A cybersecurity breach isn’t something that only happens to other businesses: tens of thousands of websites around the world are hacked each day and the number of new malware strains runs into tens of millions per year.
Hackers are after logins that give access to a money trail, or customer data, or corporate strategies, secrets, and intellectual property; others simply seek to disrupt services.
For hackers, it’s all about finding and exploiting weak links - many of them human, some of them technical. They take advantage of human frailty in the form of lazy, or predictable, or gullible behaviour, finding ever more creative ways to entice people to visit increasingly realistic fake websites, or be conned by elaborate spoofs. Organisations are at fault too: software developers and original equipment manufacturers don’t always incorporate adequate security features into their products, leaving users vulnerable to attack.
So how do hackers gain access?
- Server scanning. Hackers remotely scan the servers of the targeted company, looking for an entry weakness through which they can deploy commands that will cause the system to crash before executing their own code.
- Wi-Fi vulnerability. Most businesses have secure Wi-Fi, but hackers exploit careless employees who use open wireless networks when out of the office.
- Phishing and social engineering. Simple phishing indiscriminately delivers emails containing an attachment or link that automatically downloads malware if opened; they have been moved up a peg using social engineering techniques, targeting specific employees with a seemingly business-relevant attachment or link, or one tailored to the employee’s personal interests.
- Infected websites. Websites which are likely to be used by a company are targeted: hackers look for weaknesses on the website, using them to embed code that will infect visitors to the site.
- Planting code into web-entry databases. Web-based forms that are used to collect and store a user’s details may be targeted by hackers who, instead of entering the expected personal details, input code that will be executed rather than stored as inert data.
- Stealing or guessing passwords. Stealing passwords involves trickery: users receive a fake email asking them to reset their password using an enclosed link. Guessing passwords is easier than it sounds: 90% of passwords are drawn from a list of only 1000 variants.
- Stealing IDs from third-party sites. Knowing that some people use the same usernames and passwords for both work and other websites, hackers look for employees of the targeted company on third-party sites and attempt to steal the details from there.
- Hijacking email accounts. After researching the background of a targeted employee, hackers prepare a list of possible answers to security questions and use the company’s password-reset mechanism to change the password and access their email account.
- USB devices. Even when formatted, some USB drives can appear completely empty, so memory sticks loaded with malware is one way hackers use to gain entry. Another is using USB to connect devices which can spoof a network card to divert internet traffic and record keystrokes – that nice rep that has asked if he can charge his smartphone on a company PC could, in fact, be hijacking passwords.
- Inside jobs. Financially desperate or disgruntled employees, undercover recruits and on-site service providers constitute an ever-present threat from within.
Foiling the attempts of hackers requires a systematic approach; in the same way that you wouldn’t lock up your premises at night and leave the windows open, every potential entry point needs securing.
How to protect your business
Ensure that all employees are trained about potential security threats and that they use strong, unique passwords – the same password should never be used across different accounts. Always use the latest version of your operating system’s software, as well as that of your browsers: out of date add-ons are targeted by hackers as a way to redirect those browsers and siphon off user data. Antivirus software should be set to update automatically; alternatively, updates should be downloaded only from the developer’s site, not from links in pop-up reminders. Think backups and encryption.
The adage that prevention is better than cure couldn’t be truer here; undoing damage after a security breach can be – at the very least – time-consuming and costly. Building business systems without information security measures is asking for trouble; without defences, it's really just a matter of time before your business gets hacked.
The solutions are out there and their implementation is straightforward. Now is the time to review your security provisions…before the cybercriminals do.