CEO Summary
Your primary focus should be on:
- Training your people to recognize phishing and business email compromise.
- Enforcing Multi-Factor Authentication (MFA) on every single cloud service, especially email and banking.
- Maintaining rigorous backups (with at least one set offline) to recover from Ransomware.
- Patching everything relentlessly, especially your core operating systems, key applications, and website plugins.
- Implementing simple financial controls, like mandatory verification for any large/unusual payment or change to vendor details.
- Plan Your Response, have an incident response plan that assumes a you will be compromised - "Assume Breach" mindset
By focusing on these foundational items, you can effectively mitigate the vast majority of the cyber threats you are likely to face.
For cloud hosted in-house developed applications - see the section below, Cloud Hosting Specific Threats.
Popular Cyber Security Attacks Against Small Businesses
Type | Description | Reasoning | Mitigation |
AI-Powered Phishing & Social Engineering | AI allows attackers to create highly convincing, personalized emails (spear-phishing) at scale, making it easy to trick a busy employee into clicking a malicious link or revealing login credentials. A single successful phishing email can be the entry point for ransomware or a BEC scam. | Small businesses typically rely on off-the-shelf solutions and less frequent training. No dedicated security teams to monitor and respond to threats. | Security Awareness Training & Simulated Phishing: Regularly train employees to recognize phishing attempts.
Advanced Email Filtering: Use an email security gateway that goes beyond basic spam filtering. Adopt Microsoft Defender for 365 or similar.
Multi-Factor Authentication (MFA): This is critical, enable everywhere. |
Ransomware | Destruction of data and randomly encrypting files once a malicous application has been launched.
Primary targets are local network file servers, but can also be exploited for OneDrive & Google Drive as well as Azure BLOB storage | A small business often have weaker defenses, outdated software, and—most importantly—a desperate need to get back online to survive. This makes them more likely to pay a smaller, "affordable" ransom. The impact can be catastrophic, causing immediate operational shutdown and significant financial loss. | Backup: Maintain regular immutable backups which cannot be deleted or tampered with (offsite)
Endpoint Detection and Response (EDR): Use modern antivirus/anti-malware that includes EDR capabilities.
Principle of Least Privilege: Ensure users do not have administrative rights on their local machines. |
Business Email Compromise (BEC) | Targets the finance department or anyone who can initiate payments. | A small business might not have strict payment verification procedures (e.g., requiring a secondary sign-off) | Strict Payment Verification Procedures: Implement a mandatory, out-of-band verification process for any transfer or change to vendor details.
Multi-Factor Authentication (MFA) on Email Accounts: This is the single most effective technical control to prevent an attacker from compromising the email account to send the fraudulent requests.
Clear Labelling for External Emails: Configure your email system to automatically prepend a warning to any email originating from outside the organization. This makes impersonation attempts easier to spot. |
Cloud Security Breaches & Misconfigurations | Incorrectly configured cloud permissions and resources & data shared externally by mistake | Small businesses are "cloud-first" by default, using Microsoft 365, Google Workspace, AWS, or Azure. However, they rarely have a dedicated cloud security expert. A single misconfiguration—like a publicly accessible cloud storage bucket, weak administrative passwords, or improperly shared documents—can expose sensitive customer data, financial records, or intellectual property. | Enable and Review Security Defaults: For platforms like Microsoft 365, turn on "Security Defaults" which enforces MFA and blocks legacy authentication protocols.
Enable Cloud Security Posture Management (CSPM): Microsoft Secure Score, AWS Security Hub
Strong Identity and Access Management (IAM): Adhere to the principle of least privilege. Regularly audit who has administrative access to your cloud consoles and remove unnecessary permissions. |
Insider Threats (Often Unintentional) | The negligent insider (Bigger threat for a small business)
This is an employee who accidentally leaks data, clicks a phishing link, or uses a weak password.
With fewer technical controls and a culture of trust, a simple mistake by one employee can compromise the entire business. | Robust Access Controls & Least Privilege: Employees should only have access to the data and systems absolutely necessary for their job.
Data Loss Prevention (DLP) Policies: Use basic DLP features in your Microsoft 365 or Google Workspace subscription. These can be configured to prevent users from accidentally emailing sensitive data like customer lists or financial reports to external addresses.
A Positive Security Culture: Foster an environment where employees feel comfortable reporting mistakes without fear of immediate reprisal. This allows you to contain a breach faster. | |
Software Vulnerability Exploits | Out of date software, operating systems and unsupported hardware | Small businesses are slow to apply security patches. An unpatched WordPress plugin, router, or old version of Windows can be easily scanned for and exploited by automated bots. This is often the initial entry point for ransomware.
This is often the method used to deliver the primary threats like Ransomware or to gain a foothold for data theft. | A Formalized Patch Management Policy: Implement a regular schedule to review and apply updates for all operating systems, applications, and firmware (routers, firewalls). This should be very regular minimum weekly.
Use a Vulnerability Scanner: Use affordable or built-in tools to periodically scan your network for devices with known vulnerabilities that need patching.
Automate Where Possible: Enable automatic updates for all end-user software and for non-critical business systems.
Outsource management of devices: Use a dedicated 3rd party to manage business hardware (laptops, networking) to ensure regularly maintaince. |
Least likely attacks against smaller businesses
Type | Reasoning | Mitigation |
DDoS Attacks | Whilst possible, smaller business are less likely targets - they are unlikely to make the headlines or have significant impact to the end users (low ransom potential).
They may be subject to DDoS if they form part of a wider supply chain of services to larger enterprises.
They may suffer from “noisy neighbour” issues in the cloud where another cloud customer is being attacked. | Using cloud services which can handle the scale of traffic rather than on-premise connections/servers.
Adopting DDoS mitigation services such as Cloudflare |
AI-Driven Deepfake Attacks | This is an emerging threat. While a deepfake could be used to impersonate a CEO and authorize a fraudulent wire transfer, it's still a relatively complex and costly attack. Most BEC scams today use simple email compromise, not deepfake audio/video. | Establish a Verification Protocol: For any high-stakes request involving money or sensitive data made via video or audio call, have a pre-established "code word" or a mandatory call back to a known number to verify the request's authenticity.
Training: Make employees aware that this type of attack exists and to be sceptical of unusual requests, even from a familiar face or voice. |
Supply Chain Attacks | A small business is unlikely to be the target of a sophisticated supply chain attack like SolarWinds. However, they can be an unwitting victim if their accounting software or a cloud service they use is compromised. | MFA on All Third-Party Services
Monitor for Strange Behavior |
Cloud Hosting Specific Threats
1. Excessive Permissions & Privilege Escalation
- Threat: Service accounts, user roles, or functions are given more permissions than they need. If compromised, an attacker can use these broad permissions to access other resources, delete data, or move laterally across your environment.
- Blast Radius: Catastrophic. A single compromised credential can lead to the compromise of the entire cloud tenant, all databases, storage accounts, and other applications.
- Mitigation:
- Principle of Least Privilege: Grant identities only the permissions they need to perform a specific task, and nothing more.
- Just-in-Time (JIT) Access: Instead of standing privileges, require users to request elevated access for a short, specific time window.
- Managed Identities: For applications, use cloud-native managed identities instead of storing static API keys or secrets, and assign minimal permissions to these identities.
2. Insecure Network Exposure & Lack of Segmentation
- Threat: Application components (like databases, caching services, or management interfaces) are exposed directly to the public internet without necessity, or all components are on a flat network where they can freely talk to each other.
- Blast Radius: Very High. A vulnerability in one exposed component (e.g., a web server) gives an attacker a direct path to attack more critical backend systems (e.g., the database) on the same network.
- Mitigation:
- Network Segmentation: Use cloud networking constructs (VPCs, Subnets, NSGs/ACLs) to create isolated network segments. For example, your web servers should be in a public subnet, while your databases should be in a private subnet with no public internet access.
- Zero Trust Network Principles: Instead of "trusting" anything inside the network, enforce access based on identity and context. Use application-level firewalls (WAF) and API gateways as controlled choke points.
3. Secrets & Credential Leakage
- Threat: API keys, database passwords, or other sensitive credentials are hard-coded in application code, checked into public source repositories (like GitHub), or stored insecurely in environment variables or config files.
- Blast Radius: High. A leaked secret gives attackers the keys to the kingdom for the service it protects, potentially allowing them to impersonate your application and access all its data.
- Mitigation:
- Use a Dedicated Secrets Management Service: Always use a service like AWS Secrets Manager or Azure Key Vault. These services securely store, rotate, and audit access to secrets.
- Never Hard-Code Secrets: The application code should retrieve secrets at runtime from the vault. Use IAM roles (e.g., attached to the VM or serverless function) to grant the application access to the vault.
4. Vulnerable Application Dependencies
- Threat: The custom application relies on third-party open-source libraries, frameworks, or containers that contain known security vulnerabilities (e.g., Log4j).
- Blast Radius: High. A single vulnerable library used across the application can provide a universal entry point for attackers, compromising the entire application layer.
- Mitigation:
- Software Composition Analysis (SCA) Tools: Integrate tools like Snyk, GitHub Dependabot, or OWASP Dependency-Check into your CI/CD pipeline to automatically scan for and flag vulnerable dependencies.
- Regular Patching & Version Management: Have a formal process for regularly updating and patching dependencies. Use container scanning for your Docker images.
5. Misconfigured Cloud Services
- Threat: A cloud storage bucket (e.g., AWS S3, Azure Blob Storage) is accidentally set to be publicly readable, a database is not behind a firewall, or logging is disabled.
- Blast Radius: Moderate to High. A single misconfiguration can lead directly to a massive data breach, as seen in numerous high-profile incidents.
- Mitigation:
- Infrastructure as Code (IaC): Define your cloud environment using code (Terraform, AWS CDK, ARM/Bicep). This makes configurations repeatable, reviewable, and testable.
- Cloud Security Posture Management (CSPM): Use tools like AWS Security Hub & Azure Defender to continuously monitor your environment for misconfigurations and compliance with security best practices.
6. Inadequate Logging and Monitoring
- Threat: You have no visibility into what is happening within your application or cloud environment. Suspicious activity, failed logins, or anomalous API calls go undetected.
- Blast Radius: Potentially unlimited. Without detection, an attacker can operate freely for months, turning a small breach into a massive incident ("dwell time").
- Mitigation:
- Centralized Logging: Send all application logs, audit trails, and cloud service logs to a centralized, secure service (e.g., Azure Log Analytics, AWS CloudWatch Logs).
- Use a SIEM solution: Use custom security monitoring products & services to detect breaches.
- Set Up Alerts: Create alerts for specific security events, such as access from unusual locations, too many failed authentication attempts, or changes to security groups.
Summary: "Minimize Blast Radius" Strategy
- Segment Everything: Design your cloud network like a secure building. The lobby (public web servers) is separate from the offices (application logic), which is separate from the vault (databases). Lock the doors between them (firewalls/NSGs).
- Apply Least Privilege Everywhere: Every user, every service account, and every function should have a narrowly defined job and only the permissions to do that job. This is the single most effective control.
- Assume Breach: Operate with a "Zero Trust" mindset. Don't assume something is safe because it's inside your network. Authenticate and authorize every request.
- Automate Security: Use IaC to prevent configuration drift and CSPM tools to catch mistakes. Integrate security scanning directly into your development pipeline (DevSecOps).
- Plan Your Response: Have an incident response plan that assumes a component will be compromised. Know how to isolate it (e.g., by revoking its IAM role, changing its NSG) to prevent the fire from spreading.