The 2024 Cybercrime Threat Report: Key Insights and Trends

Ransomware stands as the biggest existential cyber threat to small businesses, with other threats on the rise.

Cybercrime affects everyone, but small businesses feel the impact the most. While cyberattacks on large companies and government agencies dominate the news, small businesses, typically defined as organizations with fewer than 500 employees, are more vulnerable to cybercriminals and suffer proportionally more from these attacks. Factors like a lack of experienced security operations staff, underinvestment in cybersecurity, and smaller IT budgets contribute to this vulnerability. When small businesses are hit by cyberattacks, the cost of recovery can be so high that many are forced to shut down.

Small businesses are crucial to the economy. The World Bank reports that over 90% of businesses worldwide are small- and medium-sized enterprises, accounting for more than 50% of global employment. In the United States, small and medium businesses generate over 40% of overall economic activity. Throughout this report, we will use the terms small- and medium-sized businesses or organizations interchangeably, reflecting their similarity in our data.

In 2023, over 75% of customer incident response cases handled by Sophos’ X-Ops Incident Response service involved small businesses. This data, along with telemetry from our small- and medium-sized business protection software, provides unique insights into the daily threats these organizations face.

Our findings, based on this data and Sophos threat research, reveal that ransomware remains the most significant threat to smaller organizations. However, other threats also pose serious risks to small businesses:

  • Data Theft: Most malware targeting small and medium businesses focuses on data theft. Password stealers, keyloggers, and other spyware accounted for nearly half of malware detections. Credential theft through phishing and malware can expose sensitive business data on cloud platforms and service providers, and network breaches can be used to target their customers as well.
  • Web-based Malware Distribution: Attackers are increasingly using web-based methods, such as malvertising or malicious search engine optimization (“SEO poisoning”), to distribute malware. These tactics help them bypass the blocking of malicious macros in documents and use disk images to overwhelm malware detection tools.
  • Unprotected Devices: Unprotected devices connected to networks—including unmanaged computers without security software, improperly configured systems, and outdated software—are a primary entry point for cyberattacks on small businesses.
  • Abuse of Drivers: Attackers are increasingly exploiting vulnerable drivers from legitimate companies or using malicious drivers signed with stolen or fraudulently obtained certificates to evade and disable malware defenses on managed systems.
  • Sophisticated Email Attacks: Email attacks are evolving from simple social engineering to more active engagement with targets. Attackers use email threads and responses to make their lures more convincing.
  • Mobile Device Attacks: Attacks on mobile device users, including social engineering scams on third-party services and social media platforms, have grown exponentially. These attacks affect both individuals and small businesses, ranging from business email and cloud service compromises to pig butchering (shā zhū pán) scams.

Small businesses must stay vigilant and invest in robust cybersecurity measures to protect themselves from these evolving threats.

Your Data is the Prime Target

Protecting data is the biggest cybersecurity challenge facing small businesses—and organizations of all sizes. Over 90% of attacks reported by our customers involve data or credential theft in some form, whether through ransomware, data extortion, unauthorized remote access, or outright data theft.

Business Email Compromise (BEC) is a significant issue for small-to-medium businesses. While our sister publication, the Active Adversary Report, does not currently cover BEC, the authors estimate that in 2023, BEC incidents were identified more frequently by our Incident Response team than any other type of incident, except ransomware.

Stolen credentials, including browser cookies, can facilitate business email compromise, grant access to third-party services like cloud-based finance systems, and provide entry to internal resources that can be exploited for fraud or other monetary gain. These credentials can also be sold by “access brokers” to anyone looking to exploit them. Sophos has tracked offers on underground forums claiming to provide access to the networks of several small and medium businesses.

Small businesses need to be aware of these threats and take proactive measures to secure their data and credentials, safeguarding against potential breaches and their damaging consequences.

Data Theft Dominates Malware in 2023

In 2023, nearly half of all detected malware targeted victims’ data. Most of this malware falls under the category of “stealers”—programs designed to grab credentials, browser cookies, keystrokes, and other valuable data that can be sold or used for further exploitation.

Due to malware’s modular nature, it’s challenging to categorize it solely by functionality. Almost all malware can steal some form of data from targeted systems. These detections don’t include other methods of credential theft, such as phishing via email, text messages, and social engineering attacks. Additionally, macOS and mobile devices are targeted by malware, potentially unwanted applications, and social engineering attacks, especially those aiming for financial data.

Small businesses must recognize the pervasive threat of data-stealing malware and implement robust security measures to protect their sensitive information.

Diverse and Dangerous: The “Other” Category of Malware

Nearly 10% of detected malware falls outside the four major categories we commonly see. This “other” category includes malware that targets browsers to inject advertisements, redirect search results for profit, or modify and collect data in various ways to benefit the malware developer.

Some stealers have very specific targets. For instance, Discord “token” stealers are designed to steal credentials from the Discord messaging service and are often used to deliver other malware through chat servers or Discord’s content delivery network. In contrast, other leading stealers like Strela, Raccoon Stealer, and the RedLine stealer family are much more aggressive. They collect passwords stored in the operating system and applications, as well as browser cookies and other credential data. Raccoon Stealer even deploys cryptocurrency “clippers” that swap crypto wallet addresses copied to the clipboard with an address controlled by the malware operator.

Small businesses need to be aware of these diverse threats and take comprehensive steps to protect their systems and data from this wide array of malicious software.

Rising Threat: Information-Stealing Malware Targets macOS

We’ve seen a rise in information-stealing malware targeting macOS, and we believe this trend will continue. These stealers, some of which are sold on underground forums and Telegram channels for up to $3,000, can collect system data, browser data, and crypto wallets.

As macOS users become more targeted, it’s crucial for individuals and businesses using these systems to enhance their security measures and stay vigilant against these evolving threats.

Ransomware Remains a Top Threat for Small Businesses

Ransomware continues to be a major threat for small businesses. Although it represents a relatively small percentage of overall malware detections, its impact is profound. Ransomware affects businesses of all sizes across all sectors, but small- and medium-sized enterprises are hit most frequently. In 2021, the Institute for Security and Technology’s Ransomware Task Force found that 70% of ransomware attacks targeted small businesses. Our metrics confirm this trend, even as the total number of ransomware attacks varies year to year.

In 2023, LockBit ransomware was the top threat in small business security cases handled by Sophos Incident Response. LockBit, a ransomware-as-a-service delivered by numerous affiliates, was also the most deployed ransomware of 2022. These attacks often exploit unprotected servers, personal devices, and network appliances connected to organizations’ Windows-based networks. While defense-in-depth strategies can prevent these attacks from taking entire organizations offline, they still leave businesses vulnerable to data loss and theft.

Windows systems are not the only targets. Ransomware developers increasingly use cross-platform languages to create versions for macOS and Linux operating systems. In February 2023, a Linux variant of Cl0p ransomware was discovered to have been used in a December 2022 attack. Since then, Sophos has observed leaked versions of LockBit ransomware targeting macOS on Apple’s processors and Linux on multiple hardware platforms.

Small businesses must remain vigilant and implement comprehensive cybersecurity measures to protect against these evolving ransomware threats.

Protect Your Business from Cyberthreats with Intech Hawaii’s Cybersecurity Solutions

At Intech Hawaii, we specialize in empowering businesses with robust cybersecurity solutions to safeguard your operations. Our tailored approach integrates advanced technologies and expert guidance to protect sensitive data and maintain operational continuity. Whether you’re aiming to enhance data security, mitigate risks, or meet regulatory requirements, Intech Hawaii provides comprehensive IT solutions that support your business goals. Learn more about how we can elevate your cybersecurity posture at Intech Hawaii.