During the height of the COVID-19 pandemic, nearly 70% of full-time employees in the United States transitioned to working from home. As we venture into the post-COVID world, roughly 58.6% of the U.S. workforce continues to work remotely with minimal chances of returning to a physical office space. Although remote positions offer several benefits, they also present a breeding ground for cyberattacks, exposing companies to increased risk.
According to Right Scale’s annual State of the Cloud Report for 2019, 91% of businesses used public cloud, and 72% used a private one. From company-run platforms, data-sensitive accounts, and increased cryptocurrency transactions, nearly every aspect of a company’s daily operations are digital. This drastic migration causes an array of new and enhanced risks, ranging from cryptocurrency ransomware attacks, data breaches, and online password hacks.
As cybersecurity threats continue to advance, it’s more vital than ever before to assess your company’s vulnerabilities. In this article, we’ll walk you through five prevalent cybersecurity threats for businesses, along with three helpful tips to combat them.
5 Cybersecurity Threats for Businesses in 2021
1. Phishing
Phishing is a hacking scheme that tricks users into downloading harmful messages. This scheme appears like a regular email using legitimate-looking links, attachments, business names, and logos. The email persuades users to take action, whether it’s clicking a link or downloading an attachment. A phishing email may also have a clickbait subject line that catches your eye. Whale phishing is another form of email phishing that’s targeted at company executives. Alternatively, spear-phishing sends emails to other specific members of a business to steal information.
While email phishing is most often noted, phishing takes additional forms. Smishing, for instance, sends SMS messages that garner clicks to dangerous links. In contrast, vishing sends fraudulent phone calls and voice messages that pose as legitimate companies. Search engine phishing is a newer form of phishing where hackers create fake online websites and rank on search engine results to rob customers’ information.
In a recent study from Cisco—2021 Cyber security threat trends: phishing, crypto top the list—86% of organizations reported having at least one user connect to a phishing site. Therefore, a wrong click from an employee can expose a business to massive risk.
2. Malware
Malware, also known as malicious software, hacks devices by either slowing them down significantly or stopping them from working entirely. It destroys computer systems through agents such as trojan malware, spyware, viruses, ransomware, adware, and worms.
Malware can be released into a computer by clicking an infected link, downloading a file or material from an unknown source, clicking a pop-up ad, or downloading an email attachment from an unknown sender. Once malware is released into a computer system, hackers can gain access to your company’s passwords, credit card numbers, banking data, personnel files, and more.
Over the last year, companies reported that out of all of the malware attacks they encountered, 35% of the attacks used previously unseen malware or methods. Unfortunately, this percentage is likely to increase as more employees work remotely.
3. Ransomware
Ransomware is a specific form of malware that encrypts a user’s computer systems. Once a ransomware attack has been implemented, users can no longer access their systems or files. In order for users to re-access their systems, they’re required to pay a ransom fee to the cybercriminals.
Ransom transactions are often made through Bitcoin. Cybercriminals may also request other methods of payment, such as Amazon gift cards. The ransom costs can range tremendously from hundreds of dollars to thousands of dollars or more. However, many organizations that make the ransom payments still don’t retrieve access to their systems.
Ransomware is often spread through a malicious download in a phishing email. An attack can be targeted to either individual employees or entire organizations. Throughout the pandemic, a notable 58% of US companies reported a loss of revenue as the direct result of a ransomware attack.
4. Data Breaches
A data breach occurs when sensitive data is stolen from a system without authorization from the system owner. Confidential user information can include but isn’t limited to credit card numbers, social security numbers, names, home addresses, email addresses, user names, and passwords.
Breaches may be implemented through point-of-sale (POS) systems or a network attack. A network attack is likely to occur when cybercriminals identify a weakness in a company’s online security system and use the weakness to invade the system. Social attacks are also prevalent, where hackers fool employees into granting access to an organization’s network. For instance, they may be tricked into downloading a harmful attachment or accidentally giving out login credentials.
According to a data breach analysis from the Identity Theft Resource Center (ITRC), publicly reported data breaches in the U.S. have climbed to 38% throughout the second quarter of 2021. Once a data breach occurs, businesses must take immediate action to contain the breach and resolve the issue. Failing to do so may result in a tarnished reputation and fines ranging from thousands to millions of dollars.
5. Compromised Passwords
Compromised passwords most often occur when a user enters their login credentials unknowingly on a fake website. Common username and password combinations also leave accounts more vulnerable to attacks. Password reuse across multiple platforms can make your systems even more susceptible to hackers, leaving multiple accounts at high risk.
When creating passwords for company accounts, always ensure that you use unique, hard-to-guess passwords. With 51% of people reporting that they use the same passwords for both their work and personal accounts, instruct your employees to follow specific guidelines for maximum security.
3 Tips to Combat Cybersecurity Threats
1. Build Your Expertise—Internally and Externally
All organizations, particularly small- and medium-sized businesses, may struggle with staffing the right team to ensure an organization is protected from the latest cyber threats and ready to combat an attack. Hiring a security engineer or IT security manager can be expensive, and if you don’t already have the expertise in-house, it may be difficult to assess hard skills. However, an in-house team will give you the most long-term accountability.
Many businesses choose to find a cybersecurity freelancer or hire an outside company. Companies like UpCity can help smaller companies identify cybersecurity companies that businesses can trust and provide guidance on hiring a cybersecurity firm. Two advantages of working with an outside organization are that they can provide 24/7 monitoring for attacks that can occur at any time, and they are experts that stay up-to-date on the ever-evolving landscape of cyberattacks.
2. Educate Your Team
Some best cybersecurity practices may seem obvious to most, but it’s important to educate your entire team and ensure everyone is on the same page. Talk to employees about the importance of strong passwords, how to safely use a shared network, what your internet use guidelines are, and how to handle and protect customer data.
Train your team to recognize phishing attacks by looking for URLs or email addresses that are close but not exact, identifying language with misspellings or that feels a bit “off,” and being cautious of requests for passwords or other personal information. Even savvy security teams can fall prey to a cyberattack. Giving employees things to look for can help catch an attack quickly.
Last year, an UpCity employee noticed many outbound emails from their account that they didn’t send and immediately knew that their password was likely compromised. After promptly changing their password and notifying the IT department, they reviewed all of their email settings. The attacker added a mail filter that forwarded all incoming mail to an external address was discovered and removed. A less-thorough response may have missed that detail, allowing the attacker to potentially regain access to their password or other accounts.
3. Create a Cybersecurity Policy
Your cybersecurity policy should be a living document that is updated as attacks evolve. However, the basics of a policy should include guidelines on protecting devices (including up-to-date operating systems, browsers, firewalls, and encryption), multi-factor authentication (not just strong passwords, but secondary methods of authentication), and data protection (including how to handle customer data and what is appropriate to send via email).
Your policies should be readily available to your employees and reviewed frequently to ensure the entire organization understands and abides by the proper protocol.
Having a cybersecurity plan is more important than ever. With the number of cyberattacks always increasing against an ever-growing remote workforce, it is paramount that all companies — regardless of size — understand current cyber threats and what to do to prevent and combat them.
Having a plan that is executed thoroughly and reviewed regularly is the best first step to keeping company and customer information safe. Whether you build up in-house expertise or find a trusted outside partner, cybersecurity can no longer be a project set on the back burner. Understanding the latest threats and what to do to prevent them from impacting your organization is key to protecting your business.
