Times are changing. While that phrase gets overused in normal years, in 2020, it is an extremely accurate description of what people and businesses are experiencing every day. Dynamic transformations are becoming a regular part of our work and personal lives. Between adapting to a work-from-home environment and wearing uncomfortable masks in public places (hats off to frontline workers who go through that every day) to canceling exciting summer activities, this is a year of firsts for most everyone.
Of course, change also breeds uncertainty. Anxiety tends to rise when people don’t know what may come next, alter their work routines and locations, and worry about the health of family members and friends (as well as their own). Significant changes also increase mistakes and can encourage employees to take shortcuts, both of which should cause concern for businesses.
IT security is one area that organizations cannot afford to let slip. With all the disruptions and displaced workers, businesses must ensure their data protection tools, processes, and policies are up to date and professionally managed. That helps explain why the value of experienced cybersecurity specialists continues to rise.
With so much uncertainty and less than optimal IT environments, the fear factor is also growing among business owners, many of whom are scrambling to pull together all the new pieces (and protection measures). MSPs should continue to emphasize all the vulnerabilities facing their clients.
Here are ten current cybersecurity threats that should strike fear in the SMB:
- Password management
Face it, unless someone has implemented policies, protocols, and technologies to protect all credentials in your clients’ IT ecosystem, it is just a matter of time before cybercriminals make their move. Poor password management is a tremendous risk on its own. When you combine those practices with a WFH environment, with unsecured networks and devices and lax controls, the resulting breach or attack could devastate any small business.
- Phishing
COVID-19-related email scams are just one of the issues MSPs and their customers have been dealing with over the past three-plus months. With heightened interest in a number of recent activities, people are all too eager to open attachments and click links sent by random strangers disguising themselves as legitimate business contacts. From updates on their PPP loans and other government incentives to the latest information on the July 15th tax deadline, phishing attacks are escalating at an alarming rate. Experts predict the quality and quantity of those fake messages to rise as states reopen and the election season approaches.
- Insider attacks
Most businesses trust their employees will always do the right thing. However, that kind and generous approach can spell disaster for IT systems if workers are left unchecked, a severe concern when so many organizations are adopting a remote work environment. According to a recent industry study, 60% of companies experienced insider attacks in the past year, with 68% of respondents feeling “extremely to moderately” vulnerable to computer-related fraud, theft of confidential information or intellectual property, or system sabotage.
- Social engineering
Imagine what happens when businesses upend the weakest link in their cybersecurity ecosystem. Without proper policies and checks and balances, the WFH movement will fundamentally weaken data protection processes and elevate the risk for workers and their employers. Skilled cybercriminals understand how easily people can be manipulated. From executive email and phone call impersonations approving financial transactions or requesting information to elaborate phishing attacks, business-related scams are typically more successful when employees lack supervision and proper cybersecurity training. Offering and managing end-user training for your clients should no longer be an option, especially for remote workers (make it mandatory)!
- Patch Management
This is one of the most frequent causes cited in network security breaches. Automated patch management software lessens the risks of data compromises and infections, protecting your clients from the easily rectified vulnerabilities in the myriad of applications they use to run their businesses. With so many endpoints in physically inaccessible locations, including remote workers’ laptops and mobile devices, the latest tools are a must for every business and the MSPs who support their operations.
- Ransomware
The hits keep coming for vulnerable organizations. A recent Microsoft assessment shows that ransomware attackers are thriving during the pandemic, targeting hospitals, municipalities, and essential businesses when downtime could risk lives and cause other significant issues in already hard-hit communities. Cybercriminals have no morals, just a bottom line, which means MSPs must work more proactively to monitor for and neutralize ransomware attacks.
- Lack of BYOD Policies
When states required “non-essential” organizations to close or send employees home to work months ago, supply chain issues and IT resource limitations forced many to use personal devices to conduct business. In some cases, workers began accessing corporate systems using unsecured laptops, PCs, and yes, even gaming systems (based on recent podcast discussions with security experts). With weak or no Bring Your Own Device (BYOD) policies, those companies were at significant risk for cyberattacks and security breaches, and many MSPs scrambled to shore up data protection for businesses in this situation.
- Outdated Technology/Hardware
One of the most common risk factors MSPs are discussing in security forums as of late is the need to replace obsolete equipment. While some of the more humorous conversations involve the rare find of a Windows 7 system, the real risks appear to include hardware that no longer allows updates for the latest patches and security measures. Devices that rely on older applications are also more susceptible to cyberattacks, especially when workers are using those systems on unsecured home networks. A global pandemic may not seem like the best time to pitch refresh initiatives to cost-sensitive clients. However, with a hardware as a service (HaaS) option and applications to manage warranties and identify outdated systems, you can increase your MSP’s wallet share while reducing capital expenses for many customers.
- Internet of Things (IoT)
Gartner predicts there will be approximately 21 billion connected things by the end of 2020. With so many unsecured endpoints, and many workers using home networks attached to some of these less “devices,” businesses should focus on doubling down on their protection layers. Implement strong passwords and authentication steps for all IoT-enabled solutions, as well as encryption to block access to valuable data from prying eyes (and fingers when hackers are involved).
- Distributed Denial of Service (DDoS) attacks
These incidents prevent authorized users from accessing business systems, devices, and network resources. Attackers may target company email, websites, banking and commercial accounts, cloud services, and other computer-based applications. Denial-of-service attacks overload the host system or network with traffic until the target slows significantly or entirely shuts down and blocks access for legitimate operators.
Businesses should always fear the unknown, especially things that may raise their cybersecurity risk profile. However, with your support and the right tools, even companies with totally remote workforces can enjoy a little peace of mind. Do you have all the bases (in this case, the risks listed above) covered for your clients?
If not, IoTSSA can help. Our Beyond the Curve Cyber Stream Series brings industry experts and MSPs together to discuss the risks and opportunities that lie ahead. This live-streamed event will take place on three consecutive afternoons in two-hour segments for your convenience and is free for all employees of IT Services Provider companies. Check out the sessions and speakers and register today to save your seat for these MSP business-enhancing discussions.
Brian Sherman, IoTSSA Content Director