybercriminals targeted the German food delivery service, Takeaway.com (Lieferando.de), demanding two bitcoins (approximately $11,000) to stop the flood of traffic. Moreover, DDoS attacks on online retailers tend to spike during holiday seasons, when their customers are most active.

There’s also a growing trend towards gaming companies gaining scale. The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.

Something to note is that many DDoS attacks go unreported, because the payout amounts are often relatively small.

Supply chain

Being attacked through a supply chain typically means a service or program you have used for some time has become malicious. These are attacks delivered through the company’s vendors or suppliers – examples can include financial institutions, logistics partners, or even a food delivery service. Such actions may vary in complexity or destructiveness.

For example, attackers used ExPetr (aka NotPetya) to compromise the automatic update system of accounting software called M.E.Doc, forcing it to deliver the ransomware to all customers. As a result, ExPetr caused millions in losses, infecting both large companies and small businesses.

Or take CCleaner, one of the most famous programs for system registry cleaning. It is widely used by both home users and system administrators. At some point, attackers compromised the program developer’s compilation environment, equipping several versions with a backdoor. For a month these compromised versions were distributed from the company’s official websites, and downloaded 2.27 million times, and at least 1.65 million copies of the malware attempted to communicate with the criminals’ servers.

The recent examples that drew our attention are DiceyF incidents, that were performed in Southeast Asia. The prime targets were an online casino developer and operator and a customer support platform, that were attacked in Ocean 11 style. Or the SmudgeX incident comes to mind: an unknown APT compromised a distribution server and replaced a legitimate installer with a trojanized one, spreading malicious PlugX within a South Asian nation to all federal employees who had to download and install the new, required tool. Surely, the IT support managing the distribution server and the developers were affected.

Malware

You can encounter malicious files everywhere: if you download illegitimate files, make sure they do not harm you. The most emerging threats are the encryptors that chase a company’s data, money, or even personal information of its owners. To support this, it’s worth mentioning that more than a quarter of small and medium-sized businesses opt for pirated, or unlicensed software to cut costs. Such software may include some malicious or unwanted files that may exploit corporate computers and networks.

Additionally, business owners must be aware of access brokers as such layers of groups will cause SMBs harm in a variety of ways in 2023. Their illegal-access customers include cryptojacking clients, banking password stealers, ransomware, cookie stealers, and other problematic malware. One of the examples is Emotet, malware that steals banking credentials and targets organizations around the world. Another group that targets small and medium-sized businesses is DeathStalker, best known for its attacks on legal, financial and travel entities. The group’s main goals rely on looting confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence as well as insights into mergers and acquisitions.

Social engineering

Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft’s Office 365 suite has seen a lot more use — and, to no one’s surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft’s sign-in page.

We’ve uncovered many new ways that phishing scammers are trying to fool business owners, which sometimes turn out to be quite elaborate. Some are mimicking loan or delivery services – by sharing false website or sending emails with fake accounting documents.

Some attackers masquerade as legitimate online platforms to get profit out of their victims: it may be even quite popular money transfer services, such as Wise Transfer.

Another red flag discovered by Kaspersky experts is a link to a page translated using Google Translate. Attackers use Google Translate to bypass cybersecurity mechanisms. The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a “contract meeting presentation and subsequent payments.” The Open button link points to a site translated by Google Translate. However, the link leads to a fake site launched by attackers in order to steal money from their victims.

In summary, cybercriminals will try to reach victims in any way possible – through unlicensed software, phishing websites or emails, breaches in the business’s security network or even via massive DDoS attacks. However, a recent survey by Kaspersky showed that 41% of small and medium-sized businesses have a crisis prevention plan – thus, do care about cybersecurity and understand how challenging IT security incident remediation can be is a good tendency that hopefully will result in reliable protective measures implemented within these organizations.

To protect businesses from cyberattacks, Kaspersky recommends the following:

• Implement a strong password policy, requiring a standard user account’s password to have at least eight letters, one number, uppercase and lowercase letters, and a special character. Make sure these passwords are changed if there any suspicion that they have been compromised. To put this approach into practice without additional efforts, use a security solution with a comprehensive built-in password manager.
• Don’t ignore updates from a software and device vendors. These usually not only bring new features and interface enhancements, but also resolve uncovered safety gaps.
• Maintain a high level of security awareness among employees. Encourage your workers to learn more about current threats and ways to protect their personal and professional life and take relevant free courses. Conducting comprehensive and effective third-party training programs for employees is a good way to save the IT department time and get good results.

---

---

---

---