SMEs under threat: Cybercriminals target the weakest links
SMALL businesses are increasingly in the crosshairs of cybercriminals, not because of what they lack, but because of what they’re connected to.
According to cybersecurity expert and CEO of 876 Technology Solutions Trevor Forrest, the growing trend of hackers targeting Jamaica’s small and medium-sized enterprises (SMEs) stems from a common but dangerous mindset that being small means being safe. That belief, he warns, is not only misguided but also costly.
“The increasing value of data has nothing to do with the size of a business,” Forrest explained during a recent SME Conference hosted by the National Commercial Bank (NCB).
Small businesses often have big clients, and threat actors know that the investment in security has already been made by those larger clients. Rather than attacking heavily protected enterprises directly, hackers look for smaller firms as a gateway to reach bigger targets.
“It’s just like a thief walking your road,” he said, putting it in simpler terms. “If he sees a gate, fence, grille, alarm system, and camera, but next door he sees a house with just a gate and a fence, where do you think he will go?”
With all the other expenses of starting a business, and for some, transitioning into the formal sector, many may view cybersecurity systems as an added expense and a high investment. But Forrest says this perception changes once business owners understand the cost of doing nothing. He stresses the importance of assessing what will happen when a breach occurs because, as he puts it, “it’s not a matter of if, but when”. According to Forrest, many business owners don’t fully grasp what they stand to lose until it’s too late.
When it comes to vulnerabilities, he points to one above all: the business itself. Poor staff awareness, he says, remains one of the greatest risks facing Jamaica’s SMEs, with most cyberattacks starting internally, often through an employee who unknowingly opens the door.
“Nine times out of 10, when we’re called in after a breach occurred, someone did something they weren’t supposed to and didn’t know that they weren’t supposed to do that,” he said.
Educating staff on the risks, and on the routine things they do that compromise the security of the business, is crucial. As businesses go more digital in a bid to grow, Forrest says this comes with baggage, and cybersecurity is a huge part of protecting digital assets.
While banks are widely believed to be the main targets of cybercrime, experts say manufacturing, distribution, and small retail businesses are often the unsuspecting victims.
Email compromise was another major risk cited for small and medium-sized businesses. Email is the primary communication tool in business, and even if an account becomes compromised, a basic call-back system can prevent losses.
“If you get an email saying your supplier details have changed, you call back the supplier, not from the contact information that you have in the email but from the information that you know that you obtained from an independent source,” said Dane Nicholson, head of fraud prevention at National Commercial Bank Jamaica Limited (NCB).
Across Latin America and the Caribbean, Nicholson says business email compromise is one of the biggest issues, with emails being compromised and money sent to the wrong person. He advises business owners to pay close attention to the domain names of the entities they communicate with, as cybercriminals often manipulate email addresses to deceive recipients.
Flipping the script, Forrest added that entrepreneurs should never link their business email address with anything else, warning that the possibilities with that email address are endless for perpetrating fraudulent business transactions. No one is immune without proper security measures in place, and he notes that the convenience businesses enjoy by linking emails to everything often compromises security.
“Never tie your Hotmail, Gmail, or Yahoo to what you would consider sensitive transactions,” Forrest advised.
All transactions, he says, should use separate emails. Businesses should also have their own domain addresses, which go a long way in legitimising communication. He encourages businesses to move away from using Gmail for business correspondence and to invest in a proper domain-based email system.
Dane Nicholson, head of fraud prevention at NCB Jamaica, highlights the growing risk of business email compromise, and is urging SMEs to adopt stronger verification protocols. (Naphtali Junior)