Why do hackers target your company’s data? Well, some do it for fun, and some do it to make a social or political point. But as you’ve probably guessed, most are in it for the money.
With the WannaCry attack alone netting the perpetrators £108,000 in Bitcoin, hacking is big business. That’s why, if it were ever true, the popular image of a geeky loner working from a dingy basement bedroom certainly isn’t anymore. Cybercrime is often conducted on a large scale by organised criminal gangs.
You don’t even need to be a decent coder to be a hacker. Basic hacking tools are available to buy for a few pounds on the dark web. These tools won’t get you past the heavily defended gateways of a large corporate network, but they might give you access to the credit card details of the customers of a vulnerable small business.
And in a worrying trend, major ransomware developers have started to create affiliate schemes, which means they provide more sophisticated hacking tools to wannabe hackers in return for a percentage of their profits.
If this all sounds deeply worrying, the good news is that most hackers focusing on small businesses are still looking for easy wins. Make your business a hard nut to crack and they will just move on. With that in mind, here are three of the most common cyber attacks threatening your business today, and what can be done to guard against them.
For hackers, phishing attacks are easy and cheap. For small businesses, they can be deeply damaging. In most cases, phishing attacks start with an email that purports to come from a legitimate business, and sometimes mimics the branding of that company in convincing detail.
The email will often urge victims to take immediate action to remedy a problem. In many cases, clicking on a link will take you to a sign-in page that looks entirely legitimate. But entering your details gives a criminal all the information he needs to commit identity theft and fraud.
Phishing is incredibly common: the latest Hiscox cyber readiness report finds that 32% of all data breaches involve it in some form, and companies are three times as likely to suffer a data breach through activities like phishing than through a technical vulnerability.
There are different types of phishing – deceptive phishing involves the kind of mimicry cited above, while spear phishing is a highly personalised attack that uses details like someone’s name and position to hoodwink them into giving away sensitive information.
The main defence against phishing is vigilance. Red flags to look out for include an email address with misspellings or strange characters, and an insistence on immediate action – whether that’s confirming details or clicking on an attachment. If you or your staff have any doubt about the legitimacy of an email or web page, contact the company concerned directly to see if it is real.
Another reason to guard against phishing is the part it plays in many ransomware attacks. Clicking a link or opening an attachment in an email can allow ransomware to install itself on a computer, and from there to spread to other devices on your network. Typically, the malicious code then locks you out of your files or systems until a ransom has been paid, usually in bitcoin or another virtual currency.
Ransomware attacks have increased by 97% in the last two years, with the average ransom demand over £800. The first defence against it is to know and heed the red flags for phishing mentioned above. But ransomware can also infect your network through other means, so install security software, patch and update all operating systems and applications, and back up your business-critical files regularly to the cloud or a portable drive.
This common hacking technique lets criminals view, modify and delete the data in an infected database. If that data includes sensitive company information or customer details, the hack constitutes a severe data breach.
SQL injections can be quite technical, but in layman’s terms involve manipulating a login form to gain access to a database or application. SQL injections have been around for a long time, so the first line of defence against them is to operate modern, trusted technology and keep it updated and patched.
After that, use input validation for all user-submitted data, limit the privileges that you assign to accounts and encrypt or hash passwords and other confidential information. SQL injections are still a threat, but a reduction in the number of successful attacks in recent years shows that, by following basic security rules, small businesses can do a lot to protect themselves online.
No matter how vigilant you are, protecting your business with cyber insurance will give you the reassurance that should the worst happen and hackers strike, your business can get back up and running quickly, and any loss of income or costs incurred are covered.
Basic security measures can help reduce the chances of your business falling victim to cybercrime, but they can’t take it away completely. Hackers are always looking for new vulnerabilities. That’s why a growing number of small businesses are investing in cyber insurance, so they are covered if the worst happens. Hiscox CyberClear cyber insurance has recently been rated the most comprehensive cyber insurance policy for small businesses. Find out more about Hiscox Insurance for small businesses.