Data breaches at large corporations make news, but hackers and thieves are increasingly focusing their work on small businesses. According to the annual Verizon Data Breach Incident Report, 58% of data breaches are happening to local mom-and-pop operations.
"Many small businesses don't have the resources focused on security and training, and employees are not cognizant of being at risk," said Michael Bruemmer, VP of Experian Data Breach Resolution. "Some of these businesses, especially startups, may have no or small revenue, but they may be processing credit cards or holding personal data for other companies, and they don't realize they have to protect it."
Also, small businesses don't regularly share security intelligence with each other, so they may not know their neighbors or competitors suffered an attack. Hackers know this, so they target these companies. "If hackers get into one company and the route of attack seems to be working, they'll continue to do it, city by city, business by business," Bruemmer added.
According to Experian's 2018 Global Fraud and Identity Report, 63% of businesses experienced the same or more fraud in the last 12 months.
Falling Down on the Job
Overall, Verizon's annual report found 2,216 confirmed data breaches—up 11% vs. 2016—and more than 53,000 security incidents in 2017, up 32% vs. the prior year.
"One of the key takeaways from the 2018 Verizon [report] is that employees are falling victim to more sophisticated social engineering and phishing attacks," said David Vergara, Director of Security Product Marketing with VASCO Data Security. "These findings are not surprising, as attacks, especially those based on advanced phishing techniques, are evolving quickly."
According to Verizon, hackers are using tactics like phishing and financial pretexts to trick users. Human resource departments are a favorite target, as they are a gold mine of sensitive information that can be used for nefarious purposes.
These tactics are favored because they work. About 85% of data breaches can be traced back to user behavior, according to Experian. This includes reusing passwords, clicking on bad links that download keylogger software, or not verifying email messages before responding to a request.
85% of data breaches can be traced back to user behavior.
Hackers take advantage of the data that is easy to find online. While social media provides a lot of personal information, criminals use corporate websites as well to target their potential victims. The idea of using all of these information resources is to hit users in multiple socially-engineered attacks, according to Experian's Bruemmer. "It's not the complex, well-thought-out malware attack or other sophisticated plots. It's social engineering."
And unfortunately, employers and employees remain lax in following their security training or upgrading their software, leaving networks open to data breaches.
Throwing Smoke Bombs After a Robbery
Found in 39% of malware-related incidents, ransomware is now the most prevalent form of malware, according to Verizon's report. Ransomware jumped to the top slot from fourth place in 2016; as recently as 2014, it wasn't even among the top 20 forms of malware.
Ransomware locks down the system, and you may think that's the initial threat. What you may not realize is the bad guys have already been active within the network, making copies of your data for their use, and then nail you with the ransomware as they prepare to retreat. In the more than 5,000 incidents Experian investigated last year, one-third involved hackers lurking within the system long before they locked networks.
So while ransomware is the attack vector du jour, the malware is typically more of a distraction than the actual threat.
"These attacks aren't just to get Bitcoin payments," Bruemmer says. "Our forensics people liken it to throwing a smoke bomb into a house after you robbed it. It is the easy, last thing to do to get people not thinking you've taken other stuff."
Minimizing the Impact of Data Breaches
In response to the Verizon report's findings, Bruemmer pointed out two important considerations. First, hackers and threats are becoming more sophisticated; so if one mode of attack isn't working, they will search for another until they find success. Second, you can never let your guard down.
"It only takes one chink the armor to let someone in," he says.
Staying vigilant with your own online habits is the best way to help protect yourself from identity theft. Also, if you're the victim of a data breach, act quickly to lock down your personal information to minimize the impact.
Here are some other resources on data breaches and identity theft to review and share with people in your organization:
- Know what to do if your credit card or debit card is part of a data breach.
- Run a free dark web scan to see if your information appears on the dark web.
- Look into an identity theft protection product to monitor your credit, get alerted to new accounts and inquiries, and have dedicated fraud support if your identity is compromised.