By Microsoft Threat Intelligence

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard's longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia.

In our last blog post about Star Blizzard, we discussed how the threat actor targeted dozens of civil society organizations—journalists, think tanks, and non-governmental organizations (NGOs)—between January 2023 and August 2024 by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. Since October 3, 2024, Microsoft and the US Department of Justice have seized or taken down more than 180 websites associated with that activity. While this coordinated action had a short-term impact on Star Blizzard's phishing operations, we noted at the time that once this threat actor's active infrastructure was exposed, they swiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient to operational disruptions.

We assess that the threat actor's shift to compromising WhatsApp accounts is likely a response to the exposure of their TTPs by Microsoft Threat Intelligence and other organizations, including national cybersecurity agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection.

As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our information on Star Blizzard's latest activity to raise awareness of this threat actor's shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. We also directly notify customers who have been targeted or compromised, providing them with the necessary information to help secure their environments.

Targeting WhatsApp account data

Star Blizzard's new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard: the threat actor initiates email contact with their targets to engage them before sending a second message containing a malicious link. The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard's practice of impersonating known political and diplomatic figures to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." This code, however, is intentionally broken and will not direct the user to any valid domain; this is an effort to coax the target recipient into responding.

Figure 1. Star Blizzard initial spear-phishing email with broken QR code

When the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened link as the alternative link to join the WhatsApp group.

Figure 2. Star Blizzard follow-on spear-phishing email with URL link

When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group. However, this QR code is actually the one WhatsApp uses to connect an account to a linked device and/or the WhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor gains access to the messages in the target's WhatsApp account and can exfiltrate this data using existing browser plugins that are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

Figure 3. Malicious Star Blizzard phish attempt using the WhatsApp linking QR code (screenshot of a legitimate WhatsApp webpage titled "To join the US-Ukraine NGOs Group", followed by instructions directing the user to scan the redacted QR code to link their device)

While this campaign was limited and appeared to have terminated at the end of November, it nonetheless marked a break in long-standing Star Blizzard TTPs and highlighted the threat actor's tenacity in continuing spear-phishing campaigns to gain access to sensitive information, even in the face of repeated degradations of their operations.

Microsoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically targets always remain vigilant when dealing with email, particularly emails containing links to external resources. These targets are most commonly related to:

  • Government or diplomacy (incumbent and former position holders)
  • Research into defense policy or international relations when related to Russia
  • Assistance to Ukraine related to the ongoing war with Russia

When in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them.

Mitigations

To harden networks against the Star Blizzard activity described above, defenders can implement the following:

  • Deploy Microsoft Defender for Endpoint on Android and iOS, which includes anti-phishing capabilities that also apply to QR code phishing attacks, blocking phishing sites from being accessed.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on PUA protection in block mode in Microsoft Defender Antivirus.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques.
  • Turn on Microsoft Defender Antivirus real-time protection.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Turn on Safe Links and Safe Attachments for Office 365.
  • Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Use the QR code payload in attack simulation training scenarios to mirror Star Blizzard's and other threat actors' QR code spear-phishing techniques.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Star Blizzard activity group

Hunting queries

Microsoft Defender XDR

Surface events that may have communicated with the Star Blizzard C2s

let domainList = dynamic(["civilstructgeo.org", "aerofluidthermo.org"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc
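The hunting query above normalizes eight different tables to a common (time, domain, source table) shape and unions them, which is the same pattern an analyst needs when matching published indicators against logs outside the Defender portal. The following is an added example, not Microsoft's code: it reimplements that cross-source matching in Python over constructed sample rows, using the column names from the query, refangs the two domains exactly as they appear in this post's indicators-of-compromise table, expands the JSON-array columns that the query handles with parse_json and mv-expand, and rejects a lookalike domain that a substring match would accept. The sample records and the t[.]ly path are constructed for the example.

```python
"""
Cross-source indicator matching in the spirit of the Defender XDR hunting
query above: every table is normalised to (time, domain, source table) and
matched against the Star Blizzard domains from the IoC table. Added example,
not Microsoft's code; all log records below are constructed sample data.
"""
import json
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# The two domains published in this post's indicators-of-compromise table,
# in the defanged "[.]" form they are printed in.
DEFANGED_INDICATORS = ["civilstructgeo[.]org", "aerofluidthermo[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (civilstructgeo[.]org) into a usable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


INDICATORS = [refang(i) for i in DEFANGED_INDICATORS]


def host_of(value: str) -> str:
    """Extract the host from a URL, or return the value itself if it is a bare domain."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/", 1)[0]


def domain_matches(observed: str, indicators: List[str]) -> Optional[str]:
    """Return the indicator that `observed` equals or is a subdomain of, else None.

    Deliberately stricter than KQL's has_any: a lookalike such as
    notcivilstructgeo.org does not match, because the suffix must start at a dot.
    """
    host = host_of(observed)
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


# Column layout mirroring the hunting query: (timestamp column, columns holding a
# domain or URL). "A.B" means column A is a JSON array of objects with key B,
# which the query handles with parse_json + mv-expand.
TABLE_FIELDS: Dict[str, Tuple[str, List[str]]] = {
    "DnsEvents": ("TimeGenerated", ["QueryType", "Name"]),
    "IdentityQueryEvents": ("Timestamp", ["QueryTarget"]),
    "DeviceNetworkEvents": ("Timestamp", ["RemoteUrl"]),
    "DeviceNetworkInfo": ("Timestamp", ["DnsAddresses", "ConnectedNetworks.Name"]),
    "VMConnection": ("TimeGenerated", ["RemoteDnsQuestions", "RemoteDnsCanonicalNames"]),
    "W3CIISLog": ("TimeGenerated", ["csHost", "csReferer"]),
    "EmailUrlInfo": ("Timestamp", ["UrlDomain"]),
    "UrlClickEvents": ("Timestamp", ["Url"]),
}


def expand_values(record: dict, field: str) -> Iterator[str]:
    """Yield each string held by `field`, expanding JSON-encoded arrays (mv-expand)."""
    column, _, key = field.partition(".")
    raw = record.get(column)
    if isinstance(raw, str) and raw.lstrip().startswith("["):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            pass  # not JSON after all; treat it as a plain string
    for item in raw if isinstance(raw, list) else [raw]:
        if key and isinstance(item, dict):
            item = item.get(key)
        if isinstance(item, str) and item:
            yield item


def first_match(record: dict, fields: List[str], indicators: List[str]) -> Optional[Tuple[str, str]]:
    """Return (observed value, matched indicator) for the first matching column."""
    for field in fields:
        for value in expand_values(record, field):
            ind = domain_matches(value, indicators)
            if ind:
                return value, ind
    return None


def hunt(records: List[Tuple[str, dict]], indicators: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, domain, source table, indicator) hits, newest first, like the query's order by."""
    hits = []
    for table, record in records:
        ts_field, fields = TABLE_FIELDS[table]
        match = first_match(record, fields, indicators)
        if match:
            hits.append((record[ts_field], match[0], table, match[1]))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


# Constructed sample rows (one per source), including a URL shortener and a
# lookalike domain that must not produce a hit.
SAMPLE_RECORDS = [
    ("DnsEvents", {"TimeGenerated": "2024-11-18T09:12:03Z", "QueryType": "A", "Name": "civilstructgeo.org"}),
    ("DeviceNetworkEvents", {"Timestamp": "2024-11-18T09:12:05Z", "RemoteUrl": "https://civilstructgeo.org/join"}),
    ("DeviceNetworkInfo", {"Timestamp": "2024-11-18T08:00:00Z", "DnsAddresses": '["10.0.0.53"]',
                           "ConnectedNetworks": '[{"Name": "corp.example"}]'}),
    ("EmailUrlInfo", {"Timestamp": "2024-11-19T14:30:00Z", "UrlDomain": "aerofluidthermo.org"}),
    ("UrlClickEvents", {"Timestamp": "2024-11-19T14:31:10Z", "Url": "https://t.ly/example"}),
    ("W3CIISLog", {"TimeGenerated": "2024-11-20T01:00:00Z", "csHost": "notcivilstructgeo.org", "csReferer": "-"}),
]

if __name__ == "__main__":
    for time, domain, table, ind in hunt(SAMPLE_RECORDS, INDICATORS):
        print(f"{time}  {table:20}  {domain}  (matched {ind})")
```

Two design choices differ from the KQL on purpose. The shortened t[.]ly link from the second phishing email produces no hit, because the indicator list holds only the final domains; a real deployment would need to resolve shortener redirects (or rely on UrlClickEvents, which records the post-redirect URL) before matching. And the parent-domain check is stricter than `has_any`, which trades a little recall for not paging an analyst on every registered lookalike.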

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with "TI map") to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

While the queries below are not linked to any specific threat actor, they are effective in detecting potential phishing attempts. Implementing these queries can help you stay vigilant and safeguard your organization from phishing attacks.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Indicators of compromise

Indicator               Type     Last seen
civilstructgeo[.]org    Domain   October 2024
aerofluidthermo[.]org   Domain   October 2024

Learn more

For further information on the threats detailed in this blog post, refer to these additional Microsoft blogs:

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

By Benjamin Lim, Director, Microsoft Security Events

Inspiration can spark instantly when you're at a conference. Perhaps you discover a new tool during a keynote that could save you hours of time. Or maybe a peer shares a story over coffee that makes you rethink an approach. One conversation, one session, or one event could give you fresh ideas, renewed excitement, and a vision for what to do next.

In the current AI landscape, inspiration and knowledge are more important than ever for security professionals to stay ahead of threat actors. So if you're looking to improve your skills and stay ahead of the threat landscape, join Microsoft Security at the top cybersecurity events in 2025.

Whether you join us at an industry staple like RSAC or one of our own events like Microsoft Secure, you can benefit in several key ways:

  • Get the insights and strategies needed to overcome obstacles and drive your security initiatives forward with confidence.
  • See live demos of the latest products, product features, skills, and tools you can use in your work. Be among the first to hear about Microsoft Security innovations, such as the Microsoft Secure Future Initiative and XSPA (cross-site port attack) updates that attendees of Microsoft Ignite 2024 heard.
  • Learn from Microsoft Security experts on global threat intelligence.
  • Network with other like-minded security professionals, learn best practices from your peers, and meet one-on-one with our experts.

Whatever your role, there's an event for you and a path to successfully safeguarding your organization.


Conferences to inspire and engage everyone


Security professionals of all levels can benefit from attending one of the biggest cybersecurity events, including RSAC and Black Hat, plus two premier Microsoft events—Microsoft Secure (digital) and Microsoft Ignite (in-person and digital). If you love being the first to hear about Microsoft product innovations, don't miss these Microsoft events with insights every security professional can put to good use.

Microsoft Secure

Date: April 9, 2025
Location: Online only

Microsoft Secure is Microsoft's cybersecurity conference. This year's one-hour digital showcase will highlight AI-first, end-to-end security innovations with clear use cases and customer stories of how they use our tools every day. Attendees will deep-dive into cybersecurity products and strategies alongside thousands of other cybersecurity professionals.

RSAC

Dates: April 27-May 1, 2025
Location: San Francisco, CA

RSAC 2025 is a can't-miss security conference, bringing together more than 40,000 security professionals to discuss the latest cybersecurity challenges and innovation with the best of the best. With the theme of "Many Voices. One Community," RSAC will feature keynotes, track sessions, interactive sessions, networking opportunities, and an expo designed to foster advanced security strategies.

Throughout RSAC, Microsoft Security will showcase end-to-end security innovations and share world-class threat and regulatory intelligence. From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI. Check out the full Microsoft at RSAC experience.


Black Hat

Dates: August 2-7, 2025
Location: Las Vegas, NV

The Black Hat Conference is a premier learning event in the cybersecurity industry, known for its in-depth technical sessions and cutting-edge research presentations on topics like critical infrastructure and information security research.

Microsoft is a key sponsor of the conference each year, where we showcase our latest discoveries and AI research on real-world problems and solutions. Last year, our AI Red Teaming in Practice training sessions and our AI Summit roundtables were a success. Black Hat is also known for its security community celebrations, including the Cybersecurity Woman of the Year Awards and the Researcher celebrations, which we take part in every year.


Microsoft Ignite

Dates: November 17-21, 2025
Location: San Francisco, CA, and online

Microsoft Ignite is Microsoft's biggest annual conference for developers, IT professionals, business leaders, security professionals, and partners. Thousands of security professionals like you attend every year to hear the biggest security product announcements from Microsoft Security and gain training and skilling to prepare for future developments in AI. Security professionals of all levels can join interactive labs, workshops, keynotes, technical breakout sessions, demos, and more, led by Microsoft Security leaders and experts.

Over the past few years, we have significantly expanded the Microsoft Security experiences at Microsoft Ignite. Last year, we hosted the Microsoft Ignite Security Forum for security leaders and two workshops on AI red teaming and Microsoft 365 Copilot deployment. Plus, we hosted more than 30 sessions demoing new features to help you secure your environment, use your favorite Microsoft tools safely and securely, and ensure your organizational processes put security first.

If you attend Microsoft Ignite in person this year, you won't want to miss our Security Leaders Dinner or the security community party. If you're not able to attend in person, you can register for our digital event. Sign up to learn more.


Events for security leaders and decision-makers


Microsoft AI Tour

Dates: Through May 30, 2025
Location: Multiple cities worldwide

The Microsoft AI Tour is a free, one-day event for executives that explores the ways AI can drive growth and create lasting value, held in multiple cities around the globe. Whether you're a functional decision-maker who evaluates investments, an IT team member charged with security, or a CISO revamping your security strategy, there will be valuable security content tailored to your needs.

Microsoft Security's top business leaders attend AI Tour locations worldwide to share with you how Microsoft Security Copilot enables you to protect at the speed and scale of AI. They are also available to meet with you.


Event location                 Event date
Dubai, United Arab Emirates    February 6, 2025
Singapore, Southeast Asia      February 19, 2025
Tokyo, Japan                   February 26-27, 2025
London, United Kingdom         March 5, 2025
Brussels, Belgium              March 25, 2025
Seoul, South Korea             March 26, 2025
Paris, France                  March 26, 2025
Madrid, Spain                  March 27, 2025
Tokyo, Japan                   March 27, 2025
Beijing, China                 April 23, 2025
Athens, Greece                 May 27-30, 2025

Gartner Security and Risk Management Summit

Dates: June 9-11, 2025
Location: National Harbor, MD

The Gartner Security and Risk Management Summit (Gartner SRM) explores trends in cybersecurity risk management, including the integration of generative AI, being an effective CISO, the importance of balancing response and recovery efforts with prevention, combating misinformation, and closing the cybersecurity skills gap to build a resilient workforce.

Microsoft Security executives host sessions at Gartner SRM to help you ensure the security of AI systems and adopt AI to drive innovation and efficiency. Our most popular topics focus on securing and governing AI.


Events for technical and security practitioners


Security teams look for conferences that provide specialized knowledge on the industry in which they work or on a narrow cybersecurity topic.

Legalweek

Dates: March 24-27, 2025
Location: New York, NY

Legalweek is a weeklong conference where roughly 6,000 members of the legal community will gather to network with their peers, explore emerging trends, spotlight the latest tech, and offer a roadmap through industry shifts. Topics explored at past Legalweek conferences include the ethical and regulatory impact of using your data to train AI, litigation in the age of cybersecurity, and maximizing efficiency and legal automation.

This year, we'll be sponsoring three sessions on AI and one on collaboration in complex litigation. As in years past, Microsoft is hosting an Executive Breakfast at Legalweek from 7:30 AM ET-8:45 AM ET on Tuesday, March 25, 2025. RSVP today and stop by Booth #3103 in New York Hilton Midtown Americas Hall 2 to learn more about the latest Microsoft Purview innovations. If you'd like to meet with our team while at Legalweek, sign up for a one-on-one meeting.


Identiverse

Dates: June 3-6, 2025
Location: Las Vegas, NV

Limiting access to AI, apps, and resources to those with the right permissions is a critical part of security. The Identiverse conference provides education, collaboration, and insight into the future of identity security. More than 2,500 attendees will share insights, develop new ideas, and advance the state of modern digital identity and security.

The event features sessions on best practices, industry trends, and the latest technologies; an exhibition hall showcasing the latest identity solution innovations; and networking opportunities. Microsoft will host a booth where attendees can connect with Microsoft Security experts and leaders.


Events for developers

The cybersecurity talent shortage is requiring many to step up even when cybersecurity isn't in their official job description. If you are an IT professional being tasked with cybersecurity, or someone with an eagerness to learn cybersecurity tactics, join our Microsoft events aimed at helping you uplevel your cybersecurity skills.

Microsoft Build

Dates: May 19-22, 2025
Location: Seattle, WA

Security is a team sport, and developers are increasingly the first-string team members who build security into the development of applications. Microsoft Build Conference 2025 is Microsoft's developer-focused event. It will showcase exciting updates and innovations from Microsoft Security for developers to create AI-enabled security solutions for their organizations.

The event includes connection opportunities, demos, and security-focused sessions. Past topics have included using AI to accelerate development processes, tools for improving the developer experience, and strategies for building in the cloud. Stay up to date on Microsoft Build news and find out when registration is open.


Find your inspiration at an event this year

Cybersecurity events foster a culture of continuous learning and adaptation, empowering you to stay ahead of emerging cyberthreats and maintain a resilient security posture. The ideas will flow freely at these events. Whether you attend one of the biggest conferences of the year or a smaller event (or both), you'll be in good company. Microsoft Security will be there, too, excited to share and eager to learn.

Hope to see you at a future event!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

By Scott Woodgate, General Manager, Threat Protection

As October draws to a close, marking 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes; however, small and medium businesses (SMBs) face distinct challenges when it comes to cybersecurity. Although SMBs face heightened cybersecurity threats, unlike large enterprises they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Both the risks that SMBs face and their current level of security readiness are not widely understood.

To help us better understand SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, along with initial actions SMBs can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.


1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to create a strong cybersecurity foundation.

  • Use strong passwords and consider a password manager.
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to recover financially. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer-term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It is difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities.

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.


3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in the successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can reduce the chance of restricted information being referenced in AI prompts. Data governance, the process of managing, understanding, and securing data, can help establish a framework for organizing data effectively.


4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and the increased sophistication of cyberattacks now pose significant risks for SMBs, and this is largely recognized across the SMB space. Managing work data on personal devices, ransomware, phishing, and more are cited as top challenges that SMBs are facing.

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics such as Cybersecurity 101, Phishing, and more are provided through Microsoft's Cybersecurity Awareness site.


5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is a common way to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support include researching and identifying the right security solution for a business based on its specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMB's behalf. This model allows SMBs more time to focus on core business objectives while MSPs keep the business protected.


6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

By prioritizing investments in the areas above, SMBs can improve their security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaking outside of the business, Endpoint Detection and Response (EDR) helps protect devices and defend against threats, and Identity and Access Management (IAM) helps ensure only the right people get access to the right information.


7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices, including installing software updates immediately, ensuring mobile applications are downloaded only from legitimate app stores, and refraining from sharing credentials over email or text, doing so only over the phone in real time.
