The FBI is worried about a wave of cyber crime against America's small businesses
- As more large businesses and corporations invest in cybersecurity tools, hackers are increasingly targeting small and medium-sized businesses, FBI Supervisory Special Agent Michael Sohn said at CNBC's Small Business Playbook event on Wednesday.
- In 2021, the FBI's Internet Crime Complaint Center received 847,376 complaints regarding cyberattacks and malicious cyber activity with nearly $7 billion in losses, the majority of which targeted small businesses.
- The losses from hacking incidents were up 64% year over year.
Small and medium-sized businesses face a big threat from cyberattacks and hackers, according to a special agent in the FBI's cyber division.
"The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture," FBI Supervisory Special Agent Michael Sohn said at CNBC's Small Business Playbook virtual event on Wednesday. "So what the cybercriminals are doing is they're pivoting, they're evolving and targeting the soft targets, which are the small and medium businesses."
In 2021, the FBI's Internet Crime Complaint Center (IC3) received 847,376 complaints from the American public regarding cyberattacks and malicious cyber activity, a 7% year-over-year increase. In total, potential losses from those attacks exceed $6.9 billion, a 64% increase compared to the previous year.
"Unfortunately, the majority of those victims were small businesses," Sohn told CNBC's Frank Holland.
But even as small businesses are increasingly being targeted by hackers and cyber criminals, CNBC and SurveyMonkey data has shown that most small business owners are not concerned.
Sixty-one percent of small business owners polled in the most recent quarterly survey said they were not concerned that their business will be the victim of a cyber attack in the next 12 months, up from 58% last year.
Only 4% of small business owners said that cybersecurity was the biggest risk facing their business, while 64% said they were confident that they could quickly resolve a cyber attack, according to the CNBC|SurveyMonkey Small Business Survey for Q4 2022.
Sohn said his key message for small and medium-sized business owners was to stay vigilant.
"A lot of the cyberattacks that we have witnessed from our investigations, almost all of them could have been prevented by doing very basic cyber hygiene," he said.
Here are some of the pointers from Sohn for small and medium-sized business owners to make sure their basic cybersecurity practices are up to date.
Start with the obvious cybersecurity steps
Sohn said that basic cyber hygiene should be like "wearing a seatbelt" for small business owners, and most of these efforts can be done "today and implemented with very minimal cost."
That includes basic password good practices like using multi-factor or two-party authentication, and not using the same password across multiple logins or accounts.
"That sounds very simple, and a lot of people will disregard that as, 'Why does it matter if I use the same password?'" Sohn said. "What we see across the board is if they use a password for your email and that is compromised, they might take that exact username and password and try to compromise your payroll and other financial institution accounts."
Sohn acknowledged that basic password management isn't a "silver bullet," but said it should be "one of many layers including using a good reputable password manager."
Rely on reputable services
Going beyond a password manager, Sohn said small business owners must ensure they're relying on a good technology-based backbone.
"The best thing to do is to use reputable services, reputable laptops, hardware, email, and other services that have been tested and that have been in the industry for a while," he said.
He also noted that small business owners should make sure that they are updating their devices and other technology with the latest patches to ensure that their systems are as protected as possible.
"These updates to your systems are actually patching holes and vulnerabilities in your corporate networks, or your business desktops, laptops, or tablets," Sohn said. "This is one of the critical steps that we ask our users to do, and then using a reputable anti-virus and a firewall system on your network."
Back up critical systems and data
As ransomware attacks grow and evolve – in 2021, the IC3 received 3,729 complaints identified as ransomware with adjusted losses of more than $49.2 million – Sohn said it's important to make sure that your data is encrypted and backed up offline "so you could access it even if the criminals steal it and take it away."
"We see this time and time again where a lot of businesses do not back up their critical system, your crown jewels, and that kind of leads to the businesses being forced to pay the ransom to the cybercriminals," he said.
The FBI does not encourage paying a ransom to criminal actors, according to the IC3's 2021 report, nor does it guarantee that the files or data will be recovered.
Don't trust email requests for money
If you receive an email from a colleague, client, or vendor about deals or asking for money where something doesn't feel right or you are suspicious, Sohn said that should be a reason for concern.
"That is something we see time and time again, where the cybercriminals are reading your emails," he said. "Something is not quite right, but because of the sense of urgency on the email they [the business owners] do it, not knowing that the wire was money to somewhere else or to a fraudulent bank account."
If there is anything that feels off, Sohn said that small business owners should always follow up with an in-person meeting, call, or video call "to make sure that the money is going where it's supposed to be."