Shielding Businesses From Cyberattacks
Paragons of the cybersecurity industry discuss what they think is putting small businesses at risk of cyberthreats, what to watch out for and more.
From your experience, what would you say is the most common reason small businesses fall victim to cybersecurity fraud?
Jack Koziol: There is a common misconception among many small businesses that they are not large or valuable enough to be cyberattack-worthy. It’s easy to think as a smaller organization that you can safely fly under hackers’ radar. Unfortunately, this mindset is the biggest contributor to the rapid growth in Small and Mid-Sized Business (SMB) cyberattacks. Today’s hackers readily take advantage of an SMB’s constrained investment in security controls, or they exploit a false sense of security that in-place protection, detection and response systems will catch all malicious activity — ultimately exposing a vulnerable second line of defense: employees.
Gerry Beuchelt: In a never-ending cycle of high-profile security flaws and breaches, business systems security has never been more important. However, according to the latest PwC Global State of Information Security Survey, security spending has dropped by a third in the last 12 months. It’s clear that the threat is there, but the evidence suggests some businesses are still adopting a “security through obscurity” strategy by wrongly assuming their corporate data is of no interest to hackers because they are a small or medium-sized enterprise. At the same time, even Congress has recognized that small businesses are now being targeted at alarming rates: last year, a report found that more than 14 million small and medium businesses were attacked in less than a year.
This lack of spending can often produce an unclear IT security strategy, with teams relying on manual processes such as password spreadsheets to keep accounts secure. This problem is exacerbated by the bring-your-own-device or even bring-your-own-application culture and remote working, which is making it difficult for companies who don’t have the right technology to have an all-encompassing view of their security.
In many cases, this results in employees becoming the first line of defense against outside threats to protect company data. According to our data, more than half of IT executives surveyed rely on employees alone to monitor their own password behavior, subsequently leaving the company at risk. While it’s important that employees are adequately trained in security practices, it’s also crucial that IT teams make the right investment of time and resources to take control of company security.
Gill Langston: Attackers know that small businesses are not always equipped to combat cyberattacks and fraudulent activity. The lack of defensive measures and training means that small businesses are even easier targets. In today’s environment, attackers are more sophisticated; not only can they benefit directly from compromising the small business itself, but they can also use it as a stepping stone to compromising other organizations they work or contract with.
While there are many types of fraud out there, what do you think is the most dangerous threat to small businesses right now?
JK: Social engineering — most frequently in the form of phishing, spear phishing or business email compromise — is the most dangerous. The inherent nature of many employees to be efficient and helpful makes them the unfortunate target of malicious emails and other communications. Hackers go to great lengths to impersonate a superior, colleague or partner their target trusts and then make smart, well-researched requests invoking a sense of urgency or even fear. Their ultimate goal: convince their target to provide sensitive information, share credentials or open a malware-laden link or attachment. It’s your job to diligently equip your staff, at all levels, with the skills and confidence to identify and report social engineering attempts.
GB: Weak, stolen or reused passwords are available for literally billions of accounts today. As such, attackers have been able to leverage compromised passwords in 81 percent of all breaches. This means that it is imperative for companies to ensure that there aren’t any gaps in their password management. Many IT teams hold the view that “if it’s not our password, it’s not our problem.” Employee passwords are chosen by the employees, and so they should be the ones that manage and control them. However, we’ve found that more than three-quarters of employees reported that they have problems with password usage or management, at least once a month, with many saying they don’t have the support they need.
GL: From a fraud standpoint, phishing attacks and what is known as “CEO fraud” are enormous risks, and are directly related to each other. An attacker sends an email pretending to be an official within the company, such as the CEO, or even the IT department. Then you get a request to wire money or send sensitive company information. A fake email from your IT department might ask you to enter your password into a phishing site or take you to a site that will install spyware or other malware. At the end of the day, an attacker wants to get inside your company for either access to more accounts or to steal money. Having to admit to a breach like this publicly can have an impact on how you’re perceived in the market, cost you time and/or money and possibly even put you out of business.
What are the best practices/tools that business owners can implement to make sure they are protected from an attack?
JK: There are few easy wins in cybersecurity, but here are three to immediately shield your organization: (1) enable two-factor authentication on any cloud services you use, (2) standardize on a company-wide password manager and train all staff how to properly use it, and (3) implement a security education and awareness program. Regarding the last point, look for a solution with ready-to-use training modules and phishing simulations specifically tailored to your industry, employee responsibilities and overall culture. With content personalized to your employees, you’ll more quickly motivate a change in security behaviors, noticeably cut your social engineering vulnerability and, in the end, save yourself significant program management time.
GB: Risks can be mitigated by using an enterprise password management (EPM) solution, such as LastPass, to create unique passwords for each account. EPM solutions can help enterprises take back control of password management and reduce the risk of a breach. A well-designed EPM will allow IT teams to track overall password quality, identify reused passwords in a privacy-preserving way and provide a strong policy framework to enforce good password practices.
The number of more frequent, sophisticated attacks we’re seeing is another reason why one layer of security is not enough to protect one’s online environment. Multi-factor authentication (MFA), the requirement of a second piece of information before allowing access to an account, increases their security because it adds another barrier to entry, decreasing the likelihood that someone can break in. Rolling out an MFA app like the LastPass Authenticator to your organization makes it easy for employees to use a second factor, reducing exposure to threats and making fraud and hacking more difficult.
Additional online security best practices business owners should share with employees include:
Use a different, unique password for every online account.
Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
Turn on two-factor authentication for all services that allow it, like your EPM, bank, email, Twitter, Facebook, etc.
Keep a clean machine by running antivirus and keeping your software up to date.
GL: From a tools standpoint, it is critical to protect all entry points from attackers with multiple layers. This means protecting email flow from phishing and malware, having a good endpoint protection solution, reviewing web traffic for malicious websites and downloads, performing regular security audits of your passwords and making sure you are applying patches to software. And of course, training your employees on what to look out for in emails and other communications that might seem out of place are components for a strong defensive posture. Contracting a third party to do an assessment from time to time can also alert you to additional items to address in your security posture.
Without being an expert in cybersecurity, is there anything that business owners can look out for in their day-to-day operations that may be red flags to potentially fraudulent activity?
JK: Assign someone (it can be yourself) to take responsibility for reviewing security alerts from any cloud-based services your organization uses. With cloud services as frequent attack points, watch for high-priority alerts from platforms like G Suite, Office365, Hubspot, Slack, Salesforce and similar business productivity applications.
GB: No central security function can be all-knowing, even in the most sophisticated enterprises. It is paramount for business owners to develop a strong security program for all employees to help identify threats and fraudulent activities. It will be only through a joint effort that businesses can thwart attacks and defend themselves against bad actors. Security is a team sport.
GL: First and foremost, if something doesn’t feel or look right, employees should apply additional scrutiny. Some questions to ask:
Is this how the company or vendor normally communicates?
Would my bank send me a link asking me to enter my password, or would they ask me to go log into my account?
Does the CEO usually send wire transfer requests via email?
Should I be receiving this type of attachment?