Amid supply chain delays, inflation and renewed COVID-19 fears, business owners may not be saying “happy new year” with renewed gusto. And let’s not stop there: 2022 is likely to be a landmark year for advanced cyberattacks at both the corporate and small business level. As your business begins to take on 2022, don’t let cybersecurity slip to the bottom of your priority list. In the eternal cat-and-mouse chase between cybercriminals and protective tools, it is essential that small business owners are keenly aware of the types of cyberattacks most likely to affect them. The most effective means of threat prevention is the knowledge to identify tell-tale warnings of a cyberattack or data breach. Small business owners must be as vigilant as their larger counterparts about these trending cyberthreats, as they are often even more likely to be targeted.
Ransomware attacks are a type of cyberattack in which cybercriminals hold a target’s files hostage by intricate locking or encryption and agree to remove the lock only after the target pays a cash ransom. These types of attacks are profoundly frustrating for corporate entities and small businesses alike, as there is relatively little a person can do once their files are encrypted.
Ransomware attacks are not expected to slow down in 2022. On the contrary, attacks like the SolarWinds breach in 2021 may become commonplace. Increasingly, advanced ransomware programs have made their way onto unsuspecting computers. The nature of ransomware attacks also makes it exceedingly difficult to prevent attacks outright, since encryption methods for such attacks are constantly changing.
Industry experts also warn of new types of ransomware programs called “human-operated attacks” where cybercriminals groom and target a specific quarry. These types of attacks profile their targets to see what kind of devices are on the quarry’s network and incrementally lay plans for the attack before activating the ransom. These types of attacks are especially brutal; cybercriminals often learn their quarry’s financial standing and then use that info to set a ransom the quarry is likely to pay.
These sophisticated attacks also carry the risk of becoming a double extortion attack, which means that the encryption attack is not isolated to one machine but reaches every machine on your network. This can be especially damaging for businesses with multiple terminals.
Social Engineering and Phishing Aren’t Going Anywhere
There is no cybersecurity program to fight social engineering or phishing; this is because the breach is human, not machine. Successful phishing and social engineering attacks function similarly to a traditional heist: attackers attempt to trick someone into giving them sensitive information they can then use to breach a secure system. In the same way a robber might steal a key from a bank manager to kick off a heist, phishing attacks start with the theft of a digital key, often a password.
There are several ways would-be phishers attempt to lift confidential information, but modern phishing attacks are often as targeted as a bank heist. Phishers study the identities of the people they plan to scam and play on their target’s trust in everyday mechanisms, like caller-ID or convincing phony webpages, to trick people into sharing information they shouldn’t.
Social engineering, however, has seen some new trends likely to catch fire in 2022. Scareware is a unique kind of social engineering that tries to convince targets that something is already wrong with their computer and that they must download a fix ASAP. The trick is, of course, that nothing was wrong with their computer in the first place and their new “fix” is some type of malware ready to wreak havoc. Scareware attacks often show up as pop-ups on untrustworthy websites or in email attachments.
Mobile Security Threats
Years ago, cell phones attained processing power to match computers, yet they do not have nearly as many cybersecurity prevention methods as their desktop and laptop cousins. And now that more and more businesses integrate cell phones into their daily operations, cybercriminals have been keenly targeting cell phones and mobile devices for cyberattacks.
Cell phones have become the point of access of choice for banking, email, and several other avenues for private information. Cybercriminals have breached mobile phones and successfully eavesdropped, crashed devices, and reaped private information in the past, but with the increasing number of remote workers using their cell phones in coordination with laptop workstations, it is especially important that small business owners know the methods cybercriminals use to breach phones.
Anyone can make an app, and cybercriminals are aware of this. The most likely way a virus will make its way onto your phone is through an app you intentionally downloaded. Whether through copycat apps or seemingly innocent apps with embedded malware, such cyberattacks function similarly to social engineering, tricking users into accidentally downloading malicious software.
Traditional methods of virus dispersal, like embedded websites and email links, are just as likely to infect your phone as they are to infect your laptop or desktop computer. Plus, modern sophisticated attacks can infect all other devices on your Wi-Fi network after entering your phone, making it especially important that business owners are vigilant about mobile cybersecurity.
The deepfake threat is two-fold. It is devastating for businesses that are targets of defamatory deepfakes, but it can be equally dangerous for businesses that are successfully hoodwinked by modern, convincing deepfake technology. Businesses that are the target of deepfakes meant to defame them must work quickly and definitively to clear their name, but deepfakes meant to trick rather than defame are on the rise and likely to hit a fever pitch in 2022.
Small businesses are likely to be the target of voice deepfakes meant to impersonate someone they trust. Such attacks have already successfully scammed massive corporations in the past, and as the tech becomes more commonplace, small businesses are likely to be thought of as easy prey. Successful voice deepfakes are quick, targeted calls usually mimicking caller-ID and, much more impressively, the supposed caller’s voice. The fake caller will usually then ask for a quick piece of information; a password or a PIN is usually enough. While even two years ago technology like this was squarely in the hands of high-level hackers, it is entirely possible that small-time or even local cybercriminals could access tech convincing enough to genuinely trick an employee into giving private information over the phone.
Internet of Things (IoT) Breaches
Fresh off the lot, the Internet of Things or IoT is well on its way to becoming a household name. Justifiably so, as IoT refers to the local network containing all of your “smart” devices like Google Assistants, Wi-Fi-based surveillance systems such as Ring cameras, or really any physical object with an active connection to your Wi-Fi network. IoT cyberattacks are especially dangerous for small businesses as this type of attack can happen entirely remotely. Does your business have public Wi-Fi, or do you allow customers to connect to your network while they are in your store? Once their device connects to your network, they have entered your Internet of Things.
A device with malware built to navigate through a network can easily embed itself in other devices simply because they are on the same network. Concerningly, IoT attacks can also hijack the video or audio feed of devices connected to networks, meaning that Wi-Fi-based security systems are vulnerable. The best safeguards against Internet of Things attacks are to keep traditional cybersecurity methods in good order and to regularly update router, modem, and audio/video device firmware.
Operate on an “Assumption of Compromise” Mentality
If 2022 didn’t seem bleak enough already, yes, our advice is to assume you have already been breached. This method isn’t nihilistic; it is accepting. Small business owners should be aware that they are quickly becoming major targets for cybercriminals and, in turn, accept that their systems may need to be upgraded or overhauled to meet modern baselines. Cyber-breaches don’t have the same hallmarks as traditional break-ins, but damages from a successful cyberattack can easily outpace those from old-school robberies. Businesses that assume they are compromised, or easily could be compromised, are the ones that will most effectively probe their current security sphere and are the most likely to see good results in the ever-uncertain future for small businesses and cybersecurity.