Cyber threats are seemingly everywhere, from obnoxious spam emails that fill your inbox to complex scams that lead to corporate account takeovers. For most businesses, preventing a data breach is the most significant cybersecurity concern. Security Magazine reports that the average cost of a data breach is $4.5 million. On top of potentially paying a ransom, attorney fees, and other costs associated with a data breach, businesses may also suffer from lost productivity and damage to their reputation with the public.
Cybersecurity is a complex topic, and even experts with advanced degrees must pay continual attention to understand the ever-changing nature of cyber threats. Most small and medium-sized businesses (SMBs) do not have the resources to hire a dedicated cybersecurity expert, but fortunately, there are other options. uRISQ is an affordable tool to help SMBs manage their cybersecurity program in a way that meets each business’s unique needs.
What Do Hackers Hope to Gain?
Everyone knows hackers pose a major risk to businesses and individuals alike. Understanding common motives for hacking can help businesses stay one step ahead and prevent cyber threats before they happen. Hackers may be motivated by:
- Money – Financial gain is by far the top goal for cybercriminals. In one recent year, Reuters reported that 86 percent of data breaches were for money. Hackers can profit by holding data hostage until the affected business pays a ransom. They can also use stolen data to create deceptive scams so consumers will pay them money.
- Fame – Some hackers simply enjoy showing off their power. When one person or group affects many websites or companies, people tend to give them more attention.
- Sabotage – These attacks are usually from a disgruntled employee or former employee who wants to express anger towards a company. It could also be a competitor’s misguided attempt to gain an advantage.
- Espionage – Nefarious actors may try to steal classified information or trade secrets. A competitor could use this information to gain a competitive advantage. If the target is a government agency, hackers could cause serious harm by overtaking utilities or other major infrastructure.
- “Hacktivism” – Some hackers use their skills to send a political message or promote or oppose social issues.
Although all these motives exist, SMBs must recognize that the primary motive is money. Some SMBs let their guard down, thinking they are not a high-profile company and therefore do not need to worry about large-scale cyber attacks. Cybercriminals target whoever will allow them to generate the most money for the least effort. SMBs often have lower levels of cybersecurity than larger corporations yet have significantly higher cash flow than individual consumers. Any business that does not take cybersecurity seriously is an easy target for hackers trying to make money.
Cyber Threats That Target Technology
Shortly after computers became popular, hackers began to develop various worms, viruses, and other cyber threats. As technology evolves, so do cybercriminals’ methods to cause interruptions and steal data. Some common threats that are relevant today include:
- Malware – Malicious software, including worms, viruses, trojans, spyware, adware, and ransomware, is known as malware. Users may unknowingly install this software by clicking on a suspicious link, opening an attachment, or inserting infected removable media, such as a CD or USB drive. Once installed, malware may cause something as harmless as obnoxious pop-up ads or, in more severe cases, could steal data or even render the system unusable. In the case of ransomware, users can only regain access to the system if they pay a ransom to the hacker.
- DDoS Attacks – Hackers use distributed denial of service (DDoS) attacks to create chaos and slow productivity. They usually create a large group of compromised computers called a botnet and command the entire botnet to access the target server simultaneously. This attack slows the server and can even cause it to crash. Hackers sometimes use this as a distraction to commit other cybercrimes while employees focus on fixing the server issue.
- SQL Injection – Hackers insert malicious SQL code into the database queries a server runs in order to view results not displayed on the public webpage. This code could allow the hacker to discover a company’s unpublished web pages listing products they have not yet released. Hackers can also use SQL injection attacks to modify or delete data.
- Man-in-the-Middle Attack (MitM) – The most common way for hackers to carry out this type of attack is by setting up a free wifi hotspot in a public place that is not password protected. When users log on to the malicious wifi, the hacker can intercept the exchanged data.
- Unauthorized access to physical devices – Many employees take laptops or phones home. Left unsecured, a thief, roommate, family member, or any other unauthorized person could access the data. Similarly, unauthorized individuals could sneak into a physical office and access devices that way.
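To make the SQL injection item above concrete, the following added example (not part of the original article) shows a product search that builds its query by string concatenation next to the parameterized form that closes the hole. The table, product names, and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory catalogue with one unreleased product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Widget", "tools", 1),
         ("Gadget", "tools", 1),
         ("Widget 2 (unannounced)", "tools", 0)],
    )
    return conn

def search_vulnerable(conn, category):
    # Vulnerable: user input becomes part of the SQL text, so a quote in the
    # input can end the string literal and change the query's logic.
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, category):
    # Hardened: the input is bound as a parameter and is only ever treated
    # as a value, never as SQL.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

if __name__ == "__main__":
    conn = make_db()
    crafted = "tools' --"  # constructed input: closes the literal, comments out the filter
    print("normal input, vulnerable query:", search_vulnerable(conn, "tools"))
    print("crafted input, vulnerable query:", search_vulnerable(conn, crafted))
    print("crafted input, safe query:      ", search_safe(conn, crafted))
```

With the concatenated query the `released = 1` filter is silently dropped and the unreleased product is returned; the parameterized query treats the same input as an unknown category and returns nothing.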
Cyber Threats That Target People
While many threats typically take advantage of a network vulnerability or other technological issue, an increasing number of cybercriminals are developing attacks that target human error. After all, humans are the weakest link in privacy and security. Social engineering is a technique that cybercriminals use to manipulate people to share information and data that they would not share otherwise. Companies with robust protection for their devices and network are at risk if their employees fall victim to a social engineering attack. Some examples include:
- Phishing – Just as a fisherman uses lures that mimic something the fish is familiar with, phishing attacks typically mimic a trusted company or individual, hoping the victim will feel comfortable enough to disclose personal information or passwords. Phishing attacks used to come primarily from emails, but hackers have recently been utilizing SMS (text) messaging, sometimes called smishing.
- Baiting – In this type of attack, hackers offer a reward or prize, such as a gift card or free music download, but require you to enter some personal information before receiving the reward. If the “reward” is a free download, it could contain malware.
- Scareware – People often do not think clearly when they are worried or alarmed. Scareware injects malicious code into a webpage that causes popups warning the user that their computer has a virus. Now that the hacker has the user’s attention, the popups offer the chance to purchase and download security software. If the user does this, the hacker gains access to credit card information and often infects the computer with a real virus.
What Can Businesses Do?
Businesses should implement reasonable data security measures to prevent cyber attacks. Most nationwide businesses are subject to various state data privacy laws requiring basic data security programs. At a minimum, all businesses should equip their devices with the latest antivirus software, firewalls, and other technology designed to improve security. Businesses should also regularly install updates and patches to the operating system and applications.
Businesses can also implement policies that prevent cyber threats unique to their industry or work environment. For example, if certain devices store highly sensitive information, a policy that prohibits removable media such as CDs and USB drives in those devices could prevent some types of malware. Additionally, businesses can limit the number of users with administrator privileges. This way, the average employee cannot download new software without an administrator’s approval, thus reducing the risk of accidentally downloading something malicious.
In some industries, it might make sense to limit who has access to sensitive information. Unfortunately, some data theft is an inside job. Employees with legitimate access could use data outside the scope of their work for financial or personal gain, blackmail, or for many other reasons. Businesses can limit access to sensitive data to those with a genuine need for business reasons.
When businesses implement new policies that limit employees, there is sometimes pushback and frustration. However, with thoughtful training and good communication, business leaders can empower employees to make meaningful changes that improve cybersecurity.
What Can Employees Do?
Since there are many types of cyber threats, and the list is continuously growing, it is likely too overwhelming for the average employee to remember the details of various threats. Fortunately, following good cybersecurity practices can prevent a wide range of threats. Instead of worrying about learning the dozens of ways hackers can access data and cause trouble, employees should focus on modifying their behavior. Some areas employees and individuals can focus on include:
- Strong passwords – The best passwords have at least 12 characters, including upper and lower-case letters, numbers, and special characters. Since hackers can access so much personal information from social media and previous breaches, passwords should not include cities, names, dates, or other personal information that hackers could guess. A reputable third-party password manager can suggest randomized passwords that are sufficiently complex.
- Multi-factor authentication – Some accounts require users to enter a code from a text message or email or answer a phone call to verify their identity. Even if a hacker knows or guesses the login information, they shouldn’t be able to access the account unless they also have access to the user’s phone to view text messages.
- Use a secure wifi network – This is especially important in the age of remote work. Accessing wifi at a coffee shop or other public location could allow hackers to intercept transmitted data. If employees are using their home network, they should have a strong password to protect the network. A VPN can also help protect data security when employees work remotely.
- Avoid suspicious links or attachments – Even when employers install software to scan emails for viruses and other dangers, employees should remain vigilant and use good judgment when opening any links or attachments in emails. Emails from a supposed boss or coworker that seem uncharacteristically urgent or emotional may be a phishing attempt.
- Pay attention to the email or web address – Scammers often use fake emails or websites with one character off so they look visually similar to the real one. When an employee receives a message they are unsure about, they can compare email addresses or contact their coworker directly to verify the authenticity rather than responding to the email.
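The "one character off" check in the last item can be automated at the mail gateway or in a reporting tool. This added example (not from the original article) flags sender domains that are a single edit or a visually similar substitution away from a trusted domain; the trusted list, the substitution table, and the sample addresses are constructed assumptions.

```python
# Constructed allow-list; a real deployment would load the organisation's own domains.
TRUSTED = {"example.com", "payroll.example"}

# Small, assumed table of characters commonly swapped for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Reduce a domain to a canonical form so look-alike spellings compare equal."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS)

def one_edit_apart(a, b):
    """True if a and b differ by one insert, delete, substitution, or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # ensure len(a) <= len(b)
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        substituted = a[i + 1:] == b[i + 1:]
        swapped = a[i + 2:] == b[i + 2:] and a[i:i + 2] == b[i:i + 2][::-1]
        return substituted or swapped
    return a[i:] == b[i + 1:]            # b carries one extra character

def check_sender(address, trusted=TRUSTED):
    """Classify a sender address as trusted, a lookalike of a trusted domain, or unknown."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or one_edit_apart(domain, good):
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["alice@example.com", "alice@examp1e.com",
                   "bob@exarnple.com", "bob@exmaple.com", "carol@unrelated.org"]:
        print(sender, "->", check_sender(sender))
```

A "lookalike" result is a reason to verify the message with the supposed sender through another channel, as the item above recommends.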
Reducing Damage When Attacks Do Happen
Even after following these tips, many, if not most, businesses will still fall victim to some type of cyber attack at one point or another. For this reason, data security programs should include measures beyond preventing cyber attacks. Businesses should also develop policies and procedures that prevent hackers from accessing and using sensitive data if they do breach the system. Some examples include:
- Keep an inventory of where your business stores sensitive data
- Limit data collection to what is reasonably necessary
- Encrypt data so it is not usable without the key
- Have an incident response plan in place
Seek Support From Cybersecurity Experts
Most small and medium-sized businesses (SMBs) lack the resources to hire someone to focus specifically on cybersecurity. Even employees with a deep understanding of the various cybersecurity risks are likely stretched thin with other tasks, making it difficult to give sufficient attention to cybersecurity. To further complicate matters, cybercriminals constantly change their tactics and invent new ways to wreak havoc on businesses.
When businesses utilize a privacy and security program like uRISQ, they know their cybersecurity needs are in good hands. uRISQ can conduct vulnerability scanning to help identify potential weaknesses and develop a plan to address each business’s unique needs. uRISQ also helps with breach support to help businesses properly report breaches and get back on track after a breach.