The Small Business Cyber Threat Checklist

Written by Chuck Rutenberg

January 4, 2021

There is one significant drawback to our internet-centric culture: Your business faces more threats than ever before.

Threats are malicious actions that act on your company’s vulnerabilities with a determinable likelihood and negative consequences. To understand these threats, we must discuss the different attack vectors that attackers can exploit, and the consequences of failing to address them.

When a system has a malware infection, several outcomes generally occur:

  • The stealing of business data;
  • The system must be brought down to identify and correct the threat.

These are serious concerns for any organization but are particularly dangerous for medical practices. Following HIPAA privacy laws, medical offices are liable when patient information is lost or stolen; this can mean steep fines, loss of business partnerships, and damage to the clinic’s reputation.

And system downtime is just as serious. Should a healthcare clinic’s system go down, it disrupts schedules, planned appointments, and each patient’s ability to get the care he/she needs. If a system gets brought down by a cyberthreat shortly before a patient’s appointment, it can delay their treatment until the clinicians can safely reaccess the patient’s records. Naturally, this seriously damages the relationship the clinic has built with its clients.

And that’s only the beginning of the damage that can occur. Just think of how damaging system downtime can be when it occurs near periods of peak insurance filing, such as the end of the year. Patients often rush to schedule appointments with practitioners before their insurance “resets” at the turn of the year. If a clinic’s system goes dark during these critical windows of opportunity, patients will be understandably frustrated—and will likely turn to another provider who can keep its promises!

In short, patient trust is hard to gain yet easy to lose. And once it’s lost, it’s nearly impossible to get back. To protect your business, you need to be aware of each type of cyber threat that could potentially affect your company.

Use this checklist as an overview of the most common types of threats. Knowing the possibilities will help you take steps to protect your business from them:

Outdated software and equipment 

According to the Wall Street Journal, “Several companies have suffered more than $100 million in lost revenue over the past year due to a common and frequently overlooked cybersecurity issue: outdated software.” This May 2018 article highlights how companies struggle to stay on top of the security patches that are crucial to protecting them from such revenue loss. Outdated equipment (computers, phone technology, servers, routers, etc.) increases vulnerability in the same way as outdated software.

Malware

Malware is any malicious software designed to corrupt, disable, or infect a computer system. Malware has increased substantially over the years, with AV Test registering nearly 800 million different malware applications as of 2018. Depending on the threat’s severity, malware infection can range from a minor inconvenience to complete system shutdown.

Spam

Spam is unsolicited and un-personalized email communications. While spam itself isn’t dangerous, it can be a tool to deliver malicious code to many users. Employee mailboxes filled with spam increase your exposure to this type of attack.

Spoofing

Spoofing attacks occur when users falsify data to present themselves as someone else. The goal of spoofing is to get a user to take action (such as opening a malicious email or link) that quietly downloads malware into their system. In 2016, the German manufacturer Leoni AG lost $44.6 million to thieves who had spoofed professional credentials.

Phishing

Similar to spoofing, phishing occurs when users misrepresent themselves to access secure systems. The difference is that with phishing, the goal isn’t to infect systems with malware but to trick users into providing sensitive data on their own. Spear phishing is a variant of this, where fraudsters customize attacks to specific users based on data they gain elsewhere. This attack is common for businesses—as many as 76 percent of businesses reported phishing attacks in 2016. 

Snooping

Snooping is the eavesdropping of cybersecurity. This occurs when unauthorized users gain access to protected information by viewing an open email on a coworker’s computer or stealing a login to view their emails. It can also include more sophisticated processes, such as malware that remotely tracks user activity.

Social Engineering

Social engineering involves manipulating users into giving up personal data. A common example would be a fraudster attempting to break into someone’s account, learning which security question they’re using for password recovery, then going on social media to mine that data.

Ransomware

Ransomware is a nasty form of malware that infects a system, locks out the user, and demands that the victim make a payment to an outside account in exchange for release. The highly publicized WannaCry and NotPetya attacks of 2017 are two examples, affecting hundreds of thousands of systems across the world. This type of attack has grown in popularity over the past few years, with Kaspersky estimating that one out of every five businesses was affected in 2016.

Ransomware is particularly dangerous for medical practices, as a full-scale ransomware attack can render an entire clinic’s system inoperable from a single breach. Until the threat can be handled, the clinic has no way to look up records, call patients to reschedule appointments, or access critical health information that may be requested by other offices.

Identity Theft

Identity theft is more common than ever, thanks to the wealth of personal data we put online. These attacks occur when fraudsters locate personal details and then open new accounts in the victim’s name—usually in the form of a credit card or loan. In the worst-case scenario, these fraudsters can empty a user’s bank account and abscond with the funds before the victim is aware of the issue. According to one report, as many as 16.7 million people were victims of identity fraud in 2017.

Compromised Web Pages

Legitimate web pages can be turned into attack vectors without their owners even realizing they’ve been affected. This is most often done through malicious code inserted into banner ads. When a user loads the webpage, the code copies itself into the viewer’s system and gains access to its data.

Email Interception

Email traffic isn’t always as secure as it seems. With a bit of technical know-how, fraudsters can set up email interception tools that let them view “private” emails being sent on someone else’s server. This is a serious threat to medical offices that coordinate patient details and information among third-party clinics and insurance providers.

Data Theft

Rather than stealing devices directly, some thieves opt to steal data. This can be done by accessing an unsecured laptop, using a thumb drive to copy files, and then leaving the scene without a trace. However, data theft is more commonly done remotely through malware or tracking tools that let thieves steal records with little personal risk. Data theft is a common type of attack, with some reports estimating that as many as 82 data records are lost or stolen every second.

Keystroke Logging

Software exists that can record keystrokes and transfer the data to a central collection point. This gives hackers easy access to login credentials, passwords, and any data entered through the computer’s input device. By the time users realize what has happened, the damage is done. This type of attack made news in 2005 when a small businessman had over $90,000 stolen from his online bank account due to a keystroke-logging trojan stealing his information.

Malicious Actions

Malicious users can attack businesses in ways that are hard to prevent. These may include employees stealing data for competitors, changing passwords, or abusing their privileges to take revenge on a company. The attacks are difficult to prevent, but your company should engage every possible safeguard to prevent them.

Human Error

Attacks aren’t always intentional. Users can leave their businesses vulnerable by accident and create weaknesses for others to exploit. In most cases, humans are the weakest link of any security chain. Consider research showing that up to 56 percent of email recipients will click links from unknown senders—even while claiming to understand the risks of a virus infection!

Natural Disasters 

Natural disasters such as tornadoes, fires, or floods can damage your company’s devices, servers, and infrastructure. In 2017, the U.S. saw an estimated $649 million in property damage from tornadoes alone.

Disasters are common causes of downtime, as large-scale catastrophes can completely destroy a company’s IT infrastructure. And as our world becomes more connected, the risks increase: a medical clinic in New York, for example, may be receiving computing services from servers in Florida. Should a hurricane strike these servers, the New York clinic may go dark.

Protecting Your Enterprise

There are threats on all sides. How can you protect your organization?

We recommend starting with a thorough assessment of your business’s cybersecurity policies, procedures, and infrastructure. This is an important part of taking a proactive approach to data security, but it’s also crucial for developing disaster recovery strategies should breaches occur. Let us give you a hand with a free IT assessment. The threats are there—are you prepared to face them?
