Why SMEs Are No Longer Safe from Hackers (And What to Do About It)

The fact that cybercrime is on the rise isn’t lost on most businesses, with security spending expected to cross the $1 trillion mark from 2017 to 2021, according to CSO. But despite this huge figure, small businesses will be hard-pressed to adequately invest in IT security due to budget constraints, making them a juicy target for modern hackers.

Then again, if health insurance companies as big as Anthem and Excellus can get hacked (78 million and 10 million records were breached, respectively) and even law firms as big as Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP succumb to attacks, what makes small businesses safe from hackers, anyway?

How do hackers breach big companies?

Hackers often infiltrate big companies through smaller companies providing legitimate services to the target companies.

When Target was hacked in December 2013, the data breach compromised the personal information of around 110 million customers. Sales dropped as a result, lawsuits against Target piled up, store closures and layoffs occurred, and their CEO resigned. Hackers were able to infiltrate the big retailer’s system through a third-party vendor – an HVAC company. Afterward, they injected malware into the point-of-sale terminals.

Home Depot succumbed to what the authorities believe was a similar infiltration tactic to the Target attack – through a part of their network that was accessible to third-party service providers. The hack compromised the credit card information of 56 million customers, plus approximately 53 million email addresses.

So how can a company as big as Home Depot, supposedly with enough funds to invest adequately in IT security, be infiltrated?

According to a Fortune.com report: “[…] the hackers accessed the retailer’s POS system through usernames and passwords they stole from a refrigeration contractor’s electronic billing account.” This breach went on for five months before it was detected.

The Goodwill breach lasted for 18 months. The gateway was their third-party payment vendor. America’s Thrift Store was breached, too, via the software used by an outside service provider.

Bottom line, many of these large hacks can be traced back to smaller companies that contract business with the larger enterprise companies – they served as the gateway.

Nova Daly, senior policy advisor at Wiley Rein LLP, said during a House Small Business Committee hearing in July 2016:

“While large U.S. businesses typically have the means to fund and invest in strong and resilient cybersecurity measures to protect their interests, small businesses generally do not have this luxury. They often lack the capabilities and/or the resources to pursue strong, entity-wide cybersecurity protections. Further, small businesses often may not be privy to the kinds of broad, industry-wide threat notifications to which larger companies may be. Often, larger companies have the resources to continually monitor and review threats that may arise from certain technology and supply chains, and at times are contacted by the U.S. government when breaches occur.”

When startups are targeted directly

Ashley Madison, a business that holds damning client information, could have invested more in IT security. After all, keeping unflattering secrets secure is its main value proposition. And yet, in July 2015, hackers shut Ashley Madison down and released its clients’ sensitive information after only a single attack. The company has never recovered.

The once-promising Australian startup Distribute.IT was brought down by a hacker in two weeks, while the cloud-based source code repository company Code Spaces was shut down in a denial-of-service attack. Those businesses never recovered either.

Social engineering and email

Pundits have been predicting the demise of email for years, particularly with the increasing adoption of social networks in the corporate setting, alongside other communication channels such as real-time chat and video calling. But email continues to be a staple in business communication, and the number of worldwide email users is expected to continually increase by 3% year over year until 2019, according to a report by The Radicati Group.

This being the case, it’s no surprise that email is a hacker favorite for duping unsuspecting users into clicking malware-injected links or downloading malicious files, which then allow the attackers to infiltrate company networks, as in the Sony hack, where fraudsters used phishing emails.

These Business Email Compromise (BEC) attacks use imposter emails that reflect a deep understanding of people’s roles and messaging patterns within a target organization.

“BEC attacks are particularly common in small businesses where audits and reconciliation procedures may be less frequent,” explains RPost CEO Zafar Khan. “If a hacker can trick a back-office employee into wiring money or sending a company check, the financial crime may not be detected until months later.”

What lessons do these tales of woe impart?

  • Instead of going straight to the bigger companies, hackers infiltrate them through smaller vendors. Smaller businesses are the new favorite target, especially those connected as contractors to bigger networks.
  • Investing in IT security is no longer optional or a good-to-have. It is an absolute essential for any business, especially one that stores customers’ sensitive information.
  • Email is the most common and preferred entry point for hackers.
  • Hackers take advantage of human error to infiltrate systems.

How can you protect your business?

  • Invest in cybersecurity. Accept that every business can be attacked, so map out your action plan with this in mind. Use cybersecurity tools that scan for viruses, spyware, and malware. Ensure your network has a strong firewall, and require your employees to use strong passwords in addition to two-factor authentication.
  • Keep just the right amount of customer information in your database. Get rid of irrelevant customer data. More isn’t always better.
  • Secure the most common entry point: email. Focusing your campaign on email is a good place to start, and email encryption should be standard procedure. Email encryption services you can look into include RMail, HP SecureMail, Symantec, DataMotion, Sendinc, and GhostMail.
  • Train your employees on cybersecurity. For starters, government sites such as Small Business Administration and the Center for Development of Security Excellence provide online security tutorials for free.

Final word

Hackers are an organized entity, hitting where it hurts regardless of business size and the industry you’re in. It pays, therefore, to step up your security game. Otherwise, you risk falling victim to an attack – or worse, serving as the conduit for your clients to suffer an equally debilitating attack.