The Current Small Business Threat Landscape

Who knew 2020 would be an Apollo 13 Year?

For anyone even a little familiar with this movie, you may remember the famous line from Ed Harris (playing the flight director in Houston): “Failure is not an option.”

He said this despite the fact so many things went wrong all at once.

It struck me recently that there are interesting parallels for a business trying to deal with all the shots coming out of COVID-19, both early on and over time. They were fast and furious at the beginning; I am sure we all agree.
But what does the small business threat landscape look like now?

I thought about some key elements small businesses need to survive and even thrive in a
COVID-19 world:

• Adaptability and fast movement
• An understanding of the immediate threats and the need for trusted advisors
• Creative solutions (including duct tape, if needed – ha!)

Now for the latest threat environment…

According to my colleague Tom Callahan, who leads the ControlScan Security Operations Center (SOC), the main thing we see within the small business threat landscape right now is the increase in phishing and credential theft, along with private data theft of personally identifiable information (PII) and private health information (PHI). We had a one-two punch this year with the pandemic occurring in tax season; there was a major influx of not just scams to get PII for stealing tax refunds, but also with using coronavirus fears to capture that same data and use it.

Attackers currently have an audience that is scared and vulnerable, and they are trying to exploit that for theft of information, as well as to deploy malicious software to personal and corporate systems through malicious emailed documents, websites, etc.

Beyond that, the COVID-19 pandemic has pushed the capabilities of many companies that were forced to quickly go to “work from home” operations without the relevant security in place. Most companies have spent years building up the security, compliance and protections within the “four walls” of their organizational systems and networks. But the focus has been on the systems and activities occurring in the workplace. Now you have a workplace that is expanded out to home offices, with the sudden introduction of laptops or other mobile devices, and potentially the creation of untested and improperly secured remote access methods.

Here’s what small businesses should look out for.

Many don’t have the expertise—or the budget—to enact these changes in a quick fashion, and in the right way. They have done everything they can to remain functional, but likely have not considered, or accepted the risk, of an improperly enabled remote workforce.

Here are some specific vulnerabilities the ControlScan SOC sees continuously exploited:

• Insecure Remote Access Servers – Microsoft allows you to utilize “remote desktop” to access servers and other systems within your network. Many small businesses are creating firewall rules to enable access to these resources from outside the internal network. The issue is that there have been significant critical vulnerabilities in the past 6-8 months with Microsoft Remote Desktop that can be easily exploited to perform remote code execution and gain access to these systems without needing any credentials. Therefore, the danger level here is critically high, especially if you are not actively patching systems.
• VPN or Virtual Desktop Environments – With credential theft on the rise, we see many small businesses operating without multi-factor authentication enabled for their remote access systems or networks. This includes things like Microsoft Remote Desktop Services, Citrix Remote Access Products, VMware Remote Access/Desktop Products, etc.The critical threat here is that if a user’s credentials are compromised, an attacker is now able to log in as that user and have full access to business systems, networks and all files just like the legitimate user would. And without proper monitoring and detection, the company would never know this access is occurring. From this access point, an attacker can then use a trusted user account to push phishing emails and/or malicious links to other users in the company, to partners and associates, and to customers.
• Unprotected Endpoints – Laptops, desktops and mobile devices may not be properly protected if they were purchased and deployed last minute to keep operations going. This means that standardized policies may be missing. Systems that usually had account control policies (passwords, lockouts, etc.) may not have those policies in place. System encryption could be missing, as well as the software protection could be missing or not properly functioning off the corporate network.These are major concerns, as even companies that have a detection and prevention software suite may not be able to properly function because they are not within the corporate network. Small businesses need to evaluate and understand that malicious software on these devices is now able to freely infect the machines, performing keylogging, monitoring websites visited, and stealing data, credentials, and access to systems or secure websites.

The breach cases—especially those involving payment card data—over the past few years continue to reveal three key issues that show up as a pattern:

• Password management/strength
• Software updating/patching
• Insecure remote access (this could involve you and/or your service provider)

Ask questions of your trusted advisers and keep in mind that the human element is always a key factor. Creating an environment with ongoing education and a healthy skepticism for unsolicited emails is important. Think like a risk manager and start somewhere is our call to action!

Learn more about the current small business threat landscape and get our tips for protecting your business. Subscribe to this blog today.