More and more businesses are migrating to digital platforms, and the risk of cyber attacks has increased along with them. The past two years have seen many security breaches involving major corporations. Yet many small and medium-sized businesses believe that they are not a valuable target for cyber criminals or that they don’t have anything worth stealing. Well, they should think again!
The fact is that hackers are now targeting small businesses more often because they usually don’t have enough resources to protect themselves. This does not mean that small businesses need to spend a large amount of money to defend against possible attacks. Even with limited resources, they can protect their business and its valuable information from cyber criminals. In fact, the Symantec Threat Report recently stated that approximately 82% of security breaches could have been avoided if the companies had followed a simple cyber security plan.
To start creating a cyber security plan, you must understand the internet security threats and learn how to protect your business from them. To assist you, the National Cyber Security Alliance, which is partnered with the Department of Homeland Security, the Federal Bureau of Investigation, the National Institute of Standards and Technology, Microsoft, Symantec, McAfee, CA, AOL, RSA, and the Small Business Administration, has developed a list of the top 5 cyber threats that small and medium businesses shouldn’t ignore. The list also explains how the threats can affect your business and the steps you can take to make sure they don’t.
Here is a summary of the top 5 threats:
1. Malicious code
The code can cause damage to a computer system.
The 2006 FBI Computer Crime Study stated that malicious software programs (spyware, Trojan horses, viruses, worms, etc.) are a primary cause of security breaches. Businesses face an average loss of $69,125 per incident. The software is often disguised as, or bundled with, non-malicious software. It can damage the computer system, delete important files, steal critical passwords, or disable security software so that the hacker can obtain customers’ or employees’ private data. These types of programs are usually used by criminals for financial gain.
Recently, a northeastern manufacturing company won important contracts worth several million dollars to make measurement and instrumentation devices for NASA and the US Navy. But one morning, the employees were unable to operate the company’s computers and received a message that the system was under repair. Soon after that, the server crashed and wiped out all the company’s tools and manufacturing programs. The manager was unable to get hold of the backup tapes and found that even the individual workstations had been cleaned out.
The company’s CFO acknowledged that the breach had destroyed all the programs and code generators that allowed the firm to develop its products and lower its costs. The company suffered a loss of millions of dollars, lost its position in the industry, and had to lay off 80 employees. However, the company received some consolation after the cyber criminals were arrested and convicted.
To ensure the same doesn’t happen to you, follow these tips:
- Install and use anti-virus programs, anti-spyware programs and firewalls on all operating systems.
- Make sure that your computers are protected by a firewall. The firewalls can be either built into the wireless system or a software firewall that is combined with many anti-malware programs.
- Keep your computer’s software up to date and apply the latest patches (operating system, anti-spyware, anti-virus, anti-adware, firewall and other office automation software).
2. Stolen/lost laptop or mobile device
Yes, a stolen or even a lost laptop is the most common way to lose important information. The 2006 FBI Crime Study reported that a stolen or lost laptop usually results in a loss of $30,570. The loss can be higher if the incident involves a big business or if the company is required to notify its customers about the incident. The company’s reputation can also suffer, and it may lose the loyalty of its customers and even face legal liability.
Last year, an employee of the Department of Veterans Affairs took his laptop home. The laptop, which contained the medical history of approximately 26.5 million veterans, was stolen in his absence. Thankfully, the laptop was found and the data was not used, but the VA had to inform all 26.5 million veterans about the incident and also faced Congressional hearings and public scrutiny.
Other lost or stolen laptops have also been the cause of data breaches. For example, a laptop holding the records of 250,000 American customers was stolen from a car. A laptop belonging to the Providential Health Care Hospital system, which held the medical records of thousands of patients, was also stolen.
- Always protect your customers’ information when transferring it to any portable device by encrypting all data. Encryption programs encode sensitive information and make it unreadable to outsiders. The information can only be opened with a password or an encryption key. If a laptop is stolen or lost, it is then unlikely that the cyber criminal will be able to read the important information.
- Encryption features are usually included in financial and database software. Check your software’s owner’s manual to find out whether the feature is available and how to turn it on. Sometimes, additional programs are also required to properly encrypt information.
3. Spear phishing
A spear phishing attack uses an email that appears to be from someone you know. In reality, it comes from a hacker who is interested in your bank and credit card information, passwords, and other sensitive data. The email may seem genuine to employees and members of the company, but the sender’s information will be fake or spoofed. Traditional phishing methods work to steal information from individuals and gain access to a company’s computer system.
If an employee opens such an email and responds with a username and password, or clicks on any of its links or attachments, they may be putting your business or organization at risk.
A medium-sized bicycle manufacturing company relied heavily on email for its business. The company developed bikes that were used in races and received around 50,000 spam emails per day. The company had installed many spam filters so that employees would not open suspicious-looking emails. But even with these precautions, many phishing emails still reached employees. Recently, an employee received a spam email which looked like it came from the company’s IT department and asked the employee to confirm the “administration password.”
Luckily, the employee contacted the line manager for the password, probed further, and realized that the email was a scam. This incident did not result in any financial loss, but it could have caused huge damage if the employee had not been alert enough to investigate the email.
- Instruct employees not to open any spam email or pop-up window that claims to be from a business or organization you deal with. The sender may claim to be anyone: your internet service provider, online payment service, bank, or even a government agency. Genuine companies won’t ask for passwords or other sensitive information over email or through a link.
- If an employee receives an email that asks for sensitive information, he or she should not respond to it. Instead, the employee should contact the manager or simply call the person who supposedly sent the email directly.
- It is also important to keep your employees updated on what a spear phishing email will look like and make sure that they don’t respond to any suspicious looking email.
4. Unsecured wireless internet networks
Although wireless internet networks give businesses an opportunity to operate their network with minimal infrastructure or wiring, there are many security risks associated with wireless internet service. If your business computers are running on an open wireless network, hackers and fraudsters can easily get into your computers and steal sensitive data.
But many businesses don’t take the necessary measures to secure their wireless network. The Symantec / Small Business Technology Institute Study also stated that around 60% of small businesses are using open/unsecured wireless networks. Also, many other small businesses are not using proper wireless security practices to protect their operating systems. An unsecured wireless network can help hackers get into your computers easily and create havoc.
The biggest data breach was pulled off by hackers using an open wireless network. According to the news, the financial data of a global retail chain’s customers was stolen by hackers who used the company’s wireless network, which was secured using the lowest form of encryption available.
In 2005, two hackers used a telescope wireless antenna from the parking lot of the targeted store to decode the data sent between hand-held payment scanners. This enabled them to get hold of the company’s database and the credit and debit cards of approximately 47 million customers. It is also said that the hackers had access to the credit card database for more than 2 years.
The retail chain used the oldest available encryption method, Wired Equivalent Privacy (WEP), which, according to technology experts, can be easily hacked in less than a minute. The security breach has cost the company $17 million, with $12 million in one quarter alone, or 3 cents per share.
- Always make sure to change the default password when setting up a wireless network. Most network devices, including wireless access points, come pre-set with default administrator passwords for easy set-up. These default passwords are easily found online and provide no protection. If you change the default passwords, cyber criminals will have a tough time taking over your device.
- Make sure to encrypt your wireless network with WPA (Wi-Fi Protected Access) protection. Although both WEP and WPA encrypt information, WEP is considered outdated and less effective than WPA. Encryption protects your data from anyone who is monitoring your network and trying to view the data on your system.
5. Disgruntled employee threat
A past employee, especially one who is annoyed with your company, can pose a serious danger to your business. Insiders usually have direct access to the company’s critical information and can easily steal it and sell it to your rivals. They are also able to delete important information, causing permanent damage.
An ex-employee of a company, which handled flight operations for major automotive companies, erased important information about the company’s employees two weeks after he resigned. The company suffered a loss of $34,000.
The reports suggested that the employee was offended at being removed from his position earlier than expected. Reports also indicated that the ex-employee was one of the three workers who knew the login and password for the firewall that protected the employee database.
- Split critical functions and responsibilities amongst employees in such a way that no individual can harm the company without help from other employees of the company.
- Keep a strict password and authentication policy. Always ensure that employees use passwords which contain both letters and numbers.
- Make sure to change passwords every 90 days, and delete employees’ accounts or change their passwords after they leave your company. This will make it difficult for annoyed employees to damage your system after leaving your company.
- Always perform background and education checks to make sure that you are hiring good and reputable employees.
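The account tips above can be checked routinely with a short script. The following is an added example, not part of the original list: it audits an account export for enabled accounts of departed employees, passwords older than 90 days, and shared passwords (such as the firewall login in the case above) that have not been changed since someone who knew them left. The CSV layout, account names and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90           # rotation interval from the tips above
SAMPLE_TODAY = date(2024, 6, 1)      # constructed audit date

# Constructed sample export; column names and accounts are assumptions.
SAMPLE_ACCOUNTS = """\
username,enabled,password_changed,left_company,shared_with
alice,yes,2024-05-20,,
bob,yes,2024-01-02,,
carol,yes,2024-04-01,2024-05-15,
dave,no,2023-11-30,2024-02-01,
fw-admin,yes,2023-09-10,,alice;bob;carol
"""


def audit_accounts(csv_text, today):
    """Return (username, finding) tuples for accounts that need action."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Departure date of everyone who has already left the company.
    departed = {}
    for r in rows:
        if r["left_company"] and date.fromisoformat(r["left_company"]) <= today:
            departed[r["username"]] = date.fromisoformat(r["left_company"])

    findings = []
    for r in rows:
        user = r["username"]
        if r["enabled"] != "yes":
            continue  # disabled accounts cannot be used to log in
        if user in departed:
            findings.append((user, "departed employee, account still enabled"))
            continue
        changed = date.fromisoformat(r["password_changed"])
        age = (today - changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password {age} days old"))
        # A shared password stays known to anyone who left after it was set.
        for holder in filter(None, r["shared_with"].split(";")):
            if holder in departed and changed <= departed[holder]:
                findings.append((user, f"shared password unchanged since {holder} left"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{user}: {finding}")
```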