Former law enforcement and cybersecurity experts have launched CyberCatch, a cybersecurity company for small and medium-sized businesses with fewer than 500 employees. The firm also published its inaugural Small and Medium-Sized Business Vulnerabilities Report (SMBVR), which shows that more than 30 per cent of U.S. small and medium-sized businesses (SMBs) have vulnerabilities that attackers can exploit. In Canada, that number jumps to 80 per cent of the SMB websites and applications tested by the firm’s CyberXRay tool.

“The SMBVR is the first research study to focus on SMBs in North America to detect vulnerabilities that a cyber attacker can identify and exploit to break in, steal data or infect ransomware,” the firm’s researchers write. “The SMBVR reveals how vulnerable SMBs are to cyberattacks today. This is the reason why CyberCatch was founded,” adds Sai Huda, founder and chairman of the new firm. Its team includes law enforcement and cybersecurity experts from the insurance industry, the U.S. Department of Defense, the U.S. Navy and the Royal Canadian Mounted Police (RCMP).

In the SMBVR, the firm says a scan of 21,850 randomly selected SMB websites in the U.S. and Canada (1,850 were scanned in Canada) found that susceptibility to spoofing, clickjacking and sniffing were the top three vulnerabilities. “The level of these three vulnerabilities were significantly higher in Canada,” the firm’s researchers write.

Spoofing occurs when a website, software or web application does not sufficiently verify the origin or authenticity of data and accepts invalid data, allowing attackers to force servers into producing information. Legitimate traffic can also be redirected to the attacker’s website for credential compromise and data farming for future attacks. Clickjacking, meanwhile, happens when the technology allows an attacker to use multiple transparent or opaque layers to trick users into clicking links they never intended. Keystrokes can also be hijacked, they add. Sniffing occurs when the technology does not force encryption and instead allows sensitive or critical data to be transmitted unencrypted.
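A site owner can check for the clickjacking and sniffing weaknesses described above by inspecting the site's own HTTP responses. The following is an added example, not code from the SMBVR or the CyberXRay tool; the header-based checks, the `audit` and `frame_protected` helpers and the `shop.example` sample responses are assumptions made for illustration.

```python
import re

def frame_protected(h):
    """True if the response restricts who may frame it (anti-clickjacking)."""
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().lower().split()
        if parts[:1] == ["frame-ancestors"]:
            # A wildcard source list still lets any origin frame the page.
            return len(parts) > 1 and "*" not in parts[1:]
    return False

def audit(url, headers, cookies=()):
    """Return sorted findings for one HTTP response.
    headers: dict of response headers; cookies: raw Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not frame_protected(h):
        findings.append("clickjacking: response may be framed by any origin")
    if not url.lower().startswith("https://"):
        findings.append("sniffing: content served over unencrypted HTTP")
    else:
        hsts = h.get("strict-transport-security", "")
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:  # max-age=0 switches HSTS off
            findings.append("sniffing: HTTPS is not enforced with HSTS")
    for raw in cookies:
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        if "secure" not in attrs:
            name = raw.split("=", 1)[0].strip()
            findings.append(f"sniffing: cookie '{name}' set without Secure")
    return sorted(findings)

# Constructed sample responses (not real scan data).
WEAK = ("http://shop.example/login", {"Server": "demo"},
        ["session=abc123; Path=/; HttpOnly"])
HARDENED = ("https://shop.example/login",
            {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
            ["session=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(*sample) or "no findings")
```

Spoofing as defined above depends on how the application validates the origin of data, so it is not covered by this header check.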

“SMBs across the U.S. and Canada should scan their websites, software and web applications facing the internet to make sure there are no vulnerabilities,” the report concludes. “A cybersecurity control to regularly scan all IT assets to detect vulnerabilities should be implemented and a policy to fix the weaknesses within a reasonable time should (also) be implemented.”