Today’s cyber thieves aren’t lone hackers working from their basements. Cybercrime increasingly has become full-fledged enterprises, complete with CFOs, HR teams and research and development budgets—and this “professionalization” of cybercrime presents a growing risk for small businesses, Microsoft Canada’s National Security Officer warns.

Data from the Insurance Bureau of Canada found that 41 per cent of small businesses that experienced a cyber attack had losses greater than $100,000. And Microsoft’s John Hewie says the target on smaller organizations is only getting bigger.

“Over the last few years, we’ve seen a whole new ecosystem of criminal players in this space,” says Hewie. “It’s become easier and more cost effective for attackers to target small businesses.”

Leaving the loot unguarded

Many small businesses really embraced digital during Covid to stay afloat, Hewie says, but they may not have considered how to do with security in mind. 

“Smaller organizations are typically focused on their core business which is their passion,” Hewie says. “They’re making beer. Running a retail store, a legal practice or a dental practice. Traditionally they haven’t had to focus on these types of things, so they don’t have cybersecurity professionals on staff, they don’t have a lot of knowledge about cybersecurity best practices. They typically haven’t invested a lot of their time into securing their accounts or implementing great backup strategies.”

But staying safe doesn’t have to mean bringing on a team of expensive in-house IT experts. According to the Canadian Small Business Cybersecurity Survival Guide, which Hewie authored in partnership with the Canadian Chamber of Commerce, businesses can protect against 98 per cent of cyber attacks simply by putting some best practices in place. 

“There are a lot of things smaller organizations can do,” says Hewie. 

Thieves don’t break in, they log in

“The important thing to know,” says Hewie, “is that attackers typically don’t have to break in—they can simply log in.”

What Hewie means is that most cybercriminals exploit common weaknesses—things like easy-to-guess passwords or use deceptive phishing emails—to obtain employees’ legitimate login credentials and gain access to businesses’ networks. 

“Once they have a foothold in the organization and the right level of access, they’ll use different extortion models,” Hewie says.

Ransomware scams, in which thieves hold a company’s data captive unless they pay a large sum of money, are becoming an increasingly common tactic. “We’ve seen a number of patterns criminals are using to increase the victim’s motivation to pay. This includes not only encrypting a victim’s data and demanding a ransom for the decryption key, but also threatening to leak or sell your sensitive data,” says Hewie. 

Another common scam is business email compromise. “This is where someone within the organization falls victim to a phishing attack and inadvertently gives away their login credentials which compromises the account. The adversary then uses that account to target other employees. This might involve sending an email from the compromised user’s account to the finance team to change the banking information for a legitimate supplier, so the next invoice payment goes to the criminal’s bank account. Or if they succeed in compromising an account of a senior manager, they’ll might send an email to a subordinate requesting that employee ‘Go buy gift cards for a marketing event and send me the codes.’ Business Email Compromise is one of the most financially impactful scams we see impacting small and medium businesses,” Hewie says.

Security by default

The good news is it’s also getting easier for small businesses to protect themselves without a huge security investment. For starters, Hewie recommends using multi-factor authentication (MFA) to make it much more difficult for criminals to gain access to accounts using usernames and passwords alone. “That’s the number one recommendation,” he says. “Protecting your important accounts using strong and unique passwords along with MFA prevents most account compromises.”

To that effect, Microsoft is continually investing to make security more intuitive by implementing best practices within the native settings of its solutions. “We make every effort to ensure the most secure configurations are employed by default. Using Windows Hello to logon to your laptop using facial recognition is a good example of improved security with a simpler user experience. Our cloud solutions also are designed to guide users towards secure configurations.” Hewie says.  And while he acknowledges that cybercrime isn’t going away anytime soon, “when small businesses invest in the best practices outlined in the Canadian Small Business Cybersecurity Survival Guide, they have a much greater chance of staying safe.”