By most accounts, 2014 will go down in history as the 'year of the hack' -- so what does that mean for 2015? Will this year be just as bad or even worse than last year's epic hacks?
Hackers ran rampant on US companies in 2014, pulling off an unprecedented number of major breaches against the country's largest retailers, financial firms, critical infrastructure, software makers and, of course, movie studios. Smaller businesses also faced a significant rise in cyber extortion and other hacks, including an attack on the popular technology startup Code Spaces, which put that company out of business. The vast number of attacks and the seemingly unstoppable nature of hacking have created a certain amount of hysteria among the public and business leaders, particularly since it's estimated that 72% of small businesses close their doors within two years of a significant data breach. While the risk of cyber attacks is growing, it's important for small and medium-sized businesses to keep perspective and focus on the real threats that are most likely to target their operations.
A number of security firms will be coming out with dire predictions for ever more exotic, extreme and dangerous attacks that could potentially occur in 2015. Some of these include smartphone viruses, Internet of Things (IoT) hacks, "super-worms" and the like. While these threats could pick up down the road, for now the chances are relatively low that they will have a significant impact on SMBs over the next 12 months. Instead, companies should focus on the immediate, tangible threats that are much more likely to target them this year.
Here are the real cyber threats that will continue to dog SMBs in 2015:
- Weak Passwords - The easiest way to break into a company is by stealing a password, and no one knows that better than JPMorgan Chase. Last year, over 83 million of its customer accounts were breached after a password hack on one of its servers. Businesses often make basic mistakes with passwords, such as not changing manufacturer default passwords, using guessable patterns or common phrases (like 'password'), etc. Hackers also have tools at their disposal (like 'rainbow tables' and 'dictionary attacks') which can crack passwords. Security Tips: The best way to protect online accounts is by using a password manager tool like LastPass, Dashlane, RoboForm, etc. This makes it easier to safely store and use complex passwords. Each account should have its own unique password, which should be changed monthly and be 10+ characters long (a combination of upper/lower-case letters, numbers and symbols). Use two-factor authentication when available.
- Phishing - Email phishing has been around since the late 1980s, but it still trips up most businesses today. Small and mid-sized businesses are particularly at risk, as these attacks continue to increase each year, including a 61% jump in 2013. Thanks to the rise of "crimeware" kits for sale on the black market, phishing is often difficult to spot and uses a number of tricks to infect the user's PC with malware, such as spoofed sites, infected attachments, malicious URLs and fake videos or images. "Drive-by" emails can also infect a user's machine as soon as they're opened. Phishing is one of the top methods hackers use to spread banking trojans, an especially dangerous type of malware that can wipe out an SMB's bank account. A small California escrow firm went bankrupt in 2013 after losing $1.5 million to a banking trojan. Security Tips: Educate employees about how phishing works, but don't expect them to keep your company secure. Have a plan in place so that if an employee is infected, the hacker won't be able to get very far. This includes segmenting the network so employees run on separate servers, limiting their access to sensitive data, using 'thin client' machines or Chromebooks which don't allow local storage and regularly changing key passwords. It's also important to run antivirus on all machines and to back up data regularly.
- Drive-By Downloads - Few business owners have probably heard of the "drive-by" download, but it's now one of the top ways for criminals to install malware on a PC. In this type of attack, a hacker takes advantage of a poorly secured website to run malware on it that will infect anyone who visits the page. This is another common way of spreading banking trojans. Security Tips: Segment the computer network to prevent infections from spreading, and try to use thin clients or Chromebooks when possible. Use more secure browsers like Chrome and Firefox, and also use script-blocking plugins (such as NoScript, ScriptSafe or AdBlock Plus).
- Insider Access - While the media often portrays hackers as criminal masterminds with almost infinite skill-sets, in many cases they're just average people with inside access to a company (employees, vendors, customers, etc.). Although low-tech, the insider threat is one of the top dangers any SMB will face, because a person with physical access to a company's computers, servers or point-of-sale terminals can do almost anything they want, from stealing data outright to downloading malware, selling access to other criminals, etc. One recent example is Morgan Stanley, which had the information of 350,000 clients exposed by one of its own employees. Security Tips: Employees should only have access to company data they need to do their jobs. When employees are terminated, their access should be eliminated immediately. Remote access to the company network should be extremely limited. PIN pad readers and other sensitive devices should be locked up after hours.
- Insecure Wireless - There's no such thing as safe WiFi. Even WPA/WPA2 password-protected WiFi networks can be used by hackers as a beachhead into an SMB network. A number of free and low-cost WiFi hacking tools are available online. Once in a WiFi network, the hacker can read the employees' network traffic, steal passwords and log on as a legitimate user. Security Tips: First, make sure there are no WiFi ports which aren't password-protected - and that includes changing any default passwords set by the telecom/cable operator. Next, use a virtual private network (VPN) to encrypt all data that flows over the WiFi connection. Lastly, perform sensitive tasks like online banking off of the WiFi connection, using an ethernet cable instead.
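
One way to check stored credentials against the password rules in the Weak Passwords item above (unique per account, changed monthly, 10+ characters with upper/lower-case letters, numbers and symbols, no defaults or common phrases). This is an added example, not part of the original article; the record layout, the short deny-list and the reading of "monthly" as 30 days are assumptions, and the sample entries are constructed.

```python
import string
from collections import defaultdict
from datetime import date

# Constructed deny-list for illustration; a real audit would load a far
# larger list of common phrases and manufacturer defaults.
COMMON_OR_DEFAULT = {"password", "admin", "changeme", "letmein", "123456"}
MAX_AGE_DAYS = 30  # "changed monthly", read here as 30 days (assumption)

def audit_accounts(records, today):
    """Return {account: [findings]} for every record that breaks a rule.

    Each record is a dict with 'account', 'password' and 'changed' (a date),
    a hypothetical layout for a password-manager export.
    """
    seen = defaultdict(list)          # password -> accounts that use it
    for rec in records:
        seen[rec["password"]].append(rec["account"])
    findings = {}
    for rec in records:
        pw, problems = rec["password"], []
        if pw.lower() in COMMON_OR_DEFAULT:
            problems.append("common or default password")
        if len(pw) < 10:
            problems.append("shorter than 10 characters")
        classes = {
            "upper-case": any(c.isupper() for c in pw),
            "lower-case": any(c.islower() for c in pw),
            "number": any(c.isdigit() for c in pw),
            "symbol": any(c in string.punctuation for c in pw),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("missing " + ", ".join(missing))
        others = [a for a in seen[pw] if a != rec["account"]]
        if others:                    # same password on another account
            problems.append("reused on " + ", ".join(others))
        if (today - rec["changed"]).days > MAX_AGE_DAYS:
            problems.append("not changed in over 30 days")
        if problems:
            findings[rec["account"]] = problems
    return findings

# Constructed sample data, not real credentials.
SAMPLE = [
    {"account": "router", "password": "admin", "changed": date(2015, 1, 2)},
    {"account": "bank", "password": "Tr!ckyHorse42Lamp", "changed": date(2014, 11, 1)},
    {"account": "payroll", "password": "Tr!ckyHorse42Lamp", "changed": date(2015, 1, 10)},
    {"account": "email", "password": "v9#Qm2!xLp7wZe", "changed": date(2015, 1, 15)},
]
```

Calling `audit_accounts(SAMPLE, date(2015, 1, 20))` flags the router's default password and the password shared between the bank and payroll accounts, and leaves the email account out of the result.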