Digital criminals went big with their account takeover (ATO) fraud attempts in 2020. According to GlobeNewswire, the rate of ATO fraudulent login attempts over total login sessions grew 282% between Q2 2019 and Q2 2020. Similarly, ATO fraud rates for eCommerce businesses that sell physical goods online increased 378% following the start of the pandemic.

Why ATO Is a Danger to SMBs

ATO fraud attempts pose a threat to small- to mid-sized businesses (SMBs). Part of the reason why this is the case is the fact that enterprise users commonly reuse their passwords. According to Help Net Security, a 2020 report found that 99% of enterprise users reused their passwords across work accounts or between their work and personal accounts. Those users shared their passwords across an average of 2.7 accounts, with an average of 7.5 passwords shared across services used for work and personal reasons.

The danger here is that malicious actors could exploit password reuse among enterprise users to conduct a password reuse attack. This type of malicious activity involves taking one compromised set of account credentials and attempting to authenticate with the same details across multiple web services. If they are successful in their efforts, nefarious individuals can potentially leverage a password reuse attack to compromise an organization’s data.

That’s especially the case if digital attackers authenticate themselves onto a privileged account with a reused password, as they can leverage the rights of those privileged accounts to potentially move laterally to sensitive assets and exfiltrate their information. Lateral movement isn’t uncommon with SMBs, either. In fact, Vectra found in 2020 that small companies observed 112 lateral movement behaviors per 10,000 hosts—nearly double the amount detected by larger companies (64). Such a finding doesn’t mean that it’s easier to move around within an SMB, just that it might be easier to do so compared to large firms.

This type of activity threatens the livelihood of SMBs. According to Forbes, 74% of IT decision makers revealed in a survey that privileged access credential abuse was responsible for a data breach at their organization. Such an incident could burden SMBs with data breach recovery costs, legal fines, etc. But the costs of such an incident could go even further; consumers themselves could decide to no longer do business with SMBs affected by an instance of ATO fraud. Indeed, more than a quarter (28%) of respondents said that they would completely stop using a service if one of their online accounts suffered a compromise, reported Globe Newswire. This perspective reflects the concerns of 52% of respondents that they’ll become a victim of ATO fraud at some point in the future.

How to Defend Against ATO Fraud

Small- to medium-sized enterprises need to manage their accounts to defend themselves against these types of threats. First, they need to realize that there are often more people than just employees who have a need to access company computer systems, including contractors, support personnel, and vendors. If compromised, each credential provided represents a potential unauthorized login. These credentials and access levels should be governed well, providing only the level of authorization needed to perform one’s job duties. This approach will ultimately help to minimize the risk of misuse of those privileges.

Next, they need to inventory these roles within the organization and their corresponding levels of access. That commonly involves establishing and documenting basic roles, access levels for those roles, and approvers for the associated access. This does not need to be complicated. It can start with more general guidelines and approval forms before maturing into more formal structures. However, baselines for access for certain roles should be pre-determined and documented so that deviations can be examined more closely before being granted (or denied).

Overall, SMBs should make sure that all accounts operate under the rule of least privilege. The Cybersecurity and Infrastructure Security Agency (CISA) explains that this fundamental security control requires organizations to not allocate access rights to subjects when those privileges aren’t necessary to those subjects’ ordinary job functions. In other words, SMBs give out access rights to employees and other personnel on a “need to have” basis. If certain individuals need to receive extra rights for a certain project, SMBs can allocate those privileges and then relinquish them once the work is complete.

SMBs then need to investigate further if strong administrator access controls are true for all devices at all levels (application, operating system, database, device), and that no exemptions have been applied to the established company policy. Within this step, organizations should implement multi-factor authentication (MFA) as a means to protect access to both employee and user accounts—even in the event that someone gains access to those account credentials. They can pair this with network segmentation, a discipline through which SMBs can separate a network into different zones and limit access privileges based upon those zones. With those segments, SMBs can also prevent an attacker from using a single instance of ATO fraud to move laterally across the entire corporate network.

The Need for Expert Guidance

All of the above is a lot for SMBs to do on their own. Many organizations just might not know where to start.

Fortunately, they don’t need to do it alone. They can instead work with a managed services provider like ITEGRITI, whose team members have the experience to specifically design and implement security controls, such as, the principle of least privilege, MFA, network segmentation, and others that accord with their level of risk. They can then use specific risk metrics to measure the effectiveness of those controls over time and make improvements as needed.

To get started, SMBs need to develop an understanding of their risks. They can learn about their current risk exposure by taking ITEGRITI’s Cybersecurity Risk Assessment. These risk assessment questions are based on the essential cybersecurity controls that help companies avoid hacks, and minimize business impact during cybersecurity events. They will receive a copy of the risk baseline report along with a cybersecurity maturity score based solely on this attestation along with control implications in areas where cybersecurity controls may need improvement.

More information about ITEGRITI’s Cybersecurity Risk Assessment is available here.