On June 30, 2020, an attorney forwarded an email to a colleague at a different local law firm. The email contained a link to documents with a request to review them. The attorney receiving the email didn’t know anything about the documents and forwarded the email message to two of his coworkers. According to the state’s Cybersecurity Program Coordinator, this started a chain of malicious emails that went to at least 26 people across 15 organizations within one day, including law firms, investigators, and a local TV news station.
The goal of the malicious message was to get people to click on the link and enter their login and password to view the documents. Why? Most likely for money. Attackers know most people reuse passwords, and they use our login and password to steal our money, information, and/or access to our computer systems.
Unfortunately, attackers are well aware that small businesses are ripe targets. According to Verizon’s 2020 Data Breach Investigations Report, 28% of the breaches in 2019 involved small business victims.1 While larger companies get the headlines when they’re hit with ransomware attacks, over 40% of ransomware attacks in Q3 2020 hit both small and medium businesses, those with 1–100 and 101–1000 employees, respectively.2 PTG, an IT services provider, found that 43% of all cybercrime is directed towards small businesses, and the average attack costs them $200,000 to recover.3
What’s needed
Cybercrime Support Network (CSN) is a public-private, nonprofit collaboration created to serve millions of individuals and businesses affected each year by cybercrime. We partner with government, victim service organizations, and corporations throughout the United States to provide information and resources to support cybercrime victims through reporting and recovery. We maintain a resource database for cybercrime victims at FraudSupport.org that guides people and small businesses after an attack.
A website is not enough. At least seven countries have a single, nationwide help center to support cybercrime victims. CSN is advocating for a National Cyber Resiliency Center where individuals and businesses can call and talk to a real person to report cyber incidents, get help with recovery and decrease revictimization. A center would allow the collection of anonymous trend information to potentially issue alerts and help inform our nation’s security posture.
Do something today
It is important to find support and make a plan. Talk to and participate with your local
Chamber of Commerce, Better Business Bureau and Small Business Development Center (SBDC). Congress has mandated that SBDCs provide cyber education and support to small businesses. Utilize free resources from the Cyber Readiness Institute to start improving your security. Start with a few improvements like using two-factor authentication and identifying important data and devices your business operates. Hire a cybersecurity expert to do an assessment of your current security.
With the average attack costing a small business $200,000, can you afford not to make a plan? You don’t need to be a cyber expert, but cybersecurity must be a priority.
1 Verizon. 2020 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/
2 Coveware. Coveware Quarterly Ransomware Report,11/4/2020. https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
3 PTG. Most Common Cyber Attacks Targeting Small Businesses in 2020, 6/10/2020. https://blog.goptg.com/small-businesses-cyberattacks-2020