- 61% of data breaches directly affect small businesses.
- Using strong passwords, keeping antivirus software up to date and implementing best practices are just a few tactics you should employ as part of an overall cybersecurity solution.
- There are countless types of attacks, but distributed denial of service (DDoS) and man-in-the-middle (MitM) attacks are among the most common.
Each second, more than 77 terabytes of internet traffic takes place online. As such, the internet has become a digital Silk Road that facilitates nearly every facet of modern life. And just as ancient merchants were sometimes beset by bandits on the actual Silk Road, today's entrepreneurs can easily find themselves under attack from cyber malcontents working to derail companies through theft and disruption.
In recent years, headlines have spotlighted crippling cyberattacks against major corporations. While each corporate cyberattack resulted in millions of dollars in damages, most stories fail to mention the many data breaches that affect much softer targets: small businesses. According to Verizon's Data Breach Investigations Report, 43% of breaches impacted SMBs.
You may not know when the next attack could occur, but taking proper precautions can hamper or completely stymie a hacker's attempt at gaining access to your network. To help you avoid the mistakes of Target and more than 20 government agencies, we've compiled info on why your SMB could be at risk and how to avoid a similar fate.
Why cyberhackers go after small businesses
When it comes to starting a small business, new owners have many decisions to make and often leave cybersecurity measures by the wayside. Unless they focus on shoring up their defenses, they may inadvertently end up leaving points of entry wide open for hackers. That can be a major problem. A report by the U.S. National Cyber Security Alliance estimated that 60% of all SMBs fail within six months of a cyberattack.
According to Towergate Insurance, SMBs often underestimate their risk level, with 82% of SMB owners saying they're not targets for attacks. They believe that, researchers said, because they feel they "don't have anything worth stealing."
Stephen Cobb, a senior security researcher at antivirus software company ESET, said that SMBs fall into hackers' cybersecurity sweet spot since they "have more digital assets to target than an individual consumer has but less security than a larger enterprise."
Couple that with the costs associated with implementing proper defenses, and you have a situation that's primed for intrusions. Since security breaches can be devastating to an SMB, owners are more likely to pay a ransom to get their data back. SMBs can also be merely a steppingstone for attackers to gain access to larger businesses.
Cybersecurity attacks to look out for
Regardless of their target, hackers generally aim to gain access to a company's sensitive data, such as consumers' credit card information. With enough identifying information, attackers can then exploit an individual's identity in any number of damaging ways.
One of the best ways to prepare for an attack is to understand the different methods hackers generally use to gain access to that information. While this is by no means an exhaustive list of potential threats, since cybercrime is a constantly evolving phenomenon, business owners should at least be aware of the following types of attacks.
- APT: Advanced persistent threats, or APTs, are long-term targeted attacks in which hackers break into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to plunder data.
- DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests until it shuts down the target's website or network system.
- Inside attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present a threat if they left the company on bad terms. Your business should have a protocol in place to revoke all access to company data immediately when an employee is terminated.
- Malware: This umbrella term is short for "malicious software" and covers any program introduced into the target's computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important, because it helps you determine what type of cybersecurity software you need.
- Man in the middle (MitM) attack: In any normal transaction, two parties exchange goods – or in the case of e-commerce, digital information – with each other. Knowing this, hackers who use the man in the middle method of intrusion do so by installing malware that interrupts the flow of information to steal important data. This is generally done when one or more parties conduct the transaction through an unsecured public Wi-Fi network, where attackers have installed malware that helps sift through data.
- Password attack: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user's keystrokes, including login IDs and passwords.
- Phishing: Perhaps the most commonly deployed form of cybertheft, phishing attacks involve collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
- Ransomware: A ransomware attack infects your machine with malware and, as the name suggests, demands a ransom. Typically, ransomware either locks you out of your computer and demands money in exchange for access, or it threatens to publish private information if you don't pay a specified amount. Ransomware is one of the fastest-growing types of security breaches.
- SQL injection attack: For more than four decades, web developers have been using structured query language (SQL) as one of the main coding languages on the internet. While a standardized language has greatly benefited the internet's development, it can also be an easy way for malicious code to make its way onto your business's website. A successful SQL injection attack on your servers can expose sensitive information and let bad actors access and modify important databases, download files, and even manipulate devices on the network.
- Zero-day attack: Zero-day attacks can be a developer's worst nightmare. They are unknown flaws and exploits in software and systems discovered by attackers before the developers and security staff become aware of any threats. These exploits can go undiscovered for months, or even years, until they're discovered and repaired.
How to secure your networks
As more companies continue to grow their businesses online, the need for robust cybersecurity measures will grow, too. According to Cybersecurity Ventures' 2019 Cybersecurity Market Report, worldwide spending on such products will increase from $3.5 billion in 2004 to an estimated $170.4 billion in 2022.
For small businesses looking to ensure that their networks have at least a fighting chance against many attacks, that generally means installing any number of basic types of security software available on the market, each with varying levels of efficacy.
Antivirus software is the most common and will defend against most types of malware.
A hardware- or software-based firewall can provide an added layer of protection by preventing an unauthorized user from accessing a computer or network. Most modern operating systems, including Windows 10, come with a firewall program installed for free.
Along with those more surface-level tools, Cobb suggests that businesses invest in three additional security measures.
- The first is a data backup solution so that any information compromised or lost during a breach can easily be recovered from an alternate location.
- The second is encryption software to protect sensitive data, such as employee records, client/customer information and financial statements.
- The third solution is two-step authentication or password-security software for a business's internal programs to reduce the likelihood of password cracking.
As you begin considering your options, it's generally a good idea to run a risk assessment, either by yourself or with the help of an outside firm.
Tip: According to Security.org, antivirus software can scan for eight threats including malware, spyware, adware, viruses, and more.
Cybersecurity best practices
In addition to implementing some sort of software-based solution, small businesses should adopt certain technological best practices and policies to shore up vulnerabilities.
- Keep your software up to date. Hackers are constantly scanning for security vulnerabilities, Cobb said, and if you let these weaknesses go for too long, you're greatly increasing your chances of being targeted.
- Educate your employees. Teach your employees about the different ways cybercriminals can infiltrate your systems. Advise them on how to recognize signs of a breach and educate them on how to stay safe while using the company's network.
- Implement formal security policies. Putting in place and enforcing security policies is essential to locking down your system. Protecting the network should be on everyone's mind since everyone who uses it can be a potential endpoint for attackers. Regularly hold meetings and seminars on the best cybersecurity practices, such as using strong passwords, identifying and reporting suspicious emails, activating two-factor authentication, and taking care when clicking links or downloading attachments.
- Practice your incident response plan. Despite your best efforts, there may come a time when your company falls prey to a cyberattack. If that day comes, it's important that your staff can handle the fallout that comes from it. With a response plan drawn up and rehearsed, attacks can be quickly identified and quelled before they do too much damage.
For more information see our article on how to handle a data breach.
Additional reporting by Andreas Rivera, Sammi Caramela, Nicole Fallon and Mona Bushnell. Some source interviews were conducted for a previous version of this article.