
Today’s cyberattacks are more convenience store stickup than elaborate Ocean’s Eleven-style heist, according to Mike Crandall, CEO of Digital Beachhead, a Colorado-based cyber risk management firm.
“Small to mid-size companies often don’t have the same level of online security as large firms, leaving them as prime targets for cyberattacks,” Crandall said. “The attacks are simple and happen frequently — and typically aren’t reported in the news. Most business owners don’t understand this reality.”
That naivety leads to a dangerous it-won’t-happen-to-me attitude among many business leaders, who think their company isn’t important or big enough to attract the attention of cybercriminals. Companies should avoid that trap and remain vigilant to protect their valuable information from online attacks.
1. Ask the Experts. Many business leaders assume that their IT department or managed service provider is responsible for protecting online assets. However, their main role is to provide internet and email services and ensure the platforms run smoothly.
“Although they might have cybersecurity knowledge, they’re often provided as a separate billable service,” Crandall said. “It can be beneficial to bring in a dedicated cybersecurity expert who will give you straightforward advice on what you need to maintain online security.”
2. Avoid Phishing Attacks. Crandall has seen a significant rise in corporate email compromise. He said cybercriminals typically try to access email accounts with a phishing email that looks legitimate and prompts staff members to take immediate action by clicking on a link and submitting their company username and password.
Once the attackers access email accounts, they watch the exchange of messages until they identify someone involved with finance or purchasing. The attackers monitor discussions about an invoice payment and, just before it’s sent, they modify the payment remit details in a fabricated email message so that the money is sent to their account.
“This creates a frustrating situation where both parties believe they have acted correctly, but the payment has gone to the attackers,” Crandall said.
Recently, attackers have been using a new tactic in which they create a domain that looks very similar to a legitimate business to send emails from a fraudulent address.
For example, the domain for Crandall’s company is digitalbeachhead.com. Would you look twice if an email from “digitalbeachead.com” popped into your inbox?
“The message looks legitimate, so you don’t notice the subtle difference,” Crandall said. “You might follow the instructions in the message and unwittingly share sensitive information.”
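The look-alike domain in the example above is the kind of thing a mail gateway or help desk can screen for automatically. The following Python check is an added example, not code from the article or from Digital Beachhead: it flags a sender domain that differs from a trusted domain by a dropped, swapped or substituted character, by a look-alike character such as "1" for "l", or by reusing the trusted name as a label inside a longer domain. The trusted-domain list and the sample senders are constructed for the demonstration.

```python
"""Flag inbound sender domains that closely resemble a trusted domain.

Added example for illustration; the trusted list and sample senders
below are constructed, not taken from any real mail flow.
"""
from __future__ import annotations

# Constructed trusted list: domains the organisation really deals with.
TRUSTED_DOMAINS = ["digitalbeachhead.com"]

# Character sequences commonly swapped for look-alikes; folded to a
# canonical form before comparison so "rn" vs "m" or "0" vs "o" cannot
# hide a match.
_HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold look-alike sequences."""
    d = domain.strip().lower().rstrip(".")
    for src, dst in _HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "beahchead" for "beachhead"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(sender_domain: str, trusted: list[str] = TRUSTED_DOMAINS,
             max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    raw = sender_domain.strip().lower().rstrip(".")
    if raw in (t.lower() for t in trusted):
        return "trusted"
    s = normalize(sender_domain)
    for t in trusted:
        tn = normalize(t)
        # identical after folding: characters were replaced with look-alikes
        if s == tn:
            return "lookalike"
        # one or two typos away: dropped, doubled, swapped or wrong character
        if edit_distance(s, tn) <= max_distance:
            return "lookalike"
        # trusted name reused inside a longer domain (extra label or suffix);
        # only applied to names long enough not to match by accident
        label = tn.split(".")[0]
        if len(label) >= 6 and label in s:
            return "lookalike"
    return "unrelated"


def screen(messages: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (subject, sender domain, verdict) for every non-trusted sender."""
    results = []
    for subject, sender in messages:
        domain = sender.rsplit("@", 1)[-1]
        verdict = classify(domain)
        if verdict != "trusted":
            results.append((subject, domain, verdict))
    return results


if __name__ == "__main__":
    # Constructed sample inbox for the demonstration.
    sample = [
        ("Invoice 4471", "accounts@digitalbeachhead.com"),
        ("Invoice 4471 - updated remit details", "accounts@digitalbeachead.com"),
        ("Quarterly report", "ceo@digita1beachhead.com"),
        ("Newsletter", "news@example.org"),
    ]
    for row in screen(sample):
        print(row)
```

A match only says the domain deserves a second look; the usual follow-up is to confirm changed payment details with the counterparty through a phone number already on file, not through the message itself. Short trusted names produce more accidental matches at distance two, so the distance threshold is worth lowering for them.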
Cybercriminals often start by compromising one person’s account, sometimes through enticing incentives like offers for free coffee. Once the criminals access the account, they send phishing emails from it.
“This tactic is particularly effective because the emails appear authentic and come from a known contact, making it more likely that employees will follow the instructions and inadvertently provide login details to the attackers,” Crandall said.
Two-factor authentication is one way to reduce the risk of fraudulent access to email accounts but isn’t always effective. Cybercriminals are creating emails that prompt users to log into what looks like a legitimate Microsoft landing page.
However, the attackers control this page. When users enter their login information, the cybercriminals capture it and use it at the real Microsoft site to collect the account’s access token that verifies the user passed two-factor authentication.
This token allows cybercriminals to access the user’s email account because Microsoft recognizes it as a valid login. Access tokens remain valid for up to 30 days. During this time, they could send phishing emails to the user’s contacts and monitor the account’s communications without needing to log in.
“This method allows them to continually exploit your account and deceive others without raising immediate suspicion because the activity comes from a legitimate source,” Crandall said.
3. Employee Education. Staff members are the first line of defense against cyberattacks. Concise and engaging monthly training sessions are more effective than annual “death by PowerPoint” cybersecurity education, which can be overwhelming.
Numerous online resources are available to provide company-wide cybersecurity training. Companies simply input employees’ email addresses into the web-based portal, which auto-generates the online training modules and materials.
Phishing tests are another effective way to hammer home the importance of cybersecurity. Employees who click on links in phishing emails get prompted to undergo a quick training reminder, which reinforces what they should already know. Employees will begin to discuss their experiences and share phishing avoidance tips.
“This approach is more effective than simply instructing employees with a list of dos and don’ts. It creates a proactive learning environment and a strong cybersecurity culture,” Crandall said. “Over time, employees will start to recognize and avoid phishing traps. This builds a more vigilant and informed workforce.”
4. Network Protection. Securing network access is essential for smaller companies, especially as more employees work remotely. Fortunately, Crandall said, many affordable options are available.
“It’s important to set up a cloud-based zero trust firewall login for all remote employees,” he said. “The platforms ensure that employees are not on their home networks. They’re connected to a separate, secure network whenever they access the company’s applications or data.”
This approach creates a controlled environment for remote business activities without significant cost, according to Crandall.
He also suggests adding endpoint management to each employee’s computer. The tools monitor for malware and computer usage and send alerts if, for example, a login is attempted during the overnight hours when employees are typically offline.
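Two of the behaviours described above leave traces in ordinary sign-in and activity logs: a session token captured through a fake login page being used from somewhere other than where the user signed in, and a login during hours when staff are normally offline. The following Python script is an added example, not from the article or from any endpoint-management product: it runs both rules over a constructed log in a made-up `key=value` format and returns the alerts. The field names, session identifiers, IP addresses and timestamps are all constructed.

```python
"""Two simple sign-in anomaly rules run over constructed log lines.

Added example; the log format, users, session ids and addresses are
invented for the demonstration and do not correspond to any product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed log format: timestamp, user, event, session id, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"session=(?P<session>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (2024-03-04 is a Monday, 2024-03-02 a Saturday).
SAMPLE_LOG = [
    "2024-03-04T09:15:02 user=alice event=login session=s1 src=10.0.0.21",
    "2024-03-04T09:40:10 user=alice event=mail.read session=s1 src=10.0.0.21",
    "2024-03-04T02:47:19 user=bob event=login session=s2 src=10.0.0.34",
    "2024-03-04T11:02:55 user=carol event=login session=s3 src=10.0.0.40",
    "2024-03-04T11:30:07 user=carol event=mail.read session=s3 src=198.51.100.7",
    "2024-03-02T14:05:33 user=dave event=login session=s4 src=10.0.0.50",
]


@dataclass(frozen=True)
class Alert:
    user: str
    timestamp: str
    rule: str
    detail: str


def parse(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines: list[str], start_hour: int = 7, end_hour: int = 19) -> list[Alert]:
    """Apply the off-hours-login and session-IP-change rules in log order."""
    alerts: list[Alert] = []
    session_origin: dict[str, str] = {}  # session id -> IP it was issued to

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        when, src = rec["when"], rec["src"]

        if rec["event"] == "login":
            session_origin[rec["session"]] = src
            # Rule 1: successful login on a weekend or outside business hours.
            if when.weekday() >= 5 or not (start_hour <= when.hour < end_hour):
                alerts.append(Alert(rec["user"], rec["ts"], "off-hours-login",
                                    f"login at {when:%A %H:%M} from {src}"))
        else:
            # Rule 2: a session is used from an IP other than the one that
            # authenticated it, which is what a replayed stolen token looks like.
            origin = session_origin.get(rec["session"])
            if origin is not None and origin != src:
                alerts.append(Alert(rec["user"], rec["ts"], "session-ip-change",
                                    f"session {rec['session']} issued to {origin}, "
                                    f"now used from {src}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.user:<6} {alert.rule:<18} {alert.detail}")
```

Both rules are deliberately coarse. Rule 2 will fire on legitimate users who move between Wi-Fi and mobile networks, so in practice it is paired with a second signal (new country, new device, or a sensitive action such as creating a mail-forwarding rule) before anyone is paged. Rule 1 needs the business-hours window adjusted per time zone and per team.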
5. Password Management. Phrases — or the first letters of the words in a phrase — are more effective passwords than the name of your favorite pet. Crandall often jokes that people who’ve had their passwords stolen need to get a new dog.
The stress people feel about password security is no laughing matter, however, especially with the number of unique passwords that are needed to navigate today’s digital world.
“That’s why working with a good password management system is crucial,” Crandall said. “These cloud-based, encrypted systems handle and monitor your passwords, allowing you to have unique passwords for each site without committing each one to memory. You need to remember only one master password to log into your password manager, which provides access to each site saved in the system.”
Dan Cook is a Senior Editor at ORTHOWORLD. He develops content focused on important industry trends, top thought leaders and innovative technologies.