Cybercrime is a real threat for small and medium businesses and it can cost your business hundreds of thousands of dollars if it happens to you. Here’s what you need to know to recognize and prevent cybercrime.
Cybercrime is an issue all businesses, regardless of their size, need to pay attention to. Although cybercrimes that make the news usually involve very large, well-known companies and institutions, small businesses and the self-employed are equally vulnerable to hackers. Yet, many SMbs are slow to implement cybersecurity measures. According to a Keeper Security Cyberthreat Study, that’s because as many as 73% of small businesses think a cyber attack is unlikely to happen to them.
Another reason is that small businesses tend to underestimate the losses they’d incur if they were hacked. According to AppRiver’s Cyberthreat Index for Business Survey, small-to-medium-sized businesses (SMBs) are likely to underestimate the impact a cyber attack could have on their business and often haven’t done much to improve their cybersecurity.
According to the survey, about two-thirds of small businesses with fewer than 50 employees indicated they believed the total loss they might incur from a cybercrime would be less than $25,000. Half thought the loss would be under $10,000. But in reality, the report says, the average cost of a data breech for small businesses in North America is $149,000.
Unfortunately, small business owners often disregard cybercrime statistics. Somehow, they believe, statistics are just cold numbers that happen to other businesses. They assume or hope their computers won’t be hacked. And that’s a costly attitude to take.
What is Cybercrime?
Cybercrime is criminal activity that takes place through computers, computer networks, smartphones and devices connected to the Internet. The actual crimes are varied. Some of the common cybercrime are data theft, phishing scams, ransomware, identity theft, computer viruses, financial crimes, and denial of service (DDos) attacks on computer systems and networks.
Troy Gill, manager of Security Research at AppRiver, cites an incident in which a small medical company had all of their workstations encrypted with ransomware overnight. “They were completely unable to continue business operations in this state and had to turn patients away,” explains Gill. “The attacker was demanding $60,000 to provide the key to decrypt the workstations. The company spent most of that first day trying to reschedule patients and find a consultant who could come on site right away to help.
“Next,” says Gill, “they spent several days attempting to restore from backups and recovered a significant portion of the files. However, many critical files were still encrypted with no suitable backup.” They negotiated with the hacker and got the ransom cut in half. But still, that particular incident cost the company $30,000 out of pocket plus four full days of lost revenue.”
For larger SMBs, the losses can go far above the national average, too. Gregory Kelley, Chief Technology Officer at Vestige Digital Investigations says that in one cybertheft, a company was the victim of a business email compromise that caused them to wire over $1 million in payments to a hacker’s account instead of having the money go to the vendor they thought they were paying.
It’s not only businesses with employees that get attacked either. Freelancers and the self-employed also are victimized by viruses placed on their computers or ransomware attacks.
How Do Hackers Get into Your Computer?
Hackers constantly seem to find new ways to break into computers or gain access to sensitive data. Formjacking, for instance, “is a trending threat,” says Kevin Haley, Director of STAR Product Management, Symantec Corporation. “It grabs credit card and identity information when you fill out a webform. It’s almost impossible for a victim to detect without a good security software.”
But most cyber attacks use methods that are not new. Here are some of the most common:
Social engineering involves tricking an individual into clicking on a link, opening an attachment, giving out critical information or even computer access to the hacker. It is one of the most common methods crooks use to hack into computers.
One typical examples of this technique includes sending phishing emails which look like a company or financial institution you do business with alerting you to some critical problem. The email will tell you to click a on a link and provide information such as a password or other confidential information. The hacker then uses or sells the information you or your employee have provided for identity theft or to break into your computer, website, or financial accounts. Another common hack is to run enticing ads or send out emails that pique the recipients’ curiosity and get them to click on a link that causes their computer to become infected with malware.
Similar tricks include impersonating the email address of someone you’d expect to get mail from or pretending to be part of an automated notification system. Just recently, for instance BusinessKnowHow.com started getting emails that spoofing a voicemail system.
Unencrypted Public WiFi
Another common way hackers gain access to sensitive information is through public WiFi networks. When you use a public network the data you transmit (in other words, the information you type or view) is often unencrypted and unsecured. As a result, a cybercriminal could intercept your data and get your passwords, login name, links to financial or other sensitive sites, and any other information you enter. This type of interception is called a Man in the Middle attack.
Remote desktop connections that let you log in remotely to a computer can also be a hazard if they aren’t secured in some way.
Outdated or Unpatched Software
It’s not unusual for computer software and website building software (such as blog software) to contain vulnerabilities that let hackers gain access to the system. Major providers of such software issue patches and updates that fix the vulnerabilities when they become known. But often computer users and website owners don’t install the updates, leaving their systems and sites vulnerable to attack.
Weak Username and Password Combinations
Hackers know that it can be difficult for computer users to remember usernames and passwords, and that they often use very simple or easy to remember combinations (Admin as the username and PASSWORD as the password, for instance). The hackers also have software they can use to generate what’s known as brute force attacks, which use software and trial and error to try to find a username/password combination that will give them access to your system. Short, simple passwords are easy for such software to discover.
Reusing Passwords and Usernames
Reusing the same or very similar passwords on multiple sites is dangerous and unfortunately common. One study of more than 28 million users showed that 52% of people used the same or nearly identical passwords for different services. The reason reusing passwords is so risky is that if a cybercriminal gets access to your information from one service, they can use that information to try to break into other accounts you own such as your bank account.
Failing to Change Passwords
Passwords and computer accesses that are left unchanged when an employee quits voluntarily or is fired is yet another way for criminals to attack systems. The unauthorized ex-employee access could come from a company other than your own, too. If you have someone else build your website, for instance, and an employee at that company with password access to your site leaves, they could login to your site and take it down or place malware on it if the company they worked for doesn’t change their password or take other steps to limit their access to your site.
How to Prevent Cybercrime Attacks
Although hackers are cunning and always devising new ways to commit crimes, successful attacks are frequently the result of user error. Ignorance, carelessness or disregard for basic cybersecurity safeguards are often at the root of data theft and other cybercrimes.
You can minimize the risk that your business (or you personally) will be a victim of a cybercrime by implementing these strategies:
Use Firewalls and Antivirus Software to Protect Your Devices
Your computers, smartphones and tablet should all be protected with good antivirus software no matter what operating system they use. Be sure that you check for updates regularly and renew the antivirus software subscription each year. If you have multiple devices (as most people do) look for virus software that will protect more than one device on a single subscription.
Protect Your Computer and Mobile Devices from Unauthorized Access
Use strong password or biometrics to help lock out unauthorized users. If you fail to do so, losing your computer or mobile device could allow someone access to all the data, contacts, and links you have stored on the system. Similarly, in an office, anyone who could get near a computer could gain access to its data if it’s not password protected.
Avoid Easy-to-Guess Passwords
To keep cybercriminals out you need to create strong passwords that are unique for each device you use and each service or site you access. Don’t use your name, business name or other words that someone wanting to break into your system might guess. Ideally, your passwords should be at least 8 characters long and contain a mixture of uppercase, lower case, numerical and other characters. If you’re using WordPress, the software can generate a strong password for you. If you think you’ll forget the passwords, use password management software. The antivirus software you use may include a password manager.0
Don’t Fall for Fear Tactics
“Websites with malware are a major source of infection (more than email),” says Brian LaBone, Senior Support Technician at Infoquest Technologies. “Pop-up messages on a website that say your computer is infected and that you should call an 800 number are still fooling consumers.” If you get popup of that type, do not call the 800 number, he advises. “Close your browser window, restart your computer and clear your browsing history.”
Do not call the 800 number in the popup even if you can’t close the web browser or if the popup shows up again when you restart your computer. Calling the 800 number will put you through to a criminal who will guide you through steps that will let them gain remote access to your computer. It’s after you give them that access that they plant the malware or virus on your system. If you can’t get the popup to go away on your own, call in a reputable IT person from a local company.
Use a VPN
VPN stands for Virtual Private Network. What a VPN does is encrypt the information sent to or from your device to prevent others from gaining access to it or seeing what you type or where you go on the Internet. Using a VPN is essential for security if you’re using public WiFi. It’s also advisable if you use RDP (remote desktop protocol) to log into a remote computer.
Be Careful What You Click and Open
Don’t click on links from people you don’t know, and don’t click on links in email or social media from people you do know if the link or context is something you wouldn’t expect from the individual. (A strange link from a friend or acquaintance may mean their account has been hacked.) Similarly, don’t open attachments from people you know, and don’t open attachments you don’t expect from those you do know. If unsure, pick up the telephone and call your acquaintance to see if they sent you something with an attachment.
Watch out for emails that contain links to accounts or services you regularly use, too. It’s not unusual for hackers to impersonate legitimate companies and organizations. Often they’ll pretend to alert your to a purchase or tell you your account has been compromised, and that you need to click a link to get or give more information. Don’t do it. If you think the email might be legitimate, open a browser and manually type in the URL you normally use to access that service (ie, don’t use the link in the email). Or call the institution to find out if they really did send the email.
If you receive a Facebook private message from a friend with a link that seems suspicious or out of character, think twice before you click the link. One common tactic hackers use is, once they have compromised a friend’s Facebook account, they send out private messages to all of the people in that person’s friends list containing a link that appears to be a video of you, but which is actually a link that downloads malware to your computer.
Use Two-Factor Authentication
Two-factor authentication is a means by which a second layer of security is added to prevent illegal access to accounts or systems. The way it works is that after someone logs into an account and enters the correct username and password, they will then be required to type in a verification code that is sent to a device the owner of that account possesses (a cell phone number or email address, for instance). If they don’t correctly enter the verification code that is sent to that device, they will be denied access to the account. Thus, if a hacker guesses or steals a username and password, they wouldn’t be able to access an account protected by two-factor authentication unless they also had access to the device to which the verification code is sent.
Backup Your Devices
Backing up all your files, photos and data on a regular basis may help prevent a disaster if you are hacked. If you have regular backups, your local tech support person (i.e., someone you know and trust) will be able to help you clear your device(s) and then restore files from a point before you were hacked.
Further reading: Take steps to prevent data breach