Online threats are on everyone’s minds after this week’s breach at OneLogin. The identity and access management company with over 2,000 enterprise clients was hacked, and the fallout isn't over. During the security breach, private information about users, apps, and various keys may have been obtained by the still unknown hackers. All we currently know is what OneLogin has announced on their company blog: data may have been collected and the hacker or hackers may have figured out a way to decrypt data.
If you're not sure what all this means, you're not alone. Many entrepreneurs don't realize that small businesses are just as much at risk for cyberattacks as larger companies, but they are. According to a report by Keeper Security and the Ponemon Institute, 50 percent of small businesses have been breached in the past 12 months.
Here's an overview of everything you need to know to protect your business.
In this article…
- Why do hackers target small businesses?
- Types of cyberattacks
- Security solutions and what to look for
- Cybersecurity insurance
- Best practices for your business
Why do hackers target small businesses?
While breaches at big corporations such as Target and Home Depot make the headlines, small businesses are still very much targets for hackers. Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers' cybersecurity "sweet spot": they have more digital assets to target than an individual consumer has, but less security than a larger enterprise.
The other reason small businesses make such appealing targets is that hackers know these companies are less careful about security. An infographic by Towergate Insurance showed that small businesses often underestimate their risk level, with 82 percent of small business owners saying they're not targets for attacks because they don't have anything worth stealing.
Types of cyberattacks
In almost every case, the end goal of a cyberattack is to steal and exploit sensitive data, whether it's customer credit-card information or a person's credentials, which can then be used to misuse the individual's identity online.
This is by no means an exhaustive list of potential cyberthreats, especially as hackers' techniques continue to evolve, but businesses should at least be aware of the most frequently used attacks.
APT: Advanced persistent threats, or APTs, are long-term targeted attacks that break into a network in multiple phases to avoid detection. This Symantec infographic outlined the five stages of an APT.
DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests, with the goal of shutting down the target's website or network system.
Inside attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present a threat if they left the company on bad terms, so your business should have a protocol in place to revoke all access to company data immediately upon an employee's termination.
Malware: This umbrella term is short for "malicious software," and covers any program introduced into the target's computer with the intent to cause damage or gain unauthorized access. More about the different varieties of malware can be found on How-To Geek. Business News Daily's sister site Tom's Guide also breaks down the myths and facts of malware.
Password attacks: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks all of a user's keystrokes, including login IDs and passwords. More about each type of attack (and how to avoid them) can be found in this Scorpion Software blog post.
Phishing: Perhaps the most commonly deployed form of cybertheft, phishing involves collecting sensitive information like login credentials and credit-card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Keeper Security and the Ponemon Institute reported that the most prevalent attacks against SMBs are web-based and phishing/social engineering. TechRepublic shared 10 signs to help you spot a phishing email.
Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransom. Typically, ransomware will either lock you out of your computer and demand money in return for access or threaten to publish private information if you don't pay a specified amount. Ransomware is one of the fastest-growing types of security breaches.
Security solutions and what to look for
There are a few different basic types of security software on the market, offering varying levels of protection. Antivirus software is the most common, and will defend against most types of malware. For a side-by-side comparison of the best antivirus software programs for small businesses, visit our sister site Top Ten Reviews.
Firewalls, which can be implemented with hardware or software, provide an added layer of protection by preventing an unauthorized user from accessing a computer or network. In an eHow.com article, author Sam N. Austin noted that some computer operating systems, such as Microsoft Windows, come with built-in firewalls. These protections can also be added separately to routers and servers.
Cobb, of ESET, said businesses should also invest in a data backup solution, so any information compromised or lost during a breach can easily be recovered from an alternate location; encryption software to protect sensitive data such as employee records, client/customer information and financial statements; and two-step authentication or password-security software for their internal programs to reduce the likelihood of password cracking.
It's important to remember that there's no one-size-fits-all security solution, so Charles Henderson, global head of security threats and testing at IBM, advised running a risk assessment, preferably through an outside firm.
Cybersecurity insurance
One important solution that doesn't involve software and that many small businesses overlook is cybersecurity insurance. As mentioned above, your general liability policy will not help you recoup losses or legal fees associated with a data breach, so a separate policy covering these types of damages can be hugely helpful in case of an attack.
Tim Francis, enterprise cyber lead at Travelers, a provider of cyberinsurance, said that small businesses often assume cyberinsurance policies are designed only for large companies, because those businesses are the most frequent targets of hackers. But many insurance carriers are beginning to offer tailor-made coverage for smaller companies to meet their budgets and risk-exposure levels, he said.
Francis advised business owners to look for a combination of first- and third-party coverage. First-party liability coverage includes any general costs incurred as a result of a breach, such as legal expertise, public relations campaigns, customer notification and business interruption. Third-party coverage protects you if your company is at the center of a breach that exposed sensitive information. This type of protection covers defense costs if the affected parties sue your company.
"Coverage is more than words on a page," Francis said. "Make sure your carrier is well-regarded financially and has a good reputation in the industry. There's tremendous variety in policies, [and] ... you need an agent who understands the differences."
Best practices for your business
Ready to protect your business and its data? These best practices will keep your company as safe as possible.
Keep your software up to date. As stated in this Tom's Guide article, "an outdated computer is more prone to crashes, security holes and cyberattacks than one that's been fully patched." Hackers are constantly scanning for security vulnerabilities, ESET's Cobb said, and if you let these weaknesses go for too long, you're greatly increasing your chances of being targeted.
Educate your employees. Make your employees aware of the ways cybercriminals can infiltrate your systems, teach them to recognize signs of a breach, and educate them on how to stay safe while using the company's network.
Implement formal security policies. Bill Carey, vice president of marketing and business development at Siber Systems, noted that having companywide security policies in place can help reduce your likelihood of an attack. He advised requiring strong passwords — those with upper- and lowercase letters, numbers and symbols — that should be changed every 60 to 90 days. Sixty-five percent of SMBs that have a password policy do not strictly enforce it, according to the Keeper Security and Ponemon Institute report.
Practice your incident response plan. IBM's Henderson recommended running a drill of your response plan (and refining, if necessary) so your staff can detect and contain the breach quickly should an incident occur.
Ultimately, the best thing you can do for your business is to have a security-first mentality, Henderson said. He reminded small businesses that they shouldn't assume they're exempt from falling victim to a breach because of their size.
For more information on how to handle a data breach, visit this Business News Daily guide.
Additional reporting by Nicole Fallon Taylor and Mona Bushnell. Some source interviews were conducted for a previous version of this article.