By Joel Snyder

For small businesses, 2020 was especially brutal. For IT teams, ultra-tight budgets and general chaos shifted security to a lower priority — just as work-from-home (WFH) arrangements and transitions to the cloud became top priority. In 2021, we can expect cybercriminals to adjust their tactics to take advantage of these changes in the profile of their small business targets. Let’s look at the top attack vectors, and what small business IT teams can do to stay ahead of the bad guys.

Credential theft

Stealing passwords through malware, impostor websites, keyloggers and other tools has been popular for a while. But 2020 turned up the heat: As IT teams turned on new virtual private network (VPN) services to accommodate remote work, more avenues for attack opened up.

This year is the time to make those stolen or cracked credentials useless to an attacker. The fastest way out is two-factor authentication (2FA), a technology that has become surprisingly cost-effective for small businesses. Just about everyone has a mobile device nearby, and soft token applications are available in app stores at zero cost. Open source options and extensions to existing authentication services like Active Directory and RADIUS offer lots of options to deploy 2FA in less than a day.

Phishing, vishing, smishing

Cybercriminals will try anything to convince someone to open their message or click on their link. In 2020, the increasing availability of data dumps from compromised e-commerce sites helped to link email addresses, cell phone numbers and names together. This is giving attackers even better social engineering tools. Imagine how much more convincing SMS phishing is when the attacker already has your name and email address to pre-fill a form or tell you why you need to reset your password.

Small business IT teams need to continuously keep multichannel user education updated to reflect changing tactics by the bad guys. Include examples of actual fraudulent messages your company receives to show staff what to look out for.

Ransomware

Ransomware authors are still on the prowl, and the protections that large businesses have put in place have shifted the focus to small businesses. With today’s WFH focus, attacks are now targeting users far from the corporate network, something for small business IT teams to worry about.

Cracking ransomware is hard, but removing it is easy when you maintain good backups. If someone gets ransomware, simply wipe the disk and restore from a backup and the problem is usually gone. The difficulty is that most small business IT teams have assumed that users will be in the office — and remote work breaks that paradigm. To keep ransomware in check, extend backup technology to WFH users. The easiest approach is to shift to cloud-based services, available on both desktop and mobile operating systems.

Personal devices accessing corporate systems

When checking in with the office meant glancing at email on a mobile device, minimal protections were all that small business IT needed. The bad news is that in 2020, users began mixing personal and business computing on the same devices more than ever, and that’s a recipe for a security disaster.

The key is to isolate, even when users are mixing work and Facebook on the same device. For mobile users, it’s easy; smartphone tools offer compartmentalized home/work profile configurations that create an almost seamless isolation of different uses on the same device. Desktop is a bit more complicated, but it’s worth the effort. You’ll need to set up separate accounts and educate end users on the importance of switching accounts as they go back and forth between work and personal tasks.

Cloud computing

Cloud computing products, including Google and Microsoft collaboration tools, or more specialized products such as cloud-based mobile device management (MDM), are a huge win for small business IT teams. Securing end-user accounts doesn’t change when the target is cloud-based software-as-a-service (SaaS) applications. Strong passwords, 2FA and an investigation of the specific features available to increase security are all starting points.

Not unique to 2020, but certainly increasing year after year, is the discovery that hackers are going after the management tools for your SaaS applications directly, because they’re hanging out there on the internet open for anyone to attack.

Protecting against SaaS-specific management problems means that the IT team has to shoot higher and deliver a level of maturity that is uncharacteristic for small business IT. Any use of cloud services needs to have a clear plan for dealing with lost credentials and disgruntled employees, with backup accounts and a way for the business owner to take things over at a moment’s notice. At the same time, cloud services should be set up with maximum security. 2FA for the management interface, dedicated administrator accounts and alerts on security problems going to multiple team members are starting points; IT teams should build on those with more service-specific features.
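The starting points listed above can be checked mechanically against an export of a SaaS tenant's accounts. The following is an added example, not code from the article or from any vendor; the inventory is constructed, and every field name (`held_by`, `daily_use` and so on) is a hypothetical stand-in for whatever your service's admin export provides.

```python
# Constructed inventory; every field name here is hypothetical.
ACCOUNTS = [
    {"login": "admin-pat", "held_by": "pat", "admin": True, "mfa": True, "daily_use": False},
    {"login": "sam", "held_by": "sam", "admin": True, "mfa": False, "daily_use": True},
    {"login": "admin-kim", "held_by": "kim", "admin": True, "mfa": True, "daily_use": False},
    {"login": "lee", "held_by": "lee", "admin": False, "mfa": True, "daily_use": True},
]
STAFF = {"pat", "sam", "lee", "robin"}  # kim has left the company
OWNER = "robin"
ALERT_RECIPIENTS = ["pat@example.com"]


def audit(accounts, staff, owner, alert_recipients):
    """Return findings for one SaaS tenant, in a stable order."""
    findings = []
    admins = [a for a in accounts if a["admin"]]
    for a in admins:
        if not a["mfa"]:
            findings.append(f"{a['login']}: admin without 2FA")
        # A dedicated admin account is not used for mail or daily work,
        # so a phished everyday login does not carry admin rights.
        if a["daily_use"]:
            findings.append(f"{a['login']}: admin rights on a daily-use account")
        # Departed or disgruntled staff must not keep management access.
        if a["held_by"] not in staff:
            findings.append(f"{a['login']}: admin held by non-staff '{a['held_by']}'")
    # Lost credentials must not lock the business out of its own tenant.
    usable = [a for a in admins if a["held_by"] in staff]
    if len(usable) < 2:
        findings.append("fewer than two admins held by current staff")
    if not any(a["held_by"] == owner for a in usable):
        findings.append(f"owner '{owner}' has no admin account to take over with")
    if len(set(alert_recipients)) < 2:
        findings.append("security alerts reach fewer than two people")
    return findings


if __name__ == "__main__":
    for line in audit(ACCOUNTS, STAFF, OWNER, ALERT_RECIPIENTS):
        print("FINDING:", line)
```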

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice.
