The news often reports on incidents involving large corporations facing massive data breaches where the personal information of millions of consumers was potentially leaked. However, we don’t often hear reports about the hacking of small businesses, mainly because these attacks aren’t high profile and small-business incidents aren't sensationalised the way big-business ones are.
Many owners and directors of small businesses don’t realize that they are just as at risk of cyber-attacks as larger companies. According to a report by the Australian Cyber Security Centre, the majority of breach victims in 2018 were small businesses. Here’s an overview of everything you need to know to protect your business.
Why do hackers target small businesses?
While breaches at big corporations, such as Sony, Facebook and Aadhaar (Ministry of Electronics and Information Technology, India) make the headlines, small businesses are still very much targets for hackers. Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers’ cyber-security sweet spot: They have more digital assets to target than an individual consumer has but less security than a larger enterprise.
The other reason small businesses are appealing targets is that hackers know these companies are less careful about security. According to collected insurance data, small businesses often underestimate their risk level, with 82 percent of small business owners saying they’re not targets for attacks because they don’t have anything worth stealing.
However, there are several reasons why small businesses are a prime target for cyberattackers. Ultimately, it’s because they’re easy to attack due to this complacent attitude and a lack of investment in cybersecurity measures. Since security breaches can be devastating to a small business, many SMB owners are more likely to pay a ransom to get their data back. And finally, small businesses are often the key for attackers to gain access to larger businesses that the SMBs work with.
Types of cyberattacks
In almost every case, the end goal of a cyberattack is to steal and exploit sensitive data, whether it’s customer credit card information or a person’s credentials, which is then used to manipulate the individual’s identity online. This is by no means an exhaustive list of potential cyberthreats, especially as hackers’ techniques evolve, but businesses should at least be aware of the most common types of attacks.
APT: Advanced persistent threats, or APTs, are long-term targeted attacks in which hackers break into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to plunder data.
DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests until it shuts down the target’s website or network system.
Inside attack: This is when someone with administrative privileges, usually from within the organisation, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present a threat if they left the company on bad terms. Your business should have a protocol in place to revoke all access to company data immediately when an employee is terminated.
Malware: This umbrella term is short for “malicious software” and covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important for choosing what type of cybersecurity software you need.
Password attacks: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user’s keystrokes, including login IDs and passwords.
Phishing: Perhaps the most commonly deployed form of cybertheft, phishing involves collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransom. Typically, ransomware either locks you out of your computer and demands money in exchange for access or it threatens to publish private information if you don’t pay a specified amount. Ransomware is one of the fastest-growing types of security breaches.
Zero day attack: Zero day attacks can be a developer’s worst nightmare. They exploit unknown flaws in software and systems that attackers discover before the developers and security staff become aware of the issue. These exploits can go undiscovered for months, even years, until they’re discovered and repaired.
Security solutions and what to look for
There are a few basic types of security software on the market, offering varying levels of protection. They include:
Antivirus software (and endpoint protection) is the most common and will defend against most types of malware. It can be paid for on a subscription basis and is generally inexpensive when protecting a few machines. Endpoint-protection-type services act as edge devices (similar to firewalls) and scan computers and devices on the network, looking for specific flags for malicious programs.
Firewalls, which can be implemented with hardware or software, provide an added layer of protection by preventing an unauthorized user from accessing a computer or network. Most modern operating systems (e.g. Windows 10) come with a firewall or defender-type application built in, which is cheap, but like anything, the more money invested, the greater the options and features, with hardware firewalls offering enterprise-level protection against intrusion.
On top of that, there are three further security solutions. The first is a data backup, so that any information compromised or lost during a breach can easily be recovered from an alternate location. The second is encryption to protect sensitive data, such as employee records, client/customer information and financial statements. The third is multi-factor authentication, which combines something you know (like a password) with something you have (a 2FA code that is generated by an algorithm) and greatly reduces the likelihood of unauthorized access even if your password is compromised.
Remember, there’s no one-size-fits-all security solution, so Charles Henderson, global head of security threats and testing at IBM, advised running a risk assessment, and if you don't have the technical know-how, to engage an outside firm or consultant.
Best practices for your Business
Ready to protect your business and its data? These best practices will keep your company as safe as possible.
Keep your software up to date. As stated in this Tom’s Guide article, “an outdated computer is more prone to crashes, security holes and cyber-attacks than one that’s been fully patched.” Hackers are constantly scanning for security vulnerabilities, Cobb said, and if you let these weaknesses go for too long, you’re greatly increasing your chances of being targeted.
Educate your employees. Education is your best weapon! Make your employees aware of the ways cyber-criminals can infiltrate your systems, teach them to recognize signs of a breach, and educate them on how to stay safe while using the company’s network.
Implement formal security policies. Putting in place and enforcing security policies is essential to locking down your system. Protecting the network should be on everyone’s mind since everyone who uses it can be a potential endpoint for attackers. Creating a culture of caution and preventive practices will bolster your protection. Regularly hold meetings and seminars on the best cyber-security practices, such as using strong passwords, identifying and reporting suspicious emails, and taking care when clicking links or downloading attachments.
Many companies enforce password policies that require employees to follow strict standards for creating passwords, such as including numbers, both uppercase and lowercase characters and symbols, as well as never using the same or similar passwords for different applications.
Practice your incident response plan. IBM’s Henderson recommended running a drill of your response plan (and refining it, if necessary) so your staff can detect and contain a breach quickly should an incident occur.
Ultimately, the best thing you can do for your business is to have a security-first mentality, Henderson said. He reminded small businesses that they shouldn’t assume they’re exempt from falling victim to a breach because of their size.