Common small business cyber threats and basic prevention methods

While it seems logical for cybercriminals to attack big companies and steal more information, 43% of all cyber-attacks target small businesses, according to Accenture. And out of those SMBs, only 14% are ready to defend themselves against those threats.

Recognizing that securing your cyber ecosystem is within your control is the first step. Together with our partners from Mastercard, we hand-picked the most common small business cyber threats and the basic actions you can take to keep your small business digital environment as safe as possible.

Credential Theft

Your digital credentials are part of your proof of identity, similar to your paper-based credentials.

Paper-based or non-digital credential examples include documents such as passports, birth certificates, drivers’ licenses, and more. They also include things you own such as keys or badges. These credentials help prove your identity by connecting common criteria such as date of birth, place of birth, gender, eye color, educational institute, etc.

Digital credentials, like paper-based credentials, help qualify and verify your identity. Examples include something you have, such as biometric information (fingerprints or irises); something you know, such as your email address and password; or something you own, like a USB token or credit card.

Credential theft is a cybercrime that involves stealing some or all of these credentials. Without them, you can’t cross physical borders or get paid, and you certainly do not want them to fall into the wrong hands. Once other people get hold of them, they can sell them to others or use them to access privileged areas of your business, such as customer financial or personal information.

Passwords are like underwear, you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.

Chris Pirillo, Author and Tech expert

  • Don’t share credentials with unauthorized people – Don’t share them with unauthorized team members, and certainly not with your customers. According to the IBM Cost of a Data Breach Report 2020, 80% of cyber-attacks on small businesses involved exposure of Personal Identity Information (PII). This information can be your email address and password login, but it can also include additional identifying factors such as date of birth, name of spouse, and biometric factors such as fingerprints or faces, as well as passwords.
  • Create strong passwords – To help prevent password theft, you can create strong passwords and use separate ones for each application or device. Also, remember to reset passwords from time to time.
  • Use multi-factor authentication (MFA) – Add another layer or level of authentication to prove your identity. Emails and passwords are not enough. Extra security factor examples are things that only you know or have, such as questions you want to keep secret (e.g. the name of your first pet) or an image of your face. It’s like adding more locks on your doors. Remember those, when you had face-to-face customers, before lockdowns? And for those businesses that have reopened, it’s still important to use MFA while working online.
  • Store passwords on an external device – Do not store passwords on your computer. Use an encrypted cloud application, a password manager or keeper, or an external drive.

Phishing Attacks

After stealing your credentials, cybercriminals can carry out phishing attacks. These happen when bad actors impersonate your website address or send out emails on your behalf to your customers or leads.

By trusting the sender or website, recipients can be tricked into handing over their own credentials, thus creating secondary identity theft. With this information, cybercriminals can use financial credentials to make online purchases or commit additional crimes.

ExpertInsights cited phishing attacks as being “the biggest, most damaging and most widespread threat facing small businesses.” Their report cites phishing as accounting for 90% of all breaches, having increased 65% from 2019 and causing business losses of over $12 billion.

  • Claim your brand – Brand your email and website with free tools such as DMARC. This authentication method helps you add greater assurance regarding the ownership of a website or identity of an email sender.
  • Educate your team – Educate your customers and team members to report suspicious emails or links, look-a-like logos, or other spoof sites.
  • Alert and remediate – Some free tools can send reports and alerts when phishing attacks are imminent. You can also decide, ahead of time, what methods to use to block or catch the spammer.


Ransomware

Ransomware is malicious software aimed at infecting your computer or mobile device. After successfully attacking your system, it displays a message demanding that you pay the hacker to fix the damage before you can resume work. This type of malware is a cybercrime designed to make money by tricking you into clicking on links in email messages, texts, or on websites. Some ransomware can even lock your screen or encrypt critical files with a password.

Scareware is a type of ransomware that uses scare or intimidation methods to trick victims. These tactics include fake anti-virus software or repair tools. They display text or play audio messages (sometimes with bells or alarms) warning vulnerable users that their computers have been infected. Then they ask for ransom (payment) in order to “fix” them.

In its Mid-Year Threat Landscape Report 2020, Bitdefender claims that ransomware incidents have risen by 715% year over year.

  • Back up your data – Protect your digital assets by backing up your data on devices or servers not connected to your main network. Don’t keep only one copy of all your business information.
  • Separate your devices – If you store and protect the information on a regular basis on more than one device, you can still go on working even if the criminals have threatened to destroy your data.
  • Reset identities – If you have a backup of stolen credentials, you will be able to reset them, thus making the stolen credentials useless.


Malware

Malware is bad software. It’s bad not because it’s poorly designed but because it’s intentionally meant to hurt a business by damaging its network, website, or devices.

From trojan horses to viruses, worms to spyware, small businesses have a reason to be wary. Hackers can inject infected code into software programs or files that are transmitted to your computer through innocent-looking USB flash drives (disk-on-keys) or laptops. While attacks through Bluetooth or tethering can also occur, 94% of malware is delivered via email.

  • Take stock – Keep track of your inventory of devices, including BYOD mobile phones and laptops. Beware of USBs and smart cards that your system does not recognize.
  • Keep up to date – Regularly update antivirus programs, patches, and systems. The latest versions of protection software can help you reduce hacking through hardware or software devices that you normally trust.
  • Be careful online – While working from home or joining video meetings, make sure you’re using a platform that has security measures in mind.

2021 continues to show an onslaught of cyber-attacks including but not limited to ransomware, phishing, and malware. While larger businesses can pay a security vendor to help evaluate what digital assets they need to protect, SMBs don’t always have the budget, IT team, or security officer to set up cybersecurity practices.

But you don’t have to remain open to threats. There are still simple steps that you can take to help secure your cyber ecosystem and help reduce human error.

Check out free cyber security resources and tools recommended by Mastercard:

While no method or tool is 100% guaranteed, you can mitigate attacks considerably and help reduce the extent of their damage. Be proactive and start setting up your cybersecurity ecosystem today!

The unpredictable nature of human behavior and actions make human an important element and enabler of the level of cybersecurity.

Rachid Ait Maalem Lahcen, Mathematician and Researcher