If you want to protect your business data, think like a cybercriminal

Oct. 24, 2023
Perform your own assessment by looking at your business through their eyes and considering what gaps or vulnerabilities might exist

Over the last 12 months, millions of customers around the world have been impacted by some of the biggest data breaches in history. Small businesses are particularly at risk, as they work with sensitive personal and financial information every day.

October is Cybersecurity Awareness Month and a timely reminder to stay secure online. So how can you protect your business? It all starts with understanding the mindset of a cybercriminal. Who are they? What are they looking for? Why are they stealing information? And how do they get it?

Who is Behind a Cyber-Attack?

Despite the stereotypes, cybercriminals aren’t necessarily well-funded geniuses lurking in the shadows and writing sophisticated hacking tools. The barrier to entry is much lower: cybercrime tools and services are available to anyone with the motivation to use them. Four common kinds of cybercriminal are:

Hackers, who use their technical skills to break into vulnerable systems and networks

Cyberactivists, who often have political or ideological reasons for compromising a company and exposing its data

‘Script kiddies’, who lack technical expertise and use off-the-shelf hacking tools to steal data

Malicious insiders, who are employees or contractors abusing their legitimate access to steal sensitive information from their own organization

What Do Cybercriminals Want?

Data is the ultimate prize for a cybercriminal. This could be anything from the personal information of staff and customers to confidential business information like sales and inventory records, credit cards and banking information, or account credentials used to access company systems.

Personal information can be used for identity fraud, such as scam campaigns run in a victim’s name, or for payment fraud, such as purchases made on stolen credit cards. Business information can be sold to competitors or state-sponsored buyers, and stolen credentials can be used to get into company systems. Cybercriminals usually obtain this data by taking control of the accounts that can access it.

Once they have access to one of your accounts, cybercriminals can change the password to lock you out, then use that account to reach other online services (for example, by triggering password resets that are sent to the compromised mailbox). Imagine a cybercriminal gained access to your email account. They could intercept a PDF invoice and edit the payment details, tricking your customers into paying into a bank account the criminal controls instead of yours.

How Do Cybercriminals Access Your Accounts?

Cybercriminals use several tactics to gain access to your accounts.

Direct attacks on passwords, using tools that guess weak or common passwords at very high speed, often against password databases stolen from other services. If you’ve reused that password across multiple accounts, one successful guess opens all of them.

Phishing and social engineering, where cybercriminals trick people into handing over their details using links or requests in emails, texts, phone calls and other communications

Malware, malicious software that infects your device to monitor your activity, capture credentials and provide backdoor access to your systems

Ransomware, malware that encrypts or locks your devices and data so the cybercriminal can demand payment to restore access, often while also threatening to publish the data they copied beforehand

How Can You Protect Your Business?

Being cyber-wise in your business or practice doesn’t have to be complex or expensive. It’s about taking a layered approach, to make sure you have broad protection against a range of threats. You already do this with your home security. Aside from locking doors and windows, you might have additional deterrents like gates, cameras, alarms, and even a dog.

Here are five strategies you can use as layers to improve your business’ resilience to cybercrime.

  1. Do a risk assessment on your business, to identify any gaps. This might involve thinking about what data you store, which technology you use to store it, and what obligations you have to manage it.
  2. Get the security basics sorted, like having strong and unique passwords on each account, and switching on multi-factor authentication wherever possible. Password managers are a good option as they do the hard work for you.
  3. Develop strong policies and processes to help your team maintain clear and consistent cybersecurity habits. This should outline how your business or practice handles account security, device security and data security.
  4. Buy from organizations that adhere to recognized security standards, like ISO 27001 and SOC 2. Use secure websites (look for HTTPS, the ‘s’ is the key; it protects your data in transit, although it does not by itself prove a site is trustworthy) and make sure that access to data, and the ability to share it, is limited to staff who need the information to do their jobs.
  5. Don’t forget to consider the human element of security. Staff should understand how to safely use the accounts, devices and data that belong to your business. They should also feel confident about where to go for help, and how to respond if an incident occurs.
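To put numbers behind two of the points above (the tactics list’s warning about guessing weak or reused passwords, and strategy 2’s advice on strong, unique passwords and password managers), here is a worked example in Python. It is added for this edit and is not code from the original article or from Xero. The “leaked” wordlist, the guessing rate of ten billion attempts per second, and the account table are constructed assumptions chosen to illustrate the mechanics, not measurements.

```python
import math
import secrets
import string

# Constructed data for this example (not from the article): a tiny stand-in for the
# leaked-password wordlists that cracking tools try before any brute force.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome1", "summer2023",
})

# Assumed offline guessing rate against a fast, unsalted hash. Illustrative only;
# real rates depend on the hash algorithm and the attacker's hardware.
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def guess_space_bits(password: str) -> float:
    """Log2 of the guesses needed to exhaust the search space.

    A wordlist hit costs only len(wordlist) guesses, however long the password is.
    Otherwise we use the optimistic uniform-random bound; a human-chosen pattern
    such as Word+Year+! is in practice far weaker than this figure suggests,
    because real cracking tools derive it from the wordlist with mangling rules.
    """
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for the attacker to try every candidate at the assumed rate."""
    return 2 ** guess_space_bits(password) / rate


def credential_stuffing(leaked_password: str, accounts: dict[str, str]) -> list[str]:
    """Accounts an attacker opens by replaying one leaked password everywhere."""
    return sorted(name for name, pw in accounts.items() if pw == leaked_password)


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a uniformly random password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed account table: the webmail password has been reused on two other services,
    # while the CRM account uses a manager-generated unique password.
    accounts = {
        "webmail": "Summer2023!",
        "bank": "Summer2023!",
        "accounting": "Summer2023!",
        "crm": generate_password(),
    }
    for pw in ("password", "Summer2023!", accounts["crm"]):
        print(f"{pw!r:32} {guess_space_bits(pw):6.1f} bits  "
              f"{seconds_to_exhaust(pw):.3g} s worst case")
    print("reused webmail password also opens:",
          credential_stuffing(accounts["webmail"], accounts))
```

Run stand-alone, the script shows why the two pieces of advice go together: a wordlist password falls in a fraction of a second regardless of the guessing rate, and a single reused password turns one breach into three. The uniform-random bound is an upper limit, not a promise; the only passwords that actually reach it are the ones nobody chose, which is exactly what a password manager produces.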

Cybercriminals are a growing threat to all organizations. The best way to make sure you keep your data safe is to look at your business through their eyes and consider what gaps or vulnerabilities might exist. That way, you can enjoy peace of mind, knowing the data you’re holding on your business and customers is safe and secure.

About the author: Suzy Clarke is the Executive General Manager of Security at Xero, responsible for improving the technical security of the global small business platform, as well as its customers and partners. She has worked in the technology sector for 24 years, both in England and New Zealand, and prior to Xero held senior technology roles across a range of industries.