Cyber attacks are a growing threat. According to the FBI’s 2020 Internet Crime Report, reported losses from cybercrime exceeded $4 billion in 2020 alone.1 In 2021, global damages from cybercrime are expected to reach $6 trillion.2 If the cost of cybercrime were measured as a country’s economy, it would be the world’s third-largest, behind only the United States and China.
Small businesses are attractive targets for cybersecurity threats because they have information that criminals want and typically lack the appropriate business network security. According to a recent survey by the Small Business Administration, 88% of small business owners felt their business was vulnerable to a cybersecurity incident. Yet many businesses can’t afford professional IT solutions, have limited time to devote to business network security, or don’t know where to begin.3
At Woligo, we want every business to be protected against cybersecurity threats. That’s why we created this guide – to educate small business owners on the importance of small business security and their potential liability.
What is a cyber attack?
A cyber attack is the “deliberate exploitation of computer systems, business storage, technology-dependent enterprises, and networks.”4 Cyber attacks use malicious code, or the misuse of legitimate functionality, to alter computer code, logic, or data, with disruptive consequences that can compromise small business security and lead to identity theft, data loss, and other cybercrimes.
Common types of cybersecurity threats
1. Malware
Malware is malicious software installed on your system without your consent. It can attach itself to legitimate code and propagate, hide inside otherwise useful applications, or replicate itself across the internet. Ransomware is a common type of malware that encrypts your data so you cannot use it, and increasingly also steals a copy and threatens to publish or permanently delete it unless a ransom is paid; without tested, offline backups, the result is data loss whether or not you pay.
2. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
A denial-of-service (DoS) attack overwhelms a system’s resources so that it cannot respond to legitimate service requests. In a distributed denial-of-service (DDoS) attack, the traffic comes from many host machines (a botnet) that the attacker has infected with malicious software and controls, which makes it far harder to block by filtering a single source.
3. Man-in-the-Middle (MitM) Attack
A man-in-the-middle (MitM) attack occurs when an attacker inserts themselves between a client and a server, relaying and possibly altering the traffic while both ends believe they are talking directly to each other. Session hijacking is a common form of MitM attack: the attacker takes over an established session between a trusted client and a server, for example by spoofing the client’s IP address or by stealing the session cookie or token, and the server continues the session believing it is still communicating with the legitimate client. Properly configured TLS (HTTPS) on every connection is the main defence, because the attacker cannot read or alter what they relay.
4. Phishing and Spear-Phishing Attacks
Phishing is the practice of sending emails (or text and chat messages) that appear to come from a trusted source in order to obtain personal information or to get the recipient to do something. The message might carry an attachment that installs malware when opened, or a link to a look-alike website that tricks you into downloading malware or entering your credentials. Spear phishing is a targeted form of phishing in which attackers research their targets and craft unique, relevant messages; the fraudulent wiring instructions in the real estate incident described later on this page are a typical example.
5. Drive-by Download Attacks
Drive-by download attacks are a standard method of spreading malware. Attackers look for insecure websites and plant a malicious script in the HTML or PHP code of one of the pages. The script might install malware directly onto the computer of someone who visits the site, or redirect the visitor to a site the attackers control. Drive-by downloads can happen when visiting a website, viewing an email message, or loading a pop-up window. Unlike many other cybersecurity threats, a drive-by does not require the user to do anything beyond loading the page: it typically exploits an unpatched vulnerability in the browser, a browser plugin, or the operating system, which is why keeping software up to date is the primary defence.
6. Password Attack
A password attack is when an attacker obtains a person’s password: by looking around the person’s desk, by “sniffing” the network connection to capture passwords sent unencrypted, by social engineering, by gaining access to a password database and cracking the stored hashes offline, or by outright guessing (brute-force and dictionary attacks, or “credential stuffing” with passwords leaked from other breaches). Long, unique passwords kept in a password manager, plus multi-factor authentication, defeat most of these.
7. SQL Injection Attack
A SQL injection attack is a common issue with database-driven websites. An attacker supplies input from the client that the server splices directly into a SQL query, so the input is executed as part of the query. SQL fragments are inserted into data-plane input (for example, into the login or password field) to run commands the developer never intended. A successful SQL injection can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system. The standard defence is parameterised queries (prepared statements), which keep user input out of the query text altogether.
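The following is an added example, not code from the original article: one login check written two ways against an in-memory SQLite database, so the injection described above can be run and observed offline. The user table, the accounts and the attacker inputs are constructed for the demo (hypothetical).

```python
"""Added example, not code from the original article: one login check
written two ways against an in-memory SQLite database.

login_vulnerable() splices the user's input into the SQL text, so input such
as   admin'--   (comment out the password check) or   ' OR '1'='1   (make the
WHERE clause always true) rewrites the query.
login_safe() uses a parameterised query: the driver passes the values
separately from the statement, so they are compared as data, never parsed
as SQL. The user table and credentials below are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory user table with two constructed accounts.
    Passwords are stored in clear text here only to keep the focus on the
    injection; a real application stores a salted, slow password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("admin", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The injectable form: string concatenation builds the statement, so the
    boundary between SQL and data is wherever the attacker puts a quote."""
    query = (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The hardened form: placeholders are bound to values by the driver, so
    quotes, comment markers and OR clauses in the input stay inside the value."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def demo() -> dict:
    """Run the same attacker inputs through both versions and collect the rows
    each returns. A non-empty result for a wrong password means the attacker
    is logged in."""
    conn = make_db()
    attacks = {
        "comment out password check": ("admin'--", "wrong-password"),
        "always-true WHERE clause": ("nobody", "' OR '1'='1"),
    }
    results = {}
    for name, (user, pw) in attacks.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
    results["legitimate login"] = {
        "vulnerable": login_vulnerable(conn, "admin", "hunter2"),
        "safe": login_safe(conn, "admin", "hunter2"),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}:")
        print(f"  vulnerable query returned {outcome['vulnerable']}")
        print(f"  parameterised query returned {outcome['safe']}")
```

Running it shows the concatenated query logging the attacker in as `admin` with a wrong password and returning every user for the always-true clause, while the parameterised query returns no rows for either input and still works for the real credentials. The same fix applies to every database driver: never build SQL from user input with string operations.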
8. Eavesdropping Attack
Eavesdropping attacks intercept network traffic. By listening in on an unencrypted connection (plain HTTP, or an open Wi-Fi network, for example), an attacker can capture passwords, credit card numbers, and other confidential information a user sends over the network. Encrypting traffic end to end (HTTPS, or a VPN on untrusted networks) is the defence: what the eavesdropper captures is then ciphertext.
9. Birthday Attack
Birthday attacks target the hash algorithms used to verify the integrity of a message, a piece of software, or a digital signature. A hash function turns a message of any length into a fixed-length message digest (MD) that is meant to stand in for the message: two different messages are not supposed to produce the same digest. Because there are far more possible messages than digests, such collisions must exist, and the “birthday paradox” says they are much cheaper to find than intuition suggests: for an n-bit digest an attacker needs only about 2^(n/2) trial messages, not 2^n, to find some pair with the same digest, just as only 23 people are needed for a better-than-even chance that two of them share a birthday. In the attack, the adversary prepares many harmless variants of a benign document and many variants of a malicious one until one of each collide, has the victim sign the benign version, and later substitutes the malicious one; the receiver cannot detect the swap even by comparing digests. This is why hash functions with short outputs, such as MD5 and SHA-1, are no longer acceptable for digital signatures.
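The following is an added example, not code from the original article: the two halves of the birthday attack described above, run against a deliberately weakened hash. The digest is SHA-256 truncated to 32 bits so the search finishes in well under a second; the payment messages and the “ref N” variation scheme are constructed for the demo, and against full SHA-256 the same loop would never terminate.

```python
"""Added example, not code from the original article: the birthday attack
against a deliberately weakened hash.

birthday_probability() is the exact "birthday paradox" calculation.
find_colliding_pair() is Yuval's form of the attack: many harmless variants
of a benign message and many variants of a malicious one are generated
until one of each share a digest. The victim would sign the benign text;
the attacker later presents the malicious one with the same digest.

The digest is SHA-256 truncated to 32 bits so the search finishes quickly;
the point is the 2^(n/2) cost. Against full SHA-256 (about 2^128 work) this
loop would never terminate. Messages and the "ref N" scheme are constructed.
"""
import hashlib
import math


def truncated_digest(message: bytes, bits: int = 32) -> int:
    """SHA-256 of `message`, keeping only the top `bits` bits as an integer.
    bits=256 returns the full digest; anything smaller is the toy weakness."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def birthday_probability(n: int, space: int) -> float:
    """Exact probability that at least two of n uniformly random values drawn
    from `space` possibilities coincide (n people, 365 birthdays, ...)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def expected_trials(bits: int) -> float:
    """Expected number of random inputs before the first collision in a
    `bits`-bit digest: about sqrt(pi/2 * 2^bits), i.e. on the order of 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_colliding_pair(bits: int = 32, limit: int = 1 << 20):
    """Generate benign/malicious message variants in lock-step and stop at the
    first cross-collision. Returns (benign, malicious, variants_per_side),
    or None if `limit` variants per side are exhausted without one."""
    benign_seen = {}      # digest -> benign variant
    malicious_seen = {}   # digest -> malicious variant
    for i in range(limit):
        benign = b"Pay Alice $100 for invoice 7 (ref %d)" % i
        malicious = b"Pay Mallory $10000 for invoice 7 (ref %d)" % i

        d_benign = truncated_digest(benign, bits)
        if d_benign in malicious_seen:
            return benign, malicious_seen[d_benign], i + 1
        benign_seen[d_benign] = benign

        d_malicious = truncated_digest(malicious, bits)
        if d_malicious in benign_seen:
            return benign_seen[d_malicious], malicious, i + 1
        malicious_seen[d_malicious] = malicious
    return None


if __name__ == "__main__":
    print(f"23 people, 365 birthdays: P(shared) = {birthday_probability(23, 365):.4f}")
    print(f"expected trials for a 32-bit digest: {expected_trials(32):,.0f}")
    found = find_colliding_pair(32)
    if found:
        benign, malicious, n = found
        print(f"collision after {n:,} variants per side:")
        print(f"  {benign!r}\n  {malicious!r}")
        print(f"  both hash to {truncated_digest(benign):08x}")
```

A 32-bit digest has about 4.3 billion possible values, yet the pair is found after tens of thousands of variants per side, not billions. Doubling the digest length only squares the attacker’s work, which is why collision resistance of a hash is rated at half its output length and why 128-bit MD5 (64-bit collision resistance) and 160-bit SHA-1 are retired for signatures.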
10. Physical Security Breach
Physical security breaches occur when someone physically gains access to your phone, computer, or other device to commit a cybercrime. This can result from anything from “tailgating”, where a non-employee follows an employee into your place of business, to a car break-in. To protect yourself: do not leave devices unlocked or unattended; keep them in a secured location (a locked car does not count); use physical access controls such as locking doors or a badge system for the office or building; turn on full-disk encryption so a stolen laptop is a lost asset rather than a data breach; and educate employees about the importance of vigilance and staying aware of their surroundings.
11. Social Engineering
Social engineering is where an attacker uses non-technical means to obtain passwords, Social Security numbers, bank account information, and so on. Examples include a phone call from someone pretending to be a bank representative who asks for private details to “verify” an account, or someone posing as IT support who needs your password to “perform system updates” on a company computer. A legitimate IT department never needs your password, and the right response to any unexpected request for credentials is to hang up and call back on a number you already know.6
You must have the proper business storage and small business security practices in place to secure, store and access your records correctly. But even more than that, you have legal obligations anytime you collect or store personally identifiable information, otherwise known as PII.
According to the US General Services Administration, PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Note that data can become PII if additional information is made publicly available that, when combined with it, could be used to identify an individual.7 Examples of PII include Social Security numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, biometrics, and criminal history. This data requires stricter handling and business storage because of the increased risk to the individual if it is compromised.8
Understanding your liability
As a custodian of information, you could be liable if that information ends up in the wrong hands. And even if it doesn’t end up in the wrong hands, a customer could still decide to sue you for not properly securing their personal information.
Security Incident: Ransomware in North Carolina
Wilmington Surgical Associates in North Carolina was the victim of a ransomware attack in which highly sensitive data was breached: patient names, birth dates, Social Security numbers, and health records. Patients joined together in a class-action lawsuit to force the practice to strengthen its data security, submit to annual audits, and provide credit monitoring services.
The patients claim that Wilmington Surgical Associates did not adequately secure its network, servers, and systems, and that an egregious lack of monitoring allowed the intrusion to go unnoticed. The lawsuit seeks reimbursement of out-of-pocket expenses, restitution, compensatory damages, and injunctive relief.9
Security Incident: $1 Million Missing in Real Estate Transaction
In Clearwater Beach, Florida, the buyer of a $1 million property filed suit against the attorney handling the closing for failing to put adequate security protocols in place to secure the firm’s email accounts. The attorney sent the buyer wiring instructions for the initial deposit of $10,000, and the buyer wired the deposit successfully. Later, the buyer received another email that appeared to come from the attorney’s office, with wiring instructions for the closing amount of $974,633.44 to be held in escrow. The instructions were on the attorney’s letterhead and contained information that only the attorney could know. The buyer wired the remaining balance to the bank account given in the second set of instructions.10
On the day of the closing, the attorney asked the buyer to wire the remaining funds: the second email had not come from the attorney, and the money was gone. This is the pattern of a business email compromise, in which an attacker who has gained access to one party’s mailbox uses what they read there to send convincing, well-timed payment instructions. The buyer’s lawsuit alleged that the attorney could have prevented the loss with proper business network security.
Security Incident: Failing to Plan is Planning to Fail
Edelson PC, a leading plaintiffs’ firm in privacy and data security law, filed suit against Johnson & Bell, a Chicago-based law firm, for not implementing appropriate small business security. The lawsuit alleged that Johnson & Bell was vulnerable to man-in-the-middle attacks because it used outdated software and allowed employees to access company information remotely in ways criminals could exploit. Notably, Johnson & Bell had not suffered a data breach or any other cyber attack; the lawsuit was based solely on a lack of cybersecurity measures that left the firm vulnerable to a future attack.11
The impact of a cybersecurity incident
Could your business survive a cybersecurity incident?
The impact of a cybersecurity incident on your business could be detrimental. The United States National Cyber Security Alliance found that 60% of small businesses cannot sustain their operations longer than six months after a cyber attack.12
According to IBM’s Cost of a Data Breach Report 2020, the average cost per lost or stolen record across all data breaches was $146.13 If the record contained a customer’s personally identifiable information, the cost rose to $150, and if it contained PII and the incident was caused by a malicious attack, to $171. These figures take into account factors ranging from crisis management and lost revenue to forensic services and legal expenditures.
Business network security
Business network security should be a priority for every small business, whether you run a solo operation or have a team of employees. The ideal scenario would be to hire a cybersecurity consultant or have an IT professional on staff who can update, manage and implement your business network security. But if that’s not in your budget, you can still take steps to improve your small business security, reinforce your business storage and prevent data loss.
Start by determining your company’s current security status with an informal audit. Who is in charge of your business storage and security procedures? Is that person up to date on best practices? What defenses are already in place (backups, software updates, multi-factor authentication, endpoint protection)? Has there ever been a security incident? Next, take an inventory of all data, files, and records. What information do you collect, and how do you collect it? What do you store, and for how long? What is the most important information to protect? Who has access to it, and does each of those people still need that access?
Last but not least, mitigate the vulnerabilities you found, starting with the ones that expose the most important data. What more can you do to prevent data loss? Should you hold regular small business security training for employees? Can you limit who has access to personal information? Can you afford to outsource part of your security to a professional who manages it for you?
The importance of cyber insurance
Even with the very best small business security infrastructure and a team of cybersecurity experts on your payroll, you could still suffer data loss and other cybersecurity incidents. Human error was a contributing cause in 95% of the breaches analyzed in the IBM Cyber Security Intelligence Index Report, in other words roughly 19 out of 20 of them.14
That’s why cyber insurance is so important: it adds a layer of financial protection in the event of a security incident or data loss. Once data leaves your own systems, whether to a cloud service, a business partner, or a connected device, you cannot always control who has access to it, and that includes the personal information your business collects, stores, or sends. You can and should implement safeguards for confidential data, but an attacker might still break into your business storage.
The one thing you can control is whether or not your business is prepared for cybersecurity threats. Entrepreneurs and self-employed workers can benefit significantly from cyber insurance. Thankfully, you can get two different types of cyber insurance through Woligo – data breach insurance and cyber liability insurance.
Data breach insurance
Data breaches involve the exposure of personal information and can happen in several ways. Maybe an attacker breaks into your business storage, or perhaps an employee opens an email attachment that carries malware and that leads to a security incident. Unfortunately, that is the world we live in. Data breach insurance may help cover costs such as notifying all customers, patients, or employees affected by a breach. The coverage can also help pay for a public relations firm to handle the security incident and for credit monitoring services for the people whose data was exposed.
Cyber liability insurance
Cyber liability insurance helps cover your business after a cybersecurity threat. It is used to respond to a security incident and may help cover legal services, lost income, and lawsuits that emerge because of the cyberattack or other security issues.
Whether you are self-employed or are just looking for another layer of added security (because you can never have too much), a safeguard discount plan could be right for you. ID Sanctuary is one of the many benefits you get with our safeguard discount plan, and it immediately gets to work guiding you through the identity restoration process if your information is exposed in a security incident. Most of the time, we catch these problems well before they escalate. As part of our identity theft insurance, we offer checking and savings account alerts, credit bureau reports and monitoring, and credit inquiry alerts.
Be prepared for a security incident
No one is immune to hackers. They can target and extract personal information on any of your business’ computers. Robust business network security combined with cyber insurance and safeguard products help you spring into action and respond quickly in the event of a breach or security incident. Together, they help cover your bases so that your company experiences as little damage as possible if anything happens.
- IC3 Releases 2020 Internet Crime Report — FBI
- Stay safe from cybersecurity threats (sba.gov)
- What is a Cyberattack? - Definition from Techopedia
- Top 10 Most Common Types of Cyber Attacks (netwrix.com)
- The Role of Human Error in Successful Cyber Security Breaches (usecure.io)
- GSA Rules of Behavior for Handling Personally Identifiable Information (PII) | GSA
- What is Personally Identifiable Information? | Homeland Security (dhs.gov)
- Are Businesses at Risk of Litigation in the Event of a Cybersecurity Breach? - Legal Reader
- BEWARE: You Can be Sued for Cybersecurity Negligence (getcryptostopper.com)
- 60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself | Inc.com
- Cost of a Data Breach Report 2020 (ibm.com)
- The Role of Human Error in Successful Cyber Security Breaches (usecure.io)