Verizon’s 2018 Data Breach Investigations Report (DBIR) makes clear that data breaches and cyberattacks can affect businesses of all types and sizes.
Yet small business owners may want to pay particularly close attention to this year’s results.
For 2018, the company’s findings were drawn from 53,308 incidents and 2,216 confirmed data breaches. Well over half (58 percent) of the data breaches tracked by Verizon’s security researchers occurred at small businesses, organizations with 1,000 employees or fewer, cementing the notion that cyberattackers, for the most part, don’t discriminate between large and small prey.
“Nobody is immune to this,” Verizon security researcher and report co-author Mark Spitler told Small Business Computing. “Everybody can be a target of opportunity.”
Even so, there’s a certain logic to ensnaring small businesses, noted Spitler. They are often innovators developing new technologies, thereby catching the attention of state-affiliated cyber-espionage groups. And echoing the hopes of ambitious entrepreneurs, many “won’t be small businesses forever.”
Yet, there are still some types of businesses that are getting hit more often than others. Small business owners in the accommodation (think hospitality) and food services industry should know that their point-of-sale systems are often in the crosshairs of scammers.
For 2017, Verizon recorded 368 incidents, 338 of which resulted in confirmed data disclosures. Ninety percent of breaches in this industry vertical can be traced to POS systems, and unsurprisingly, nearly all (99 percent) were financially motivated. Somewhat encouragingly — at least for employers who like trusting their employees — the vast majority (99 percent) of those responsible for these breaches are external threat actors rather than insiders.
Stolen credentials are the biggest source of trouble (81 percent). Typically, they are stolen from POS service providers and then used to compromise the POS systems of their customers, the unsuspecting hotel or restaurant owners.
In fact, among all confirmed breaches, only databases outranked POS terminals and POS servers in Verizon’s list of top assets involved in a breach.
Beware Financial Pretexting
Spitler also warned about financial pretexting, a social-engineering attack that takes a little more finesse than the typical phishing or spear-phishing campaign.
Attackers have two favorite targets in mind when they make their pretexting attempts: the finance department and human resources (HR). In both cases, the attacker will impersonate an executive, high-level employee or trusted colleague, often using legitimate email accounts that were compromised, to engage in a little back-and-forth with a target. Failing that, they may use spoofed accounts that bear a strong resemblance to the real thing.
Workers in the financial department may be pressured to transfer funds quickly or settle fake invoices at the insistence of the CEO, Spitler said. Someone in the HR department may get a request for a batch of completed W-2 forms that seems to come from a payroll service. In the wrong hands, that information can be used to commit tax fraud.
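The impersonation pattern described above (an executive’s name on a message sent from a lookalike domain, a mismatched Reply-To, and pressure to pay or send records) can be screened for at the mail gateway before a request ever reaches finance or HR. The following is an added example written for this article, not code from Verizon or the DBIR; the internal domain `example.com`, the executive directory, the keyword list and the three sample messages are all constructed here for illustration.

```python
"""Triage inbound mail headers for executive-impersonation (pretexting) signals.

Assumptions (constructed for this example):
  - INTERNAL_DOMAIN is the organisation's own mail domain.
  - EXECUTIVES maps a display name to the only address that name may legitimately use.
  - SAMPLES are hand-written messages, not real traffic.
"""
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"pat doe": "pat.doe@example.com"}       # constructed directory

# Phrases typical of payment or payroll-record pressure (constructed list).
PRESSURE_KEYWORDS = ("urgent", "wire", "w-2", "invoice", "immediately")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str, threshold: float = 0.8) -> bool:
    """Flag a domain that is not ours but is textually very close to ours."""
    if domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= threshold


def assess_headers(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    findings = []

    # 1. Executive display name paired with a different sending address.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display name matches an executive but the address differs")

    # 2. Sender domain is a near-copy of our own domain.
    from_domain = domain_of(from_addr)
    if from_domain and from_domain != INTERNAL_DOMAIN and is_lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Replies would go somewhere other than where the mail claims to be from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. Subject carries payment / payroll-record pressure language.
    if any(k in subject.lower() for k in PRESSURE_KEYWORDS):
        findings.append("subject contains payment or payroll pressure language")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike_spoof": (
        'From: "Pat Doe" <pat.doe@examp1e.com>\n'
        "Reply-To: pat.doe@gmail.com\n"
        "Subject: URGENT: wire transfer needed today\n"
        "\nPlease handle this before noon.\n"
    ),
    "legitimate": (
        'From: "Pat Doe" <pat.doe@example.com>\n'
        "Subject: Quarterly update\n"
        "\nSlides attached.\n"
    ),
    # A compromised real account: name and domain checks pass, only the
    # Reply-To and content heuristics still fire.
    "compromised_account": (
        'From: "Pat Doe" <pat.doe@example.com>\n'
        "Reply-To: finance-desk@mail.example.net\n"
        "Subject: Please settle the attached invoice today\n"
        "\nThanks.\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {assess_headers(raw) or 'no findings'}")
```

The third sample is the case the article singles out: when the attacker writes from a genuinely compromised executive mailbox, the name and domain checks are silent, and only the Reply-To mismatch and the content heuristics remain. That is why header screening should be paired with an out-of-band confirmation step for any payment change or bulk W-2 request, regardless of who the message appears to come from.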
Scammers are very motivated to stage these types of attacks. According to the report, financial pretexting has been the cause of “numerous six-figure losses.”
In 2017, pretexting accounted for 170 incidents (and 114 confirmed data breaches) compared to 61 incidents in the prior year’s report. Much of the increase can be attributed to an increase in incidents, 83 in fact, that involved HR staffers.