Canadian Underwriter

The biggest cyber threats for your small business client

January 26, 2022   by Jason Contant

Cybersecurity concept

Print this page Share

Your small business clients have a significant susceptibility to spoofing and clickjacking cyberattacks, a new survey finds.

Software-as-a-service (SaaS) cybersecurity company CyberCatch randomly sampled 1,850 small- and medium-sized businesses (SMBs) in Canada across 10 industry segments. Spoofing (84.3% of SMBs vulnerable), clickjacking (73.3%) and sniffing (26.8%) were the Top 3 vulnerabilities for SMBs in their website, software or web applications, CyberCatch found.

Spoofing is caused from weaknesses that allow a website to accept invalid data, so an attacker could send scripts to fool the web server to produce usernames, passwords or even the entire customer database, CyberCatch explains in its inaugural Small and Medium-Sized Businesses Vulnerabilities Report (SMBVR), released Jan. 19. Or an attacker could spoof the content on the website and redirect traffic to an attacked-controller site and steal user credentials or install malware or ransomware.

Clickjacking allows attackers to insert stylesheets, iframes, text boxes or layers and “hijack” a webpage or portions of a webpage to trick users and steal user credentials or account secrets for easy intrusion to install malware or ransomware.

Sniffing is caused from weaknesses that do not force encryption and instead allow transmission of sensitive or security-critical data in cleartext that an attacker can easily discover and steal with simple “network sniffing.” This allows attackers to “make intrusion or move laterally once inside with ease to eventually exfiltrate data or infect ransomware.”

SMBVR looked at 10 SMB segments across 1,850 companies in Canada and 20,000 in the U.S.: dental practices, medical practices, colleges and universities, accounting firms, law firms, MSPs and ISPs (managed service providers and internet service providers), technology companies, shipping and transportation, manufacturers and defence contractors.

In Canada in particular, the random sample found spoofing vulnerabilities were detected the most in manufacturers (90.5%), accountants (90%) and colleges and universities (89%), but largely in the other SMB segments except defence contractors (20.5%). Clickjacking vulnerabilities were found mostly in manufacturers (82.5%), law firms (81%) and accountants (78.5%), while sniffing was found mostly in law firms (40%), manufacturers and colleges and universities (33% each).

To mitigate the cyber risk, CyberCatch recommends SMBs scan their websites, software and web applications facing the internet to ensure no vulnerabilities such as spoofing, clickjacking and sniffing.

“If vulnerabilities are detected, steps should be taken to fix the weakness promptly, otherwise the mistakes will be exploited by attackers to steal data or inflict ransomware,” the report said, adding that a cybersecurity control to regularly scan all IT assets to detect vulnerabilities caused by Common Weakness Enumeration (CWE) should be implemented, along with a policy to fix the weaknesses within a reasonable time. CWE is a formal list of common software and hardware weaknesses that can occur in the architecture, design, code or implementation of software or hardware than can be exploited by an attacker to gain access to a system or network.

Former Canadian and American law enforcement and cybersecurity experts launched CyberCatch Jan. 19 to better protect North American SMBs from cyber threats. CyberCatch’s advisory board includes Gov. Tom Ridge, the first U.S. Secretary of Homeland Security and former RCMP assistant commissioner Kevin Hackett. The executive management team includes former Allstate chief information security officer (CISO) Andy Kim, serving as vice president and CSIO.


Feature image by