Safeguard Your Business: What SMBs Need to Know About Third-Party Risks

By Luke Vander Linden, Vice President of Membership & Marketing, Retail & Hospitality ISAC

Unfortunately, it’s not unusual for big-name companies to make the news as victims of cyberattacks. But small- and medium-sized businesses (SMBs) are at risk too, though they may not get their fair share of time in the spotlight.

Nearly 60% of small businesses say cybersecurity threats, like malware, ransomware and phishing, are a top concern. The same survey from the U.S. Chamber of Commerce revealed that 27% of small businesses say they are one cyber incident away from being forced to shut down their entire business. Even if your business is small, the stakes are still high when it comes to cyberattacks.

Here’s what to look for on the threat horizon.

Why SMBs Are Uniquely Vulnerable to Cyberattacks

Smaller businesses don’t mean smaller threats. Actually, in many ways, SMBs can be at greater risk of cybersecurity threats than their larger, household-name counterparts who may have more resources to dedicate to cybersecurity efforts.

One common means of attack that proves just as successful for SMBs as it does for large-scale enterprises is third-party vendor attacks, where cybercriminals manipulate a business’s third-party connections with suppliers, vendors and other service providers to bypass traditional security measures. For bad actors, third-party cyberattacks are like a nefarious BOGO; by compromising just one vendor, they can potentially infect hundreds of connected businesses to cause maximum damage with minimal effort.

3 Ways Cybercriminals Target SMBs via Third-Party Vendors

There are many ways bad actors can take advantage of an SMB’s third-party connections to launch cyberattacks. In particular, watch out for these three: malware, ransomware and phishing.

1. Malware

Malware describes any malicious software created to infiltrate, damage or exploit systems. It’s common for cyberattackers to go after SMBs by compromising one of their third-party vendor’s software.

For example, consider the many different types of software your business relies on for daily operations, such as inventory management tools, supply chain systems and payment processing apps. By exploiting known security vulnerabilities, cybercriminals can attack one of your software provider’s systems and infect it with malware. Often, they opt to inject the malicious code into legitimate software updates.

This way, when your software provider sends out a routine update, they are also unknowingly sending out malware to dozens or even hundreds of SMBs.

Once installed on your system, the malware effectively opens the door to hackers, allowing them to steal your company’s data, gain unauthorized access to financial accounts or otherwise disrupt operations.

2. Ransomware

Ransomware is a specific type of malware where bad actors lock a business’s systems or encrypt data then demand payment in exchange for restoration.

According to a recent survey, ransomware attacks are becoming more difficult to recover from. Compared to last year’s survey, 136% more organizations were forced to pay a ransom to recover their data—and SMBs continue to be a prominent target, with 56% of ransomware attacks targeting small businesses (i.e., those with up to 50 employees).

Hackers launch ransomware attacks by compromising vendor software—but there are other ways they take advantage of a business’s third-party connections to inflict damage. For example, if hackers compromise a vendor’s email system, they can pose as the vendor to send SMBs seemingly legitimate documents, such as invoices or contracts. Embedded with ransomware, these malicious documents activate upon opening, automatically encrypting an SMB’s files, locking their systems and demanding payment to restore order and system operations.

3. Phishing

Posing as a known vendor or other trusted source is a common tactic for cyberattackers to deploy ransomware attacks. But this attack method, called phishing, doesn’t start and end with duping employees into downloading infected files. Bad actors can also pose as vendors to steal sensitive data, initiate fraudulent payments or gain unauthorized access to business systems.

For example, a cybercriminal can call or email an SMB, impersonating their trusted vendor and tricking an employee into making payments or providing sensitive data, such as login credentials. It may seem simple, but these attacks are startlingly effective, as AI and deepfake technology make it easy for bad actors to pose as vendors with uncanny accuracy.

How SMBs Can Protect Themselves from Cyberattacks

In the wake of a cyberattack, businesses can face operational downtime, financial loss, a damaged reputation and even legal consequences if customer data is compromised. But while the repercussions can be frightening, there are manageable, practical steps you can take to fortify your cyber defenses.

  • Conduct security assessments: Regularly evaluate both your business’s and your vendors’ cybersecurity postures by running penetration tests, auditing third-party access and verifying vendor compliance with industry security standards.
  • Establish strong password policies: Enable multi-factor authentication (MFA) across all vendor portals and business accounts. Conduct training to educate all team members on good password hygiene and implement a password manager for secure storage.
  • Prepare disaster recovery plans: Create a comprehensive strategy to respond to cyber incidents, including steps to restore operations, secure offline data backups and minimize damage.

Cyberattackers are intelligent, agile and constantly adapting their strategies to find new ways to circumvent businesses’ defenses. That’s why the best cyber defense for SMBs is a community approach.

By collaborating with other retail SMBs through organizations like RH-ISAC, you can exchange best practices, share cyber intelligence and connect with industry peers to benchmark against each other and build better security for everyone. RH-ISAC’s new LinkSECURE Program offers a membership for small- to mid-size businesses to help those with limited resources mature their cybersecurity operations. The new program connects every participant with a dedicated success manager who evaluates their cybersecurity posture and guides them through critical security controls and safeguards.

Most SMBs may not be household names—but they’re increasingly grabbing the attention of cybercriminals. To protect your business from malware, ransomware, phishing and other cyberattacks, the best defense is taking a community-centered approach that finds strength in numbers.

ABOUT RH-ISAC

The Retail & Hospitality Information Sharing and Analysis Center is a cybersecurity-focused nonprofit helping retailers, hotels, restaurants and other consumer-facing businesses share threat intelligence and strengthen their defenses.

About Jacob Musselman

Jacob is the content coordinator for Hardware Retailing Magazine. A lifelong Hoosier, Jacob earned a B.S. in journalism and telecommunications with a minor in digital publishing from Ball State University. He loves making bagels, going to farmers markets with his wife Hannah and two dogs and watching Formula One.
