Startups are easy targets for cybercriminals unless the founders have been careful to instil security as a core value in the organization from the very beginning. Vulnerabilities may take root in the very idea of how a product should work.
Hackers count on startups and small businesses to lack maturity in terms of security. They do not expect employees to receive security and data privacy training. And they are mostly right in their assumptions. Small businesses are targeted in 43% of cyber-attacks. The key to survival is preparedness.
This post discusses the most common and dangerous types of cyber threats that startups may expect to face in 2023.
Common cybersecurity threats faced by small businesses and startups
91% of all cyber attacks start with a phishing email. Hence, it is fair to start off the discussion with phishing.
Phishing is a type of social engineering attack that uses communication channels like emails, and SMS to coax people into sharing sensitive information or downloading a malware payload. It is the most common type of attack regardless of the size of a business.
Startups are especially vulnerable to phishing owing to the absence of advanced security measures in the early stages.
How does phishing work?
The attackers impersonate a reputable organization or a known individual to send an email to the targeted individual. The email might ask the individual to share a piece of sensitive information, click a link that will take them to a malicious site, or click on a PDF link that will download some malware on the targeted system.
Suppose a person has an account with an HR management software. Now, she receives an email from that HR management software that tells her she has been logged out of her account. It also tells her if she doesn’t log back in, she might lose access to her account, leading to obstruction of pay. The email also has a link that she can click to enter the login portal.
Struck by the sense of urgency, she clicks on the link and tries to log into her account with her credentials.
Unfortunately, the email was from a phisher and the link was to a malicious site that is (almost) identical to the original site. When the victim entered her credentials, they were stolen.
Thus, the phisher will have access to her account on that particular software, leading to the leakage and deletion of crucial data. The attacker can hold the account hostage for ransom or create a backdoor to maintain and escalate access.
Why is phishing dangerous for startups?
Phishing is especially damaging for new businesses as they are less likely to have adequate preventive measures like exclusive access to resources through a password manager and multi-factor authentication for all applications, among other things.
For instance, in the previous example, if the victim’s account was protected by multi-factor authentication, the hackers wouldn’t be able to gain access to it despite having the credentials.
Phishing can be used to perpetrate more dangerous cybercrimes than just credential theft. They can be used to deliver ransomware, create a backdoor, and conduct supply chain attacks.
Ransomware refers to malware designed to encrypt information systems and/or the information contained in them so that such systems and data are inaccessible to legitimate users. The attackers demand a ransom (mostly in Bitcoin nowadays) in exchange for the decryption key.
Ransomware gangs frequently target small businesses; the average ransom demanded is $116,000.
On average, 1.7 million ransomware attacks occur every day in 2023, almost 20 attacks per second. A very tiny fraction of these attacks find success. There were 490 successful ransomware attacks reported in March 2023.
Ransomware attacks can be carried out by delivering the payload through email attachments, exploiting injection vulnerabilities or weak input validation on websites, or exploiting outdated/vulnerable software applications.
Organizations can avoid paying the ransom if the decryption key for specific ransomware is already available. The best bet is to be proactive and back up all data crucial to business operations.
Explaining human errors is easier than breaking through a computer’s security systems. Password-related malpractices allow hackers to achieve that. In fact, 74% of successful data breaches in 2022 involved the human element.
It is common knowledge that passwords need to be complex and hard to guess. Humans have processed that knowledge and adopted a strategy of creating passwords that are hard to guess for humans. The poor quality of the passwords is not among the biggest password-related security threats.
Passwords are reused
The behavior of using one password for multiple accounts enables the credential stuffing attack where hackers stuff stolen email and password combinations into a large number of applications to gain unauthorized access.
Passwords are shared in plaintext
Sharing sensitive personal data, including but not limited to login credentials in plaintext, can lead to the theft of such data through network sniffing, man-in-the-middle attacks, and Evil Twin attacks.
Passwords are forgotten and reset manually too often
When you click on the forgot password button to reset the password for your account with a third-party application, there is a minuscule chance that the link sent to you via email is malicious and you end up downloading some malware by clicking on it. It can compromise your system, steal your data, or open a backdoor for another attack.
Password managers are not mandatory in all workplaces
A robust password manager can remediate almost all password-related threats to a startup. It can automate the login process, eliminate the need for creating and remembering passwords, protect all login details with encryption, and prevent phishing attempts.
However, only 25% of employees across the globe are required to use a password manager for work, and only 34% actually use a password manager.
DDoS stands for Distributed Denial of Service and it is a startup’s worst nightmare.
A denial of service attack is performed by sending large amounts of fake traffic/requests to a server so much so that it becomes unresponsive to its legitimate users.
A distributed denial of service attack has an additional step. Hackers control thousands to millions of computers through malware infection and use all those compromised systems to create a botnet army. This entire army of computers spread across continents sends traffic to the targeted server.
DDoS attackers can demand a ransom to stop the attack, perpetrate the attack simply to disrupt business, or try to distract the security systems with the DDoS while preparing for a different attack. Similarly, it can be used to cloud the network activity logs to hide other more critical anomalies.
DDoS attacks can cause severe business downtime which can be fatal for a startup already grappling with finances.
SEO poisoning and malvertising
SEO poisoning is the process of using search engine optimization to place malicious websites high on the search engine results page.
Hackers target moderately popular keywords and try to get the top 2 or 3 places on the SERP when an internet user searches for the keyword.
They can also create a clone of a legitimate website and ensure that the clone appears ahead of the legitimate site on the SERP by optimizing its content and keywords. Startups pushing hard for the top place on niche keywords are especially targeted with SEO poisoning.
Some hackers take it a notch further by using ads to promote their malicious websites. This is called malvertising.
A cryptojacking attack starts with identifying and exploiting a vulnerability in a startup’s information systems, website, or people. Then, the attacker uses a code injection attack to inject crypto-mining malware into the startup’s system. This can be done by exploiting vulnerable channels – a user input field, a phishing email, etc.
The malicious code is designed to use the target’s CPU and GPU to mine cryptocurrencies by solving complex mathematical problems and adding new blocks to a blockchain. The hacker receives crypto rewards as a startup inadvertently invests computational resources in the cryptocurrency network.
For the startup, crypto-jacking leads to
- Increased energy costs
- Reduced productivity
- Damaged reputation
These cybersecurity threats discussed so far are pretty common for businesses of all sizes, especially fatal startups. Nevertheless, these attack types are quite old and can be thwarted relatively easily by implementing security policies, taking cybersecurity measures, and deploying high-quality application security software.
However, endpoint security solutions designed for corporate workstations may not work well on computers with developer tools installed.
Developers usually have privileged access to data and systems, they also enjoy certain security loopholes created to make their work smooth. These are reasons why developers are rapidly moving to the forefront of the list of targets.
Read more on how to choose the right cybersecurity tools for your startup
AI adoption by hackers and its impact on the cyber security threats
Open access to generative AI and LLMs has suddenly transformed the threat landscape. Security threats facing startups will change based on AI adoption by hackers.
AI to discover zero-day vulnerabilities
ChatGPT can be used to discover a zero-day vulnerability. It has been demonstrated by Steven Sims, the offensive operations curriculum lead for SANS. Sims provided ChatGPT with a piece of code that was vulnerable to the recently found SigRed DNS flaw. He used a handful of prompts to make the chatbot explore the code and find the vulnerability.
AI to write ransomware
ChatGPT does have protective measures against writing malicious code. But if you’re smart, you can break the process down so that the AI writes the malicious code without understanding the intent. This too has been demonstrated by Steven Sims.
AI for social engineering attacks
One of the key flaws in phishing emails was their grammatical incorrectness and generally bad language that didn’t fit with the individual or organization hackers tried to impersonate.
AI has solved that issue for malicious actors. With the ease with which ChatGPT can adapt styles and language usage, it has become easier for hackers to produce high-quality social engineering content to fool users.
In terms of defense against AI-based cyber attacks, startups must rely on preparedness, training, and a culture of security that makes it harder for threat actors to get in.
Improve your data breach response skills by exploring this comprehensive blog post on Data Breach Response Strategies for Small Businesses and Startups.
Security challenges are evolving. Hackers have more sophisticated automated tools now to identify vulnerable businesses. The DDoS attacks last longer now with a larger number of bots. Phishing sites are getting better every day. Smaller businesses cannot expect to avoid security incidents just because they are small.
Even a startup may be handling a good amount of data. Moreover, it may be connected to a bigger company for business. Hence, hackers have a lot to gain through a successful data breach in a startup.
As a CIO, CISO, or founder, you can install proper cybersecurity measures and deploy security tools like Attack Surface Monitoring systems, Intrusion Detection Systems, and Password and Access management solutions. The goal is to be more secure than the next business.