As a business owner, our tendency is to focus on what crisis we’re going to resolve today. What fire we’re going to put out first. Business coaches will tell you the importance of planning, forecasting and trying to predict the future. But, many days, reality hits you smack in the face before you even walk in the door.
All that said, there are some potential future problems that are easier to plan for and prepare for than others. One of the biggest risks facing business owners today is cybersecurity. You may think that because you’re a small to medium-sized business that this is not a huge risk factor for you. But, there are often other consequences to consider. A security breach not only affects your stolen data, but it also affects your staff’s productivity, impacts your reputation and you can potentially even be facing fines due to non-compliance issues.
But, as you read on, you will learn that hackers don’t always target just the big guys.
Malware and Ransomware
Malware continues to grow at an alarming rate, with hacking techniques becoming more sophisticated and inventive every day. Most of us have a vision of hackers sitting in a dark, little room in the back of an abandoned warehouse. While small malicious attackers certainly do exist, in some cases, state-of-the-art, network-based, automated ransomware and malware have totally removed actual humans from running malware campaigns. Not only is malware technology becoming more sophisticated—it’s becoming more sophisticated in evading detection. The technology and methodology for encryption are outpacing the technology to prevent malware. These attackers are also using legitimate technology like cloud services and internet services, such as Google and Dropbox to launch malicious attacks that are practically impossible to detect until it’s too late.
- Avast Threat Labs reports that some Android smartphones have malware or adware already built in
- Lenovo was preloading adware Superfish on its laptops
- Kaspersky Lab Solutions blocked nearly 800 million malware attacks
- Web Anti-Virus detected almost 283 million unique URLs identified as malicious
- Our File Anti-Virus identified over 187 million unique malicious unwanted objects
How Do Data Breaches Occur?
A data breach occurs whenever information is taken or stolen from a system without the knowledge or permission of the owner of that system. As technology advances, hackers are finding more gateways into all systems, from individual users to small businesses to mega-corporations.
Many business owners may become somewhat complacent. You may ask, why would a hacker bother with us? We’re not a huge mega-corporation like Facebook or Marriot. We only have data related to our business—we don’t have client information. The true motivation with hackers is, sometimes it’s not the actual data that’s important to them—it’s what they can do with that data.
With the use of Artificial Intelligence (AI), even though you may not think your information is important, hackers can use your seemingly innocent data for nefarious purposes. Often used with data mined from other sources hackers can, for example, “guess” social security numbers, passwords to bank accounts or other financial institutions. And sometimes it’s as simple as they will hold your data for ransom, demanding money to restore your data.
Clear back in 2009, researchers from Carnegie Mellon predicted:
“Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs.”
There are also concerns that by using this stolen data, AI will be able to mimic human speech patterns, preferences and behaviors to create more realistic-seeming phishing scams.
How Do Data Breaches Affect Consumers?
Stolen data is used mainly in targeted email phishing scams and identity theft.
- According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (from Accenture)
- There are around 24,000 malicious mobile apps blocked every day. (from Symantec)
- 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (from Malware Tech Blog)
- In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber-attacks. (from Symantec)
Some of the Biggest Breaches
- Facebook
- Hundreds of millions of unencrypted passwords were visible to Facebook employees. Facebook claims that there is no evidence that this data was used for malicious purposes
- 30 million user’s personal information was exposed in a computer network attack in 2018
- Of that 30 million, 14 million users had their names, contact information exposed. But more importantly, sensitive information including gender, recent location check-ins and relationship status was also compromised
- An additional 15 million had their names and contact information exposed
- Another 1 million had their access tokens (used by users to log into their accounts without using their password) revealed
- This attack took advantage of a weakness in a series of bugs in a Facebook feature
- A British Analytics firm was able to access data from 87 million users without their permission in 2014
- Facebook removed 559 pages and 251 accounts that they claim broke their spam rules in late 2018
- Marriot / Starwood Guest
- At least 500 million guests affected by a security breach found in 2018
- Unauthorized breaches were discovered as far back as 2014
- For nearly 327 million guests the breach included a combination of name, phone number, email address, mailing address, date of birth, gender, Starwood Preferred Guest account information, arrival and departure dates, reservation dates and communication preferences
- Under Armour
- Under Armour purchased MyFitnessPal in 2015 for $475 billion
- Data of 150 million users of the MyFitnesPal diet and fitness app were compromised
- The breach included users’ names, passwords and email addresses
- Yahoo
- 3 billion accounts were hacked in the course of 3 breaches from 2013 to 2016
- Although Yahoo knew of the earlier breaches, it didn’t disclose the information until 2016
- Yahoo is facing a class action lawsuit that claims Yahoo failed to protect the data of its users
- T-Mobile
- About 2 million users were affected
- Data stolen included, encrypted passwords, account numbers, email addresses and billing information
- An international group of hackers accessed T-Mobiles’ servers through an Application Programming Interface (API). Basically, an API is an access point or link to a database that allows application to “talk to each other.”
- Wendy’s
- In 2015-2016 more than 1 million credit cards were compromised at more than 1,025 Wendy’s locations affecting 7,500 financial institutions
- Cybercriminals were able to install malware on Wendy’s point-of-sale credit card systems
- Wendy’s recently agreed to pay $50 million to a group of financial institutions for their costs related to the breach
- A consumer class action lawsuit was settled for $3.5 million
How are Cybercriminals Getting In?
According to Kaspersky Labs, in early 2018 the biggest vulnerability was found in the Microsoft Office products (Word, PowerPoint, Exel, etc.) with just over 47 percent of the total share. Other big offenders providing cybercriminal access are internet browsers at 23.74%, followed closely by Android devices at 20.68%. While some of these issues have been resolved, cyberhackers are smart and clever and always looking for new vulnerabilities.
Cybersecurity Risks
Many business owners are so busy running their company, that cybersecurity isn’t even on their radar. But statistics show that cybersecurity should be at the top of their to do lists. Not only is your business at risk for losing all your data, but you could also lose credibility with your customers/clients. A recent study by Ping Identity surveyed over 3,000 people in the US, UK, France, and Germany to analyze the attitudes and behaviors of consumers regarding data breaches.
Here’s what they found:
Internet of Things (IoT)
IoT technology is advancing so quickly that some manufacturers have either taken shortcuts or ignored vulnerabilities in their products in the rush to get them on the market. This new technology has provided hackers an open door into your systems.
So, what is IoT? IoT is simply any physical device that can be connected to the internet. Basically, that means any device that can collect information and send it and devices that can receive information and do something with it. And as we learned earlier, the internet is the second most used port of entry for malicious attacks.
Many of us are familiar with some obvious devices such as computers, laptops, smart phones, tablets, Bluetooth headphones and speakers and baby monitors. It’s estimated that there are tens of billions of these devices across the globe. Here’s a list of other devices that are also included in IoT.
- TVs
- Home appliances
- Thermostats
- Home lighting
- Security systems
- Industrial sensors
- Fitness monitors and apps
- Toys
- Recording devices
- Drones
- Smart car alarms
Why Does IoT Pose a Security Risk?
Aside from the broad risk of being connected to the internet, there are some other risks that are not obvious or well known as a data breach. All these tiny computers in these IoT devices are vulnerable to malicious hackers. These vulnerabilities include unencrypted communications, weak passwords and insecure web interfaces. Many users never change the password from the factory setting. Imagine those vulnerabilities multiplied by tens of billions!
In 2016, in order to gain an advantage over other players in the online video game Minecraft, three young men created two botnets that targeted IoT devices. These botnets hijacked and gained control of nearly 65,000 devices in the first 20 hours and grew to somewhere between 200,000 to 300,000 devices. All of these hijacked devices became part of the Mirai and Clickfraud botnet schemes.
The Mirai botnet was used to cause several “distributed denial-of-service (DDOS) attack. A DDOS attack happens when many computers (IoT devices) act together to flood targeted computer(s) or server(s) with malware. Originally created to slow down Minecraft competitors’ servers, Mirai quickly became something much more dangerous. At its peak Mirai was able to disrupt internet service to most of most of the eastern United States. And there was concern that Mirai would be able to interfere with the 2016 election and media coverage.
The Clickfraud botnet was used to commit advertising fraud, specifically “clickfraud.” Clickfraud works by making it appear that a real human user has clicked on an ad in order to falsely generate revenue.
The Dyn botnet attack was able to disrupt internet service for major websites such as Netflix, Paypay, Amazon and Reddit.
What’s Does the Future Hold for Cybersecurity?
While much of this must seem like doom and gloom, there are steps that you as a business owner can take to protect your business from data breaches and malware. As we reviewed in this article, technology if advancing at light speed and hackers are becoming cleverer in their methodology.
Here are 5 Steps a Business Owner Can Take to Thwart Cyberattacks
- Recognize that size does not matter to Cyberhackers. No business is exempt from cyber-attacks. As a business owner, it’s not a matter if a cyber-attack will happen—it’s a matter of when
- Hire a reputable IT Security provider. Spry Squared can assess your system’s vulnerabilities, make recommendations and implement cybersecurity best practices
- Working with your trusted IT advisor, create a plan. Spry Squared will work with you and/or your IT manager one-on-one to craft a customized cybersecurity plan that is best for your business. Once your plan has been implemented, we monitor your systems and are able to spot abnormalities and take preventative measures. Additionally, we ensure that all data is continuously backed-up
- Create and enforce cybersecurity protocols within your organization. All the preparation and preventative measures you undertake will be rendered useless due to human error if untrained staff do not follow cybersecurity best practices
- Regular updates to your hardware and applications are a must. Cybercriminals are always looking for new ways to break into a system. But they continue to exploit existing known vulnerabilities. Typically, when a vulnerability is discovered, a security patch is released to “fix” it. However, if you don’t update with the security patch that leaves an “open door” for hackers
If you’re ready to take your Cybersecurity risk seriously, contact the IT Security experts at Spry Squared. You’ve got nothing to lose if you do—and everything to lose if you don’t! Call us today at 720-724-7730.