According to Forbes Magazine, 57% of small business owners believe they will not be the target of a cyberattack. This statistic starkly contrasts the reality, as reported by Verizon in 2019, that small businesses accounted for 43% of all breaches. This false sense of security leads smaller businesses to neglect their security posture. When disaster strikes, they will not have the resources of larger companies, which will exacerbate their recovery times, or they may not recover at all. It is crucial that these businesses can resolve any issues where possible, understand risks, and have thorough plans for when an event does occur.
So how big is the attack vector for a small company that doesn’t maintain servers and only has a handful of employees? It will vary from company to company, but there has been a significant spike in ransomware attacks recently, and small businesses are not immune. A ransomware attack is when an adversary can access crucial business data and lock it away until you pay for the key. Before we get into how this could happen, let’s dive into the hypothetical of what this could mean for a business. An incident like this must be reported to customers, resulting in a loss of confidence. Depending on the type of data, it may mean customers are affected in the form of stolen credit cards or other personal information. It may prevent your business from operating if the data is essential to operations.
So how can such an attack happen? What if my data is in the cloud? Even if this data is not on your local computer, it could still be vulnerable to this attack, either through one of your devices or through the cloud provider using stolen credentials. This type of attack corresponds to around 75% of security incidents affecting small businesses and 25% of incidents across all companies. According to Verizon’s report, these attacks can come from abuse of user credentials, phishing, exploitation of resources, or through third-party applications. Let’s explain what these methods mean in layman’s terms and how you can mitigate them.
With this method, an attack will utilize data gathered from a previous data breach to log into your applications or networks. A quick way to check if your credentials have been leaked is to use HaveIBeenPwned. This website will scan through publicly available breaches for your email and alert you if it finds it. Just know that this search isn’t all-inclusive, and there is a whole market for user data on the internet that your information could still be a part of. So the real solution is to refrain from reusing credentials. If you use a separate password for each service, an attacker cannot use data from a previous breach. Another solution is to use Multi-factor Authentication. By requiring a pin to be texted to you or generated through an app like Duo or Authy, an attacker will need more than just a password to get in.
A phishing attack is where an adversary will reach out to you under some guise and attempt to gain the information they can use to get into your accounts, or they may try to get you to run a virus or other malware which will give them entry to your systems or data. The best way to combat this is to understand attackers’ tactics to trick people and some hallmarks that the person you are interacting with may not be whom they seem. Detecting phishing attempts is a big topic, but some immediate things would be:
Now, it is one thing for you to understand how to recognize this sort of attack. Still, ensuring everyone in your business understands this, too, is quite another. An effective training tactic is allowing the “good” guys to attempt these phishing attacks and see how successful they are. Several platforms will send emails to different employees to see if they can be coerced into clicking links they shouldn’t. Zeus Technologies offers this sort of service as well as others online.
This form of attack is what people generally think of when it comes to hacking. Some software running somewhere has a bug or some other defect that allows unauthorized users to manipulate it into leaking information, running code, or otherwise doing bad things. The applications or resources could be misconfigured or unsecured. Either way, this one requires constant due diligence. Keep notice of which versions of software you are running, and update when as often as possible, especially when security patches need to be applied. In terms of configuration, ensure you understand the applications and services you use and any permissions surrounding the data you store.
In this category, it is beneficial to have people familiar with the software to give some advice. Cybersecurity professionals will have tools to scan for common misconfigurations or other things that may help with this attack category.
Attacks of this nature are relatively uncommon, but mentioning them brings everything to a captivating conclusion. The latest Version Data Breach report highlights the SolarWinds breach. In this attack, adversaries manipulated a prevalent framework to send out an update containing malware, which affected any user that installed the update. Though this happens infrequently, the widespread damage this breach caused showed everyone how vulnerable they could be. So how would one prevent this? You can’t. There is no foolproof security method. Sooner or later, a hacker can get into a network; you need to be prepared for that. Minimize risk, but prepare for the worst. Make backups and have a recovery plan.
The best security is having a plan to get the business up and running as quickly as possible after a breach; a common rule is the 1-10-60 rule which states that you should detect an attack in 1 minute, understand the attack in 10 minutes, and have a fix within 60 minutes. Obviously, with a small business that has minimal or no IT support, that is a tall order. Still, the difference between a business that goes under because of a breach and one that bounces back is its recovery plan.
In summary, your small business is not immune to cyber-attacks, and there are a few simple steps you can take to protect your business: