You’re About To Be Hacked. Are You Ready?

Small businesses are sitting ducks, but they don’t have to be

David Braue

Melbourne, Australia – Aug. 31, 2021

The widespread automated scanning of potential cybercrime targets means small businesses can’t hope to hide in obscurity because cybercriminals don’t look them up by name, a senior financial services cybercrime expert has warned while exhorting small businesses to take the initiative to learn how to protect themselves.

Cybercriminals scan Internet ports and services to identify particular vulnerabilities they may be able to exploit, Johan Gerber, executive vice president of security and cyber innovation with Mastercard, told Cybercrime Magazine.

“All of these things are automated,” he said, “so there’s no hiding from them anymore. Small businesses have to realize that you have to do the steps; you cannot rely and hope that this will not happen to you.”

“It’s not like [cybercriminals] go into a phone book and then start looking up names,” he said. “They’re using AI, and things like that, to crawl the Internet to find you.”

In an era where the proliferation of online tools means it’s easier than ever to start up and run a new business, it can be easy for small-business owners to stick their heads in the sand when it comes to cybersecurity.

Concepts like two-factor authentication sound complex to untrained business owners, who may not know enough about cybercrime to educate their own staff to avoid threats such as phishing and ransomware.

“Owners perceive cybercrime to be a complex problem to solve and often don’t take the effort to really educate themselves,” Gerber said. “But two-factor authentication just means managing your passwords well and having an additional layer of security in there. These things are not that hard to get the basics right.”

Ransomware puts cyber in your face

These days, every business owner should be concerned: with ransomware more widespread and devastating than ever — the cost of ransomware will exceed $20 billion globally this year and $265 billion by 2031, according to Cybersecurity Ventures — every small business must have thought through how it will react when cybercriminals come knocking.

This may mean getting resourceful by looking for any solution other than paying the ransom, Gerber said.

“Every time somebody pays a ransom, you just incentivize the next attack,” he said, conceding that “it’s not always as simple as that if you have a critical business or a business where X number of employees are relying on it for their salaries.”

Cybercriminals know enough about business to understand just how many different pain points can put the squeeze on small-business owners — and “that’s the fear factor that these criminals are banking on,” Gerber said, “that you will pay it.”

“That’s why it’s so important to be preventative rather than waiting until this happens before you start dealing with it. If you’re not prepared, you’re probably going to end up in a place where you have to pay the ransom, or your business goes under.”

Small businesses are also particularly exposed to supply chain risks, which emerge because companies have rushed to become preferred suppliers for their customers but have no control over the cybersecurity postures of other companies in those supply chains.

Such third-party risk has escalated as ransomware criminals progressively refine techniques for malware to move laterally within infected organizations — whose extensive supply chains can quickly become cybersecurity liabilities.

Small businesses “need to worry about who they do business with,” he said, “and whether they are bringing a risk into the equation.”

Thanks to a wealth of online resources targeted at small businesses, the information needed to improve cybersecurity postures is out there for any business owner who is rightly concerned about their potential exposure to cybercrime.

Mastercard’s own Trust Center has been constructed to make cybersecurity issues more approachable for small businesses, offering a people-focused approach that includes webinars, podcasts, written resources and other content.

“There are plenty of resources for small businesses,” Gerber said, “but the concern we had was that a lot of it speaks in a language that is highly technical; you almost need to be a CISO to understand some of them.”

Mastercard’s approach has been to compile a set of resources easy enough that “Joe the barber and Sue the mechanic” can understand them and apply their concepts, Gerber said, “to at least get your basic cyber hygiene up to a good standard.”

Ultimately, the strength of any cyber defense lies along a spectrum, with any new information likely to move the needle in the right direction.

The key, Gerber said, is for small-business owners to not throw up their hands in frustration, but to make the effort to proactively address a business risk that nobody these days can simply avoid.

“The majority of cyber attacks are not based on brand-new, highly-sophisticated new mechanisms that the cyber criminals develop,” he said. “That may be the case for nation-state attacks, but the normal criminal-driven or financially-incentivized criminal attacks are based on the fact of human error — people clicking on things they shouldn’t be clicking.”

Fighting insecure habits, he added, is key to building and maintaining an adequate cybersecurity posture that spans direct technical risks as well as employee comfort levels, third-party risks, and other vulnerability vectors.

“Those are some of the big things that really keep us up at night.”

David Braue is an award-winning technology writer based in Melbourne, Australia.
