As 2022 draws to a close, New Year’s resolution time is around the corner, and for small businesses this could mean the difference between survival and failure. Dark Reading recently reported that, this past Black Friday alone, retailers lost $360M to 50M fake shoppers, hijacked accounts and fraud ads.
The threat increases for small businesses and enterprises, with over half in 2022 attacked through cloud services, according to SCMedia. After all, cloud services are what transform a small business into a global competitor, with all the associated perks and risks. 67% of these were hit by ransomware, which is fatal for 2/3 of successfully attacked targets.
Boon & Break
Clearly, the greatest impetus to the online economy in recent years has been the stay-at-home environment of the Covid pandemic. It enabled small businesses to become global without investing in global infrastructures and to compete with large corporations. Last year, CRM giant Salesforce reported that global internet sales increased by a third YoY the previous December!
However, with great power comes great responsibility, responsibilities that are not always affordable or even feasible. Sadly, only a third of small businesses can afford the resources required to fight cyber threats. The result—over $8B in losses to online retail at an average cost of over $2m per attack per annum.
TitanHQ describes the glee with which cyberthugs approach “big calendar happenings in the retail world.” According to their research, the six weeks preceding Thanksgiving’s Black Friday sales see a 13-fold increase in phishing attacks. And it’s not just small businesses that are attacked.
British Airways, for example, is still smarting from last year’s $27M fine over a breach that resulted in a client data leak. Clients were redirected to a phishing site aptly named ‘baways.com’, to which they uploaded their personal data and banking information.
Breaking Down the Threat
Bitdefender breaks down the threats a small retailer faces, suggesting remedies for each one. These include awareness and education, good password hygiene, and adopting whatever technology you can afford. The attacks can roughly be categorized under:
Phishing—64% of these attacks originate with phishing emails. However, phishing links also abound in push notifications, messaging, social media, and more. Ascertain the sender’s identity and, instead of blindly clicking, copy and paste the link manually, checking the URL to make sure it makes sense and is what it purports to be before pressing Enter. Unfortunately, there’s not much more one can do here besides staff, supplier, and client education. If using a mobile device, install novoShield on your iPhones and those of your suppliers and employees to prevent phishing pages from opening on Safari.
Spam—An offshoot of the above, since it often contains a phishing link. With personal details, such as emails and more, being sold for pennies on the dark web, you can be sure that you’re on someone’s mailing list somewhere, and that the mailing list has been accessed by countless others. This is a numbers game: spammers send out mountains of emails in hopes of a bite. The pile that accrues in your mailbox can only be partially mitigated by filters, since, here too, we have a game of catch-up between spammers and filter makers. Try not to be overwhelmed.
Credit card fraud—The culprit behind over $24B in losses each year. Most identity theft is aimed at stealing credit card information. Here, you have to pray that your bank’s API is secure and well-maintained. Again, we can do the bare minimum and make sure we don’t provide personal or account details to a phishing page. Never enter your bank’s site through a link. Never provide your details to a retailer, shipper or any other member of the supply chain except directly through their site, which you access manually.
Malware, DDoS (Distributed Denial of Service) attacks & Ransomware—Since these embed themselves in a system, only a professional can identify and mitigate such attacks. How the malware enters the system is a different story, especially since most small businesses using cloud infrastructures may find that their service provider is the guilty party in enabling the attack. Once again, prevention is half the remedy, so choose your provider carefully, and make sure your data is backed up in an independent location against theft. More importantly, don’t be the intruder’s gateway by providing your access data into a phishing site.
Again, unfortunately, institutional response is lacking, since national institutions have been slow on the uptake against a threat that is global in both attack surface and instigator source. Regulators cannot even agree upon a definition of ‘cybercrime’, and international cooperation is in its infancy against an enemy that is spread far and wide. Small-time operators in undeveloped countries, themselves thirsty for tax income regardless of the contributor’s profession, are often employed by crime syndicates in a third country or even by rogue states. However, some countries do present viable solutions from which one may take instruction.
According to the UK’s E-Commerce Association (IMRG), SMEs in the UK account for 99% of all registered businesses! About two-thirds of them report adopting new technologies and practices, such as online sales, marketing, and administration, since the pandemic’s heyday—vastly increasing the attack surface. Consequently, 40% report having been attacked during a one-year period; just over a quarter experience at least one attack per week—83% of these in the form of phishing; and the average cost of a breach is about $9K.
The British government established the National Cyber Security Centre in 2016 and claims to have made Britain the “safest place to live and work online…” The NCSC provides news and information, an SME advisory, and free online tools to help businesses assess their resilience and cybersec requirements.
And in the US…?
Meanwhile, here in the US, White House officials are still promising some form of collaboration with the private sector. Unaware that cybercrime is a global problem, officials are having a hard time creating a federal strategy. Protection is up to the small business owner and, given its price, novoShield is a simple and affordable solution.
Install it on an iPhone and you can stop phishing and its consequences before the hook hits the water.