June 4, 2018
Data breaches at large corporations make news, but hackers and thieves are increasingly focusing their work on small businesses. According to the annual Verizon Data Breach Incident Report, 58% of data breaches are happening to local mom-and-pop operations.
“Many small businesses don’t have the resources focused on security and training, and employees are not cognizant of being at risk,” said Michael Bruemmer, VP of Experian Data Breach Resolution. “Some of these businesses, especially startups, may have no or small revenue, but they may be processing credit cards or holding personal data for other companies, and they don’t realize they have to protect it.”
Also, small businesses don’t regularly share security intelligences with each other, so they may not know their neighbors or competitors suffered an attack. Hackers know this, so they target these companies. “If hackers get into one company and the route of attack seems to be working, they’ll continue to do it, city by city, business by business,” Bruemmer added.
According to Experian’s 2018 Global Fraud and Identity Report, 63% of businesses experienced the same or more fraud in the last 12 months.
Falling Down on the Job
Overall, Verizon’s annual report found 2,216 confirmed data breaches — up 11% vs. 2016 — and more than 53,000 security incidents in 2017, up 32% vs. the prior year.
“One of the key takeaways from the 2018 Verizon [report] is that employees are falling victim to more sophisticated social engineering and phishing attacks,” said David Vergara, Director of Security Product Marketing with VASCO Data Security. “These findings are not surprising, as attacks, especially those based on advanced phishing techniques, are evolving quickly.”
According to Verizon, hackers are using tactics like phishing and financial pretexts to trick users. Human resource departments are a favorite target, as they are a gold mine of sensitive information that can be used for nefarious purposes.
These tactics are favored because they work. About 85% of data breaches can be traced back to user behavior, according to Experian. This includes reusing passwords, clicking on bad links that download keylogger software (which allows hackers to record everything you type, including passwords), or not verifying email messages before responding to a request.
Hackers take advantage of the data that is easy to find online. While social media provides a lot of personal information, criminals use corporate websites as well to target their potential victims. The idea of using all of these information resources is to hit users in multiple socially-engineered attacks, according to Experian’s Bruemmer. “It’s not the complex, well-thought-out malware attack or other sophisticated plots. It’s social engineering.”
And unfortunately, employers and employees remain lax in following their security training or upgrading their software, leaving networks open to data breaches.
Throwing Smoke Bombs After a Robbery
Found in 39% of malware-related incidents, ransomware is now the most prevalent form of malware, according to Verizon’s report. Ransomware jumped to the top slot from fourth place in 2016; as recently as 2014, it wasn’t even among the top 20 forms of malware.
Ransomware locks down the system, and you may think that’s the initial threat. What you may not realize is the bad guys have already been active within the network, making copies of your data for their use, and then nail you with the ransomware as they prepare to retreat. In the more than 5,000 incidents Experian investigated last year, one-third involved hackers lurking within the system long before they locked networks.
So while ransomware is the attack vector du jour, the malware is typically more of a distraction than the actual threat.
“These attacks aren’t just to get Bitcoin payments,” Bruemmer says. “Our forensics people liken it to throwing a smoke bomb into a house after you robbed it. It is the easy, last thing to do to get people not thinking you’ve taken other stuff.”
Minimizing the Impact of Data Breaches
In response to the Verizon report’s findings, Bruemmer pointed out two important considerations. First, hackers and threats are becoming more sophisticated; so if one mode of attack isn’t working, they will search for another until they find success. Second, you can never let your guard down.
“It only takes one chink in the armor to let someone in,” he says.
Here are some steps to help make sure your small business is preparing itself and limiting risk of a data breach:
- Monitor and manage your third party vendors or partners closely.
- Create and regularly review your data breach response plan.
- Ensure all software and hardware are up to date.
- Don’t skimp on technology and security costs.
- Regularly train employees in security and maintain an open door policy where they can address concerns with the leadership team or owner.
- Get more resources on the Experian Data Breach Resolution blog.
If your small business does have a data breach, act quickly. Execute the plan you’ve laid out and bring in trusted support to help minimize the impact and mitigate risk.
You should also know what you’re required to do and share. A breach can leak more than information, it can reduce the trust your customers have in your ability to keep their information secure. So communicating clearly and quickly with them on what happened, what they need to do, and what you’re doing is important.
This post was originally published on Experian.com.
Sue Poremba is freelance writer based on Central PA. She's covered cybersecurity and identity theft issues since 2008, with her articles appearing in publications and websites such as Forbes, Yahoo, NBC, CSO, CIO, and many others. She is also the author of several cybersecurity ebooks and a prolific and respected ghostwriter within the security industry. In 2017, she was named a Top 25 Influencer in Cybersecurity among Women in Tech by Onalytica.