We have witnessed some horrifying data breaches over the last year. One of the worst was when a team of Chinese hackers penetrated the security of the Microsoft Exchange and accessed the accounts of over 250,000 global organizations. The Colonial Pipeline and SolarWinds were also victims to hackers.
While large corporations like these will continue to be targets for data breaches, small businesses are also at risk. Smaller companies can’t afford to be lax with their cybersecurity.
It’s hard to overstate the importance of data security. Depending on the type of business you run, a cyber-attack could mean much more than just consumer data being leaked. It could greatly reduce your company’s ability to operate, or even drive you out of business entirely. If you think this is hyperbole, then you are wrong. Research has found that 60% of small businesses file for bankruptcy within six months of a data breach.
Let’s take a look into some of the most common types of corporate cyber-attack in the market today, and what you can do to protect your company’s data.
The world of cyber attacks
There are many ways to classify cyber-attacks, but the most informative method is to classify them based on their objective. Cyber-attacks are usually perpetrated by bad actors looking to steal, extort, or disrupt.
Theft-focused cyber-attacks look to steal data, and they usually try to do it without leaving any traces. This is typically done as an act of corporate espionage, or in order to use that private data for profit. Consumer data can be sold in bulk on the black market for identity theft and credit fraud operations, for example. Hackers can do truly terrifying things with your data.
Extortion-based cyber-attacks are looking for ways to leverage money directly from the company they stole from. This is often achieved by stealing sensitive data and threatening to release it to the public, or stealing critical files and deleting the original, so the only way to get those files back is to pay the piper. These types of attacks are incredibly common and presumed to be under-reported, as big companies often pay up but keep quiet about it in order to avoid encouraging copycats.
The third motive for cyber-attacks is disruption, which involves attacking the company’s IT structure in order to make the systems less usable for either the company’s team, their end-users, or both. DDOS attacks fit this category, as do other acts of corporate sabotage. Disruptive attacks are often the trickiest to deal with, as their motive might ultimately be political, instead of driven by profit. This means that a disruptive attacker might simply delete all of a company’s files and vanish, never even giving the company the chance to pay up and get the data back.
While the vast methods and motives for cyber-attacks may sound scary, it’s not all doom and gloom. The good news in the middle of this all is that most cyber-attacks aren’t targeted. It’s not uncommon for a bad actor to pick out one company and keep trying to find ways to break into their systems. Instead, they chose one or two attack methods, and then attack hundreds of companies at a time, with the ultimate goal being to get the companies that aren’t being careful with cyber-security.
This means that you can avoid the vast majority of attacks just by making sure your company is not an easy target. Here are the strategies that can help ensure that.
1 – Email security training
All it takes is one employee clicking a link sent by a bad actor to compromise the company’s network, and the damage can be even bigger if they decide to download and run something they got from an untrusted email address. And those aren’t the only risks.
A large number of email-related data breaches are caused by social engineering and human error. The first involves a bad actor contacting a member of your team and convincing them to divulge sensitive information — usually by pretending to be an interested party. The second is much simpler: data breaches often occur because employees accidentally send emails to the wrong address.
The good news is that there are cyber-security firms that offer employee email security training. These programs go over the most common types of attack and how to avoid them, so it’s worth looking into them. Another solution is to show employees email security training videos, and then run simulations once in a while by sending fake emails to the team to see who’s not being smart about email security.
2 – Data compartmentalization
You can greatly improve your company’s data security by working with your IT team to make sure that only people who need the data can access the data. And that those who can access it only have as much permission as they need to. For example, your accountant probably needs permission to access the firm’s financial records, but do they really need permission to delete those records? And do the interns in the accounting department need to have access to the project files created by the design team?
Restricting how much access employees have to corporate data achieves two goals. First, it ensures that if their credentials are ever compromised the hacker will only be able to go so far. And second, it reduces how much damage can be caused by human error. Giving people too much access is just asking for someone to accidentally delete files they had nothing to do with.
3 – IoT management
Be careful about what employees are allowed to hook up to the office network. Imported smartwatches and other devices of dubious origins can come packed with malware or backdoors that make it easier for a bad actor to access your corporate network, or they may have software vulnerabilities that accomplish the same thing. There have even been cases of cyber-attacks conducted through smart lamps and internet-enabled thermostats.
In short, while business smartwatches and other IoT solutions can be very handy, make sure you keep them connected to a network that is separate from the one where all the important data is. It’s safer that way.
4 – Thumb drive management
Connecting an unknown thumb drive to a business workstation can cause massive damage to the business data and network. Having a good enterprise antivirus solution combined with keeping all the workstations updated to the latest security patches can mitigate some of that risk, but it’s still safe to keep employees from connecting random thumb drives to workstations, to begin with.
5 – Two-factor authentication
There are many ways to implement two-factor authentication in a business setting, ranging from requiring biometric data to access the corporate cloud to rolling out actual physical keys one carries with them to have access to corporate data. Whatever approach your business decides to go with, enabling two-factor authentication can instantly make your business network much safer.
Two-factor authentication can also solve the weak password problem, and that’s a big one. NordPass releases a list of the world’s most used passwords every year based on information found from public data leaks, and as of 2020 the password “123456” was still the most common password in the world. It has ranked #1 since 2013.