BreachExchange mailing list archives

Why Hackers Want to Attack Your Small Business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 Jan 2016 19:01:56 -0700

http://tech.co/hackers-want-attack-small-business-2016-01

First things first, I want to dispel the stereotype that hackers only want
to go after the “big fish”. What I mean is people tend to assume that
hackers only target big time corporate websites, such as Samsung, Amazon,
Apple, etc., that store tons of valuable customer and personal data. They
still certainly target these businesses, but a startling new trend is
emerging. Rather than investing time and energy to infiltrate more
fortified and secure enterprise websites, hackers are now starting to
attack smaller and vulnerable websites to do their dirty work. In fact,
Symantec recently issued a threat report that showed three out of every
five cyber attacks centered on attacking small businesses. This can be an
ominous trend for SMB and startup owners, but it certainly doesn’t mean
it’s the end of the world! Let’s learn more about what hackers really want
out of small businesses.

What Do Hackers Want From Me?

The question is why would blue chip hackers want to hack small businesses
such as yours? It’s pretty logical, really. You see, there are a lot of
misunderstandings about web security when it comes to small business
owners. Before we delve deep into why hackers want to access your website,
we need to understand the motivating factors for hackers to hack SMB
websites. To begin with, a huge mistake most small business owners are
guilty of is placing too much misguided trust into basic web security from
their hosting providers or content management systems. Even if your website
is powered by a hugely popular name brand CMS, such as WordPress, that
doesn’t make you totally exempt from potential attacks. Also, a great piece
of advice that everyone should adhere to is that cybersecurity is the
individual’s responsibility (not somebody else’s)! Protecting your customer
and personal data is solely up to you and this is a duty that should be
held with high accountability. It keeps me up at night wondering how many
countless websites I’ve potentially submitted personal data to and whether
or not those website owners take full responsibility for the security of my
private information.

Another large, but fatal, misunderstanding regarding web security for small
business owners is the dilatory, “I’ll worry about it when I get hacked”
mentality. However, the logic behind this thought process is extremely
flawed. Most small business owners or startups tend to overlook
cybersecurity due to several factors, such as the burdensome management of
a cybersecurity solution and the associated costs, but writing off
cybersecurity until it’s too late can have grave consequences. According to
Inc. Magazine, 71 percent of all data breaches targeted small businesses
with fewer than 100 employees. The real issue is that these attacks cost
roughly $36,000 in damages and lost revenue that small businesses had to
incur. To large enterprise corporations, $36,000 in average attack damages
might be just a drop in the bucket, but to SMB owners, this can cripple a
business. Cyber attacks can have a far more negative impact on smaller
companies as they typically do not have the proper resources, dedicated
information security specialists, or the capital to effectively counteract
all malicious intents to their website. The truly scary part is hackers
know this and want to take advantage of this more than ever.

So, this brings us back to the original question — why would hackers attack
your business, rather than a large corporation? Although there are a lot of
reasons why hackers want to hack your website, it’s pretty clear that most
small business owners aren’t fully prepared for a cyber attack. This is not
at all the fault of SMB owners, but more so a fault by design. Small
business websites contain just as much personal and private information as
large enterprise websites. The primary difference is that smaller
websites are just that much easier to gain access to and pilfer the desired
information from. Just to get in the head of potential hackers, people need to
realize that corporate websites might have more data in terms of sheer
volume, but will ultimately be heavily supported by an enterprise
cybersecurity solution. If you were a hacker, which would you choose to
hack? The answer is pretty simple.

What Can I Do to Protect My Website?

I just want to preface this section by saying that cybersecurity should be
treated as an ongoing task. Your job doesn’t end right after applying a
cybersecurity solution to your business. Hackers are always one step ahead
of everyone and are constantly developing new attack methods to grow more
sophisticated by the day. Not to mention, a large portion of web hacking
can actually originate from insider employees or disgruntled ex-employees.
For instance, Federal IT managers recently revealed that more than 45
percent of government agencies experienced insider attack attempts and 29
percent of these cases subsequently suffered from data loss. This just goes to show
the far reaching range of cyber attacks and the scale at which it can be
executed.

Luckily, there are some preemptive measures you can take to strengthen your
cybersecurity and potentially deter any malicious attacks from taking over
your business. The first step in building a better cybersecurity
environment is to fully accept the fact that your website is just as
vulnerable as any other company. Web attacks can happen to anyone; it’s as
simple as that. All the excuses you have for putting cybersecurity on the
back burner can really come back to haunt you. These excuses for delaying
website protection are the impetus for hackers to specifically target
smaller businesses such as yours. Changing your mindset that these
attacks can happen to you is a big step in the right direction.

Next, be careful who you grant administrative access to your customer or
personal data on your website. This is a crucial element to your
cybersecurity plan. As I mentioned above, in the case of US Government
cyber attacks, 45 percent of the attacks were launched by or originated
from insider sources. Just as you would never give your banking information
or PIN to any relative or friend, you need to treat customers’ and
your own personal information with the same high level standards. Also, in
terms of properly securing information with inside sources, ensure that
they are promptly trained about cybersecurity best practices and held
accountable for their actions. These days, users can easily find their
computers and/or network systems infected with malware just by clicking on
the wrong link on a website. This can be a stepping stone for hackers to
infiltrate your system remotely. I highly recommend reading these tips on
how to detect whether your system is infected with malware.

Lastly, since we are dealing with hackers or even remotely launched
malicious attacks, it is important to protect your website and web servers
(not just your actual end point physical computer). One great way to
protect your website is to utilize a web application firewall (WAF). WAFs
work to filter potential intrusions and web attacks BEFORE they affect your
website. This is a great preventative measure to keep your online data
safe. Additionally, most WAFs are also offered in cloud form, which can
help you implement a great website protection service for a fraction of the
cost and without any complicated installation.

Hopefully, this gives you a better understanding of how vulnerable your
small business can be to web attacks. It’s really up to you to be more
vigilant and take control of your own website. Remember, cybersecurity
isn’t just a set it and forget it type of process. Hackers these days might
not be as motivated to chase the big fish, but as the old saying goes, there’s
always plenty of other fish in the sea and this can’t be more true for the
world of cybersecurity. Don’t let your website fall prey to these dangerous
web hackers and get started with web security today!
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
