Small Businesses are Highly Vulnerable to Cyber Security Breaches

A cyber security breach, or data breach, is an intentional or unintentional release of private information to an untrusted environment, whether to the public or to criminals. According to a Verizon study, there were more than 40,000 documented cyber-security-related incidents in 2019, and nearly half of all data breaches were perpetrated against small businesses.

Small businesses are often the victims of cyber crime because they lack adequate security measures to protect against such an attack. Larger companies and government organizations, motivated by legal and regulatory concerns, have moved to secure their data. As a result, public sector entities, healthcare organizations, and private corporations combined accounted for 41% of all data breaches, two percentage points less than the 43% share represented by small business data breaches.

It’s clear that hackers are targeting lower-profile, lower-security businesses. While the take might be less than what is possible targeting a major corporation—Target lost credit card data from 40 million customer accounts in 2013, the largest hack in recent years—small businesses are easier victims due to their lack of security infrastructure.

There are numerous ways that a hacker can obtain sensitive data from your business.

According to Verizon’s study of 2019 cyber breaches, hacking, malware, and social engineering are the three most common cyber attacks. Attacks are often multi-faceted: hackers use malware and/or social engineering to break into a secure system.

Command-and-control (C2) servers are the hacking infrastructure of choice for the majority of cyber criminals. As the name suggests, C2 servers issue commands to compromised systems, essentially turning over control of the newly infected computer to the hacker and allowing them to extract data, such as login credentials.

Use of stolen login credentials was the most common cyber crime of 2019, increasing in prevalence by 18% compared to 2018.

Cyber criminals typically use malware—software designed to disrupt secure systems—to steal login information, and often manage to do so without being detected. Phishing emails are the most common delivery method for malware. A phishing email looks like a normal email and encourages the recipient to open an attached file, which may be described as a receipt for a purchase, a work file, or some other innocent item. But these attachments contain code that allows the C2 server to gain access to the computer, giving the hacker the opportunity to steal data.

A credential-based attack is significant because hackers can move freely through your organization’s computer system, steal personal data, compromise network connections, and even sell the credentials to other cyber criminals. Hackers might also use the stolen credentials to deploy ransomware attacks, in which a hacker extorts money in exchange for relinquishing control of the computer system.

Some companies have begun to fight back against phishing through simulations in which fake (non-harmful) phishing emails are sent to employees. This has allowed companies to identify organizational weaknesses and to train employees not to click on attachments or links in suspicious emails. Evidence shows that this approach is working: in a recent phishing simulation exercise, only 3% of recipients clicked on an attachment, suggesting that the average computer user is becoming more sophisticated and can recognize fraudulent emails. This is a sound strategy that helps employees become more familiar with phishing scams.

The data also suggests that those with online e-commerce sites are particularly at risk of a cyber attack, as hackers are increasingly targeting web-based payment systems to steal customer data. Similar to in-person point-of-sale debit or credit card skimming, online card theft gives the thief access to payment information that can be used for financial gain. And, as discussed, hackers also seem to place an emphasis on credential theft to gain access to computer systems and/or email accounts in an attempt to extort money.

‘Social engineering’ is a non-technological yet effective means of data attack, relying on person-to-person manipulation.

Have you ever received a phone call from someone claiming that your bank account has been breached, and that you need to act quickly to rectify the situation? Chances are that you have—and chances are even greater that the caller wasn’t a representative of your bank.

Instead of trying to find a software vulnerability, social engineers use fake identities to trick people into divulging personal information. This method of hacking can be especially tricky to identify, as was demonstrated when one company tested its security by employing professional social engineers, who dressed like IT professionals and told staff that they had been hired to fix a computer issue. Staff permitted the intruders into the building and allowed them to connect to the computer system.

Though it was only a test, it aptly demonstrated that people are quick to trust those who look and sound like qualified professionals. The same scenario can occur over the phone or through email, and it is a popular form of cyber theft: it accounted for 35% of data breaches in 2019.

External sources are the culprit for the majority of cyber hacks, though internal data breaches do happen.

External sources cause most breaches; because the attackers have no affiliation with the company, the likelihood of their being caught is relatively low.

Internal attacks are much less common. When they do occur, misuse of issued credentials—the malicious use of existing privileges—seems to be the most prevalent threat. Employees can carry out a cyber attack through mishandling data, unauthorized access, email misuse, and installation and use of unapproved software. It may be possible to curb the threat of internal cyber theft through security measures such as access control, which limits each employee’s access to only the approved areas of the business.

Alarmingly, threat actors manage to hack into computer systems fairly easily. An “attack path” is the distance—literally and figuratively—a cyber thief must travel to complete a hack. In theory, a long attack path means that a system is more secure than one with a short attack path. But analyses of data attacks have shown that hackers often complete a hack in just one or two steps, meaning that they are targeting relatively insecure systems and/or environments, like those at small businesses, which typically have less network security than large companies.

The unfortunate outcome of many successful hacks is that businesses are extorted to the tune of thousands of dollars: the average loss due to a computer breach in 2019 was $7,611, while the average loss due to compromised email systems in 2019 was $24,439.

The good news? Money lost to ransomware attacks was fully recovered in 99% of cases.

How can you prevent a cyber security breach?

Cyber crimes are serious and all-too-common, but there are ways to secure your business’s online systems against a cyber breach.

Employee education is key to stopping cyber crimes.

If your employees know what to look out for, they can better avoid a would-be attack. Malware is a huge threat, but one that can be neutralized by not clicking on phishing emails or malicious online advertising. Phishing awareness training is a good place to start, as there are courses that detail how to avoid falling victim to fake emails.

With social engineering schemes on the rise, instituting a plan that ensures employees don’t give out personal data is a simple yet effective means of sidestepping scammers. Consider a cross-check system that requires employees to confirm with a manager any time someone on the phone or in person claims to be a hired contractor.

Because human error is the source of many attacks, regularly training employees on how to use computer systems is also important. Reducing accidental errors can increase cyber security.

Enable two-factor authentication to improve credential security.

Two-factor authentication (2FA) adds a layer of security to every login by requiring the user to provide information beyond a username and password, such as a question only you know the answer to, a mobile-push notification PIN sent to your phone, or even a fingerprint scan.

There are companies that can add 2FA to your online systems. Partnering with an expert is often smarter and more cost-effective than finding 2FA solutions on your own.

Add file integrity monitoring as a way to detect potential cyber attacks.

File integrity monitoring (FIM) is a technology that detects changes in files that might indicate a cyber attack. FIM is useful for detecting malware, as well as for achieving compliance with the Payment Card Industry Data Security Standard, a set of security requirements for online sites that accept card payments. Using FIM to shore up online payment forms is especially important for e-commerce businesses.

FIM is used to monitor for suspect changes on servers, databases, network devices, directory servers, applications, cloud environments, and virtual images. If FIM spots a potential attack, you are alerted immediately, enabling you to refer the situation to the relevant personnel to fix the issue.

Cyber crime is a serious threat, and one that will only grow increasingly prevalent. Left unprotected, your business might fall victim to such an attack, exposing sensitive business and customer data, and losing revenue as well. It’s critical that you implement security precautions to defend against hackers and stop attacks before they are successful.