What if your small business gets hacked? It’s not an idle concern, with more than 80,000 security issues reported in 2015, according to Verizon’s annual in-depth business security survey.
If you aren’t owned by a global conglomerate, or don’t have security insurance, the effects of a hacking could be devastating.
In the Crosshairs
The threat is real. According to Symantec Corp., a security firm that publishes an annual Internet security threat report, nearly one-third of all cyber attacks target small businesses. According to Experian Business Information Services, 60 percent of the small and medium-sized businesses that experience a data breach go out of business within six months.
The perpetrators of most cyber attacks appear to be in it for the money. Although a small percentage of attacks are done for ideological reasons, hackers often want to profit, either directly or indirectly, from the attack. Once they have unauthorized access to your computers, they may:
- Encrypt your business's information and threaten to delete it unless you pay a ransom to have it decrypted;
- Steal customer information, including credit card numbers, Social Security numbers, names and addresses with the intention of reselling the information for a profit to other hackers; and
- Steal your business's bank account access credentials to initiate transfers while blocking your ability to detect the theft.
But how do they get in? They might use sophisticated technology coupled with an understanding of human nature to gain unauthorized access to company data.
Three common methods:
1. Exploitation of insecure passwords. Weak passwords are a relatively simple way for hackers to access a business's accounts. According to software company SplashData, “123456” and “password” are the two most common passwords in use. Through a “dictionary attack,” hackers use dictionaries that contain hundreds of millions of words and combinations of words that are most commonly used as passwords. With a “rainbow attack,” hackers can crack more sophisticated passwords fairly quickly by comparing the encrypted versions of passwords (the hashes) to a table of prepared hashes.
2. Breaching insecure networks. Many WiFi networks aren't properly secured, and if yours is one of them, a hacker can leverage a misconfigured access point in order to gain access to your company’s network. They can also steal information being transferred over WiFi between a user’s computer and the network because most wireless networks secure these communications using WPA encryption, which is virtually useless against a moderately knowledgeable hacker.
3. Email-based attacks and deception. Spam messages can sneak into systems, past protective folders, and trick even savvy email users. Spam often falls into two categories:
- Malware delivery. Emails may contain malware (software with a malicious purpose) as an attachment or as a download accessible through a link in the message body. Some forms of malware can be triggered simply by opening an email that uses certain email clients. Once activated, the malware can steal your information, hold it for a ransom or make your computer part of a more sophisticated attack on a third party.
- Phishing. Other emails may try to trick you into providing your access credentials to different services. After all, why waste time trying to crack a password when you can fool someone into giving it away freely? Phishing attacks are based on deception. The messages appear to be genuine—possibly from a bank or other service provider—with links that lead to fake login pages where the hacker can steal the credentials as soon as they're entered. More sophisticated hackers might use customized and personalized phishing attacks that have a higher success rate in fooling victims. For instance, in longlining, hackers rapidly deploy thousands of unique, malware-laden messages that are largely undetectable to traditional signature and reputation-based security systems. And in watering hole scams, hackers target a particular organization, industry or region, then guess or observe which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.
Being aware of how hackers work can help you set up the right defenses against them. So now that you know how they may get in, help put the right protocols and systems in place to keep them out.
Read more articles on technology.
This article was originally published on January 14, 2015.