The media often reports incidents involving corporations facing massive data breaches. Personal, private, and financial information of victims can be leaked in numbers reaching millions. The hacking of small businesses is often not reported, mainly because these types of attacks are not public knowledge. Many entrepreneurs do not realize that small businesses are equally at risk for cyberattacks as larger companies. According to a report by Verizon, 61 percent of data breach victims were small businesses. The following is a brief overview of topics that will help to protect your business and your customers’ personal, private, and financial information:
Topics to be covered:
1. Why do hackers target small businesses?
2. Types of cyberattacks.
3. Security solutions.
4. Cybersecurity insurance considerations.
5. Best practices for your business.
Why do hackers target small businesses?
While breaches at large corporations, such as Target and Home Depot make the headlines, small businesses are still very much targets for hackers. Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers’ cybersecurity focus because they have more digital assets to target than an individual consumer, but considerably less cybersecurity than a larger enterprise.
The other reason small businesses are appealing targets is that hackers know these companies are less informed about cybersecurity services and defenses. According to Towergate Insurance, small businesses often underestimate their risk level, with 82 percent of small business owners saying they are not targets for attacks because they don’t have anything worth stealing. However, there are several reasons why small businesses are a prime target for cyberattacks.
The first reason is that they are easy to attack, due to this complacent attitude and a lack of investment into cybersecurity measures. Since security breaches can be devastating to a small business, many SMB owners are more likely to pay a ransom to get their data back. Small businesses are often the key for attackers to gain access to larger businesses by attacking their supply chains or trusted relationships, such as DMS service providers.
Types of cyberattacks
In most cases, the end goal of a cyberattack is to steal and exploit sensitive data, whether it is personal, private, financial, credit card information, or on-line banking credentials, with the goal to steal money or identities. The following is an example of potential cyber threats facing businesses today.
APT: Advanced persistent threats, or APTs, are long-term targeted attacks in which hackers break into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to steal data.
DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests until it shuts down the target’s website or network system.
Inside attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present protocol in place to revoke all access to company data immediately before an employee is terminated.
Malware: This umbrella term is short for “malicious software” and covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important for choosing what type of cybersecurity software you need.
Password attacks: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user’s keystrokes, including login IDs and passwords.
Phishing: Perhaps the most commonly deployed form of cyber theft, phishing involves collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransom. Ransomware encrypts your files/data or and demands money in the form of Bitcoin in exchange for access to your data or threatens to publish private information if you do not the ransom within a specific time frame. Ransomware is one of the fastest-growing types of security breaches.
Zero day attack: Zero-day attacks can be a developer’s worst nightmare. They are unknown flaws and exploits in software and systems discovered by attackers before the developers and security staff become aware of the issue. These exploits can go undiscovered for months, even years, until they are discovered and repaired.
Security solutions and what is available
There are basic types of security software on the market that offer different levels of protection. Antivirus software is the most common and will defend against most types of known malware. There are product reviews available on the Internet.
Firewalls can be implemented with hardware or software will provide an added layer of protection by preventing an unauthorized user from accessing computers or network. Most operating systems such as Windows 10 include a firewall program.
Information security professionals advise that businesses invest in three security solutions. The first is a data backup solution so that any information compromised or lost during a breach can easily be recovered from an alternate location. The second is encryption software to protect sensitive data, such as employee records, client/customer information, and financial statements. The third solution is two-step authentication or password-security software for a business’s internal programs to reduce the likelihood of password cracking.
One important solution that does not involve software and that many small businesses overlook is cybersecurity insurance. A general P&C and liability policy will not help you recoup losses or legal fees associated with a data breach. A separate policy covering these types of damages can defray some of the costs or damages in case of a cyber breach.
According to a survey by insurance company Hiscox, only 21 percent of small businesses have some form of cyber insurance, with 52 percent indicating that they have not considered buying the coverage.
Tim Francis, enterprise cyber lead at Travelers Insurance, a provider of cyber insurance, stated that many small businesses assume cyber insurance policies are designed only for large companies because those businesses are the most frequent targets of hackers. Today, many insurance carriers are beginning to offer tailor-made coverage for smaller companies to meet their budgets and risk-exposure levels.
Mr. Francis advised business owners to look for a combination of first and third-party coverage. First-party liability coverage includes general costs incurred as a result of a breach, such as legal expertise, public relations campaigns, customer notification and business interruption. Third-party coverage protects you if your company is at the center of a breach that exposed sensitive information. This type of protection covers legal defense costs if the affected parties sue your company.
“ Coverage is more than words on a page,” Mr. Francis said. “ Make sure your carrier is well regarded financially and has a good reputation in the industry. There is a wide variety in policies, [and] … you need an agent who understands the differences.”
Best practices for your business
Ready to protect your business and its data? These best practices will keep your company as safe as possible.
Keep your software up to date. Cyber threat professionals emphasize that “ An outdated computer is more prone to crashes, security holes and cyberattacks than one that’s been fully patched.” Hackers are constantly scanning for security vulnerabilities, if you let these weaknesses go for too long, you are greatly increasing your chances of being targeted.
Educate your employees. Make your employees aware of the ways cybercriminals can infiltrate your systems, teach them to recognize signs of phishing or a breach, and educate them on how to stay safe while using the company’s computers and networks.
Implement formal security policies. Putting in place and enforcing security policies is essential to locking down your system. Protecting the network should be on everyone’s mind since everyone who uses it can be a potential endpoint for attackers. Creating a culture of caution and preventive practices will bolster your protection. Regularly hold meetings and seminars on the best cybersecurity practices, such as using strong passwords and changing them on a regular basis, identifying and reporting suspicious emails, and clicking links or downloading attachments. Many companies enforce password policies that require employees to follow strict standards for creating passwords, such as including numbers, both uppercase and lowercase characters, and symbols, as well as never using the same or similar passwords for different applications
Practice your incident response plan. Information security professionals recommend running a drill of your documented incident response plan (and refining, if necessary) so your staff can detect and contain the breach quickly should an incident occur.
Many small to medium-sized businesses do not have the in-house resources to cover all of the topics in this report. The Federal Trade Commission is introducing new regulations that will affect all firms that handle customers’ personal, private and financial information. Wapack Labs Corporation can help any sized business to prepare and comply with these new regulations with training, planning, policies, phishing, penetration testing, daily cyber threat notifications, and vCiSO’s to help your firm stay cyber safe.
Please feel free to contact us firstname.lastname@example.org or your RedXray distributor.