Cybercrime poses a massive threat to small businesses and their customers’ data, yet many smaller organizations don’t have the resources and time to devote to strengthening cybersecurity. As a result, their digital systems are vulnerable to attack – often with devastating consequences.
We’ll explore the current state of cybercrime and what businesses can do to protect their business from a data breach and respond to attacks.
What is cybercrime?
Cybercrime refers to criminal activity involving computers, networks and other digital channels. These attacks are reaching epidemic proportions. According to the FBI’s 2021 Internet Crime Report, cybercrime costs in the U.S. reached $6.9 billion in 2021, while Cybersecurity Ventures says global cybercrime costs hit $6 trillion and will top $10.5 trillion by 2025.
Large companies aren’t the only victims. According to cybersecurity solution provider Coro, a typical mid-market company can expect to be attacked between 56,000 and 86,000 times during the year.
What do cybercriminals target?
When they attack, cybercriminals usually target these five value assets:
- Commercial data. Commercial data includes trade secrets, corporate takeovers, and research and development projects. This data can fetch millions of dollars on the open market as businesses try to gain a competitive advantage. Commercial data theft is akin to cyber-industrial espionage.
- Customer databases. A big market exists for individuals’ personal and financial details. Even more worrying: There’s value in selling details of people’s health conditions.
- Customer payment details. Credit and debit card details are lucrative. Though banks use artificial intelligence and machine learning to detect unusual payment patterns, cybercriminals can still extort millions of dollars and quickly move the money offshore.
- Money in the bank. Dual-factor authentication and other security measures make it almost impossible to access the cash sitting in company bank accounts. However, with social engineering attacks and other tactics, criminals can still access this money.
- Company identity. Cybercriminals change company contact and decision-maker details at government agency levels. They can then open trading accounts with retailers and banks to take out loans. Consumers have been affected by this type of scam for years, and the number of businesses falling victim to it is growing fast.
How do cybercriminals conduct attacks?
Cybercriminals pull off attacks in three primary ways:
- Technological manipulation. Hackers gain access to data on vulnerable computer systems and cloud networks.
- Employee manipulation. Employee manipulation in the form of social engineering takes advantage of typical decision-making shortcuts. For example, if the “boss” emails you asking you to transfer money, you’re unlikely to verify their identity because you don’t perceive the situation as risky.
- Insider theft. Companies lose 5% of their revenue to fraud annually, according to the Association of Certified Fraud Examiners. For example, if a staff member takes your customer database to a new employer, you could lose significant revenue to your competitor.
What techniques do cybercriminals use?
Below are 110 of the most successful cybercriminal business scams:
- Data diddling. Data diddling is a type of fraud that involves the falsification of numbers. For example, say your restaurant receives 12 crates of wine, and you enter that number into your inventory software. However, a dishonest worker changes that number from 12 to 10, steals and sells two wine crates, and pockets the money. Data diddling is a common restaurant scam, but it can affect many business types.
- Distributed Denial of Service (DDoS) attacks. In a DDoS attack, cybercriminals make millions of requests to access your websites, internet connections, and computer networks, causing them to shut down because they can’t cope with the demand. Companies often must pay “release fees” to stop the attacks.
- Cyber extortion. In cyber extortion attacks, hackers access commercially valuable or confidential information, such as law firm or health clinic data. They then threaten to dump the data online or sell it to a competitor if you don’t pay them a ransom.
- Identity theft. Businesses can also fall prey to identity theft. They’re even more lucrative targets than individuals because they take larger loans, and it’s easier to alter their ID details.
- IoT (Internet of Things) breaches. Companies often use the latest technology to prevent servers and terminals from being attacked. But hackers often gain entry easily through poorly protected IoT devices like security cameras.
- Malware. Malware allows hackers to alter or control computer behavior. Often – as with cryptocurrency mining – malware can damage a computer. Other times, malware performs keystroke logging to send information to cybercriminals who try to hack passwords and break into the broader computer network.
- Man-in-the-middle attacks. Man-in-the-middle attacks often involve impersonating professionals like lawyers to manipulate people into undesirable actions. For example, say you got an email from your lawyer telling you to transfer a deposit for a new home. The email may look legit, but it’s actually a bad actor attempting to steal your money.
- Password attacks. There are many different password attack varieties, including brute-force attacks, where hackers enter millions of passwords quickly, trying to get lucky. There are also sophisticated attacks where cybercriminals choose a victim and monitor their social media activity to glean password clues.
- Phishing. Phishing emails (or texts) impersonate legitimate organizations like retailers and banks you typically do business with. They may say there’s a problem with your account and urge you to log in. In reality, they’re diverting you to their website or platform in an attempt to steal money or information.
- Software vulnerability exploitation. Cybercriminal gangs discover ways to breach and take over computer networks by exploiting security weaknesses in apps and programs.
How can businesses prevent cybercrime?
Cybercriminals steal your company’s data, money, and assets by looking for weaknesses in your IT setup and catching your staff off-guard.
To prevent and combat cybercrime, it’s essential to shore up your technology and train your team.
Bolster your technology to prevent cybercrime.
At a minimum, take the following 15 steps to protect your organization from cybercrime.
- Encrypt your data. Encrypted data is “jumbled up.” It’s indecipherable without a key. If a hacker breaches your system and doesn’t have the key, they can’t use the data.
- Keep software and apps up to date. Vendors release updates periodically to protect clients against new and emerging cyber threats. Apply patches the same day vendors release them, and hackers will be much less likely to breach your system.
- Restrict who can install software on your network. Your IT team can’t apply patches to apps and software programs they don’t know are on your network. Limit who can install software on your system, and keep a record of everything installed.
- Delete software you don’t use. Regularly audit your system, cloud storage, and everything connected to your network to monitor unused apps. Uninstall them to prevent them from becoming attack vectors in the future.
- Delete unsupported software. Uninstall software that vendors no longer support, patch, or update. Ask your team about programs they’d prefer to use, and ensure their vendors support them.
- Know what connects to your network. Keep a list of every computer and device authorized to connect to your network. Hackers generally don’t have access to authorized devices, so your system will block them when they try to connect.
- Limit account privileges. Use access control systems to give employees access only to the apps, programs and data they need to do their job. Limiting the number of areas a user account can access restricts the amount of damage a hacker can do.
- Use antivirus software. Stop ransomware and malware from being downloaded to your network by installing the best antivirus and internet security software.
- Implement strong firewalls. Firewalls can detect viruses and stop malware and phishing attacks. Select a firewall that monitors traffic patterns over time and alerts an IT team member when suspicious activity occurs.
- Back up data regularly. Use a backup service with cloud encryption to back up your database It’s harder for a cybergang to threaten your data if you have a copy of it securely stored elsewhere. A secure backup also means you can get back to business much faster. Read our reviews of the best cloud storage and online backup services to find a provider.
- Secure your company’s Wi-Fi network. Phones and other devices look for “beacon frames” when scanning for Wi-Fi networks. Make yourself invisible to outsiders by switching off the beacon frame.
- Practice robust password management. People are notoriously good at choosing weak passwords. Use secure passwords, and consider implementing an encrypted, centralized password-management system to better protect your network and terminals.
- Implement dual-factor authentication (2FA). 2FA requires a second security element when logging into an account or device. For example, if you try to log into Google from a new device, Google sends a confirmation code to a known trusted device. Dual-factor authentication makes it challenging for hackers to get past your network’s defenses.
- Protect IoT devices properly. IoT devices, including connected printers and cameras, present an opportunity for hackers to infiltrate your network. Secure every item connected to your network with the same diligence you use for terminals, laptops, and mobile devices.
- Consult white-hat hackers. White-hat hackers are reformed hackers who attempt to break into your computer network – with your permission. They can let you know which areas are particularly vulnerable and how you should protect yourself better.
Password management tools can help you create secure passwords and organize, manage, and store them across your entire network for increased security.
Train your team to prevent cybercrime.
Educating and empowering your team can help guard against cybercrime. Teach your team the following tenets to create “human firewalls.”
- Question everything out of the ordinary. Create a list of checks and balances within your company to detect phishing. For example, if the CEO calls accounts payable demanding money for an invoice, require the employee to report it to their manager immediately. Encourage staff to speak up if they get any suspicious requests by phone, email or text.
- Don’t assume public Wi-Fi is safe. Although the old, insecure WPA2 protocol is now being phased out, it’s still used in many places. Instruct employees to connect to the office using an encrypted VPN or 4G or 5G signals when they are out of the office.
- Be careful what you tell others. Many managers and employees use personal branding via social platforms to enhance their organizations and reputations. Instruct your team to be careful about how much they share on social media because cybercriminals could use that information to impersonate them.
- Double-check remote desktop access requests. IT teams often connect to co-workers’ computers via the best remote PC access software to troubleshoot issues. Hackers know this, and they’ll pretend to be from your IT team. Instruct your team to check directly with the IT manager to ensure access requests are valid.
- Ensure everyone understands the risks. Most employees don’t know how devastating a data breach’s financial and reputational damage can be. Train them on what they need to look out for and when to speak up. Monitor their performance, test them regularly, and reward staff who raise the alarm.
Make cybersecurity risk assessments a business priority. Shore up vulnerable network elements first, then work your way down the list and fix one area at a time to minimize the chances of a successful breach.
How should businesses respond to cybercrime?
You only have to be wrong once to fall victim to cybercrime. If your system is breached, take the following four steps:
- Understand how the attack happened. Hackers are creative and often break into systems in ways companies didn’t anticipate. Ensure you know how they got in as soon as possible and shut down the threat quickly.
- Go section by section through your network. You may have gotten the cybercriminals out of your system, but have they left any unpleasant surprises? Go through your network and devices one department at a time to ensure the threat won’t come back.
- Start the rebuild when a department is clear. As you declare each department clear, begin reinstalling apps and programs separately. Only connect back the parts of the network that have been cleared.
- Download data from backup cloud locations. When it’s safe, reinstall your cloud connection to your company databases. At this point, you should be able to continue doing business securely.
A data breach can damage your reputation, leaving customers unwilling to entrust you with their data. You may even face a class-action lawsuit brought by customers affected by the breach. Cybersecurity threats are too big for small companies to ignore, so start preparing now.