How to keep your business safe from hackers

Things to look for according to a ‘superhacker’.

To defeat any enemy, you have to know how they think. Read on to understand what hackers look for – and how they spot vulnerabilities – so that you can protect your business from black-hat tricks.

There is something soothing about a world underwater.

Fish tanks are relaxing to look at. Research shows that watching these aquatic animals reduces our stress and lowers blood pressure. One study even found that an aquarium effectively chills out patients waiting at a dentist’s office.

Impressive stuff.

But for one business at least, the lobby fish tank became a source of considerable stress.

According to The Washington Post, a North American casino was hacked through its aquarium in 2017. The artificial habitat was equipped with sensors that modulated its temperature, food, and conditions. This digital device connected to a local PC, and so cyberattackers used it as a port of entry to the larger network.

And boom. They were in.

The rise of homeworking during the pandemic exposed us without our noticing. Away from the office, we connect our work laptop to our home internet without thinking, and our work mobile to our virtual assistants and other IoT devices.

In fact, 80% of IT organisations found IoT devices on their networks that they did not install, secure, or manage.

Cybercriminals jumped on the opportunity to target unsuspecting users and unsecured devices. IoT devices, according to one study from Berkeley, are attacked thousands of times every single month. Most IoT devices are inherently insecure: they have little processing power and memory to spare for strong encryption, they often ship with default passwords, and they rarely receive security updates.

Cybercriminals use them to leapfrog into the real target. Without the right protection, something as banal as a fish tank thermometer could sink your business.

Even before the pandemic, one study from Hiscox found that a small business in the UK is successfully hacked every 19 seconds. Since COVID-19, the problem has only gotten worse.

In the wake of the COVID-19 pandemic, cyber criminals have only gotten bolder.

In the first half of 2020, 4.83 million DDoS attacks were recorded. So-called ‘zero-day’ attacks, named because the software vendor has had zero days to fix the flaw before it is exploited, doubled in 2021. Moreover, a lot of compromised data is floating around online, unbeknownst to its owners, and available to anyone with a computer and an appetite for clandestine information.

So: what can small businesses do to protect themselves from this new breed of post-pandemic hacker?

Understanding the mindset of a cybercriminal is a good place to start.

Black hat, white hat

Brett Johnson was on America’s Most Wanted list for 39 cybercrime felonies. He built ShadowCrew, the world’s first organised cybercrime community and a precursor to today’s darknet markets.

“The United States Secret Service called me the Original Internet Godfather” he says, from his studio in California, backdropped by a giant vinyl logo bearing his name.

Brett was ‘on the ground [floor]’ of modern financial cybercrime as we know it. He's a progenitor of the online fraud schemes we encounter every day (thanks, Brett).

Now a white-hat expert with a YouTube channel, he helps companies tackle cybercrime. There are few in the industry with the same 'hands-on' experience as Brett.

Protecting your business against super hackers

Many SMEs treat cyber security as an afterthought. That’s a mistake, according to Gill and Isla Wilson, the whizz web developers behind Buttered Host, both of whom also serve as consulting security experts for Vodafone and as business.connected advisers.

“If you own a building, you invest in contents insurance, but what are you doing to protect your digital assets? You'll buy a lock for your door, right? So why wouldn’t you have a lock on your website?”

From side hustles to homeworking, the pandemic heralded a shift in the way we work. Gill and Isla say that has intensified the threats facing small businesses. They mention that setting up a business online has never been easier, but with so many low-cost services out there, cyber security is often kicked into the long grass.

No matter the size or nature of your company, it’s important to understand the value of the data you hold. E-commerce start-ups are in the same boat as your local gardening company.

“You might think: I don't sell anything online, so people aren't going to steal from me. But there’s so much you can harvest. Even if it’s your password, if someone gets that, they can change privileges on your website and manipulate your visitors”

Brett agrees, adding that he doesn’t think the common cybercriminal is very skilled. They’re social engineers, and they belong to a wider network of criminals who exchange information online. Rather than discovering new flaws, they use known exploits and bypasses to get into a website, sidestepping generic security measures.

“Does the website have a known bypass? Read their Terms of Service, look at what type of security they use. If anything looks new, I’d ask my network: ‘Hey, have you guys encountered this? How did you get past the security?’ Usually, the answer is there.”

Brett thinks the free sharing of information is the hacker's most powerful tool.

“You see it with every single crime that takes place.”

THE TAKEAWAY: Hackers don’t need to be sophisticated to access your business data. Think about upgrading your website’s security features. Practise good cyber security hygiene: use a unique, strong password for every account (a password manager makes this easy), turn on two-factor authentication, check whether your email addresses or passwords have appeared in a known data breach, and change a password straight away if it has. Forcing everyone to change passwords every 90 days is no longer recommended by the UK’s NCSC or the US NIST: scheduled changes push people towards weak, predictable passwords, whereas a change prompted by a breach actually closes the door.
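Checking whether a password has already appeared in a breach does not mean handing the password to anyone. The following Python example is added here for illustration; it is not code from the original article, from Vodafone or V-Hub, or from the people quoted. It implements the k-anonymity lookup used by the Have I Been Pwned Pwned Passwords service: only the first five characters of the password’s SHA-1 hash are sent to https://api.pwnedpasswords.com/range/<prefix>, and the comparison against the remaining 35 characters happens locally. The sample response body in the code is constructed for the example (only the entry for the word “password” is a real hash suffix, and every count is made up), and the User-Agent string is an arbitrary choice.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for the body returned by
# https://api.pwnedpasswords.com/range/5BAA6: one "SUFFIX:COUNT" line per
# known hash that shares that prefix. The middle suffix is the real tail of
# SHA-1("password"); the other two suffixes and all three counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)


def split_sha1(password: str) -> tuple:
    """Hash the password with SHA-1 and split the upper-case hex digest into
    the 5-character prefix that is sent and the 35-character suffix that
    never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Turn a range response into {SUFFIX: count}, skipping blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network access). Only the 5-character prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    # User-Agent value is an arbitrary choice for this example.
    req = urllib.request.Request(url, headers={"User-Agent": "sme-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if never seen).
    `fetch` is injectable so the check can run against a stored or sample body."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    # Replace the lambda with fetch_range (the default) for a real check.
    for candidate in ("password", "correct-horse-battery-staple-2024!"):
        n = breach_count(candidate, fetch=lambda _prefix: SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n} times, do not use" if n else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

A non-zero count means the password is in an attacker’s wordlist already, whatever its length or complexity; a zero count only says it is not in the corpus, not that it is strong. The same prefix-only pattern is what most password managers use for their built-in breach checks.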

Why SMEs are more vulnerable now than ever

Data leaks surged by almost 500% during the pandemic. Now, as some semblance of normalcy returns, there’s still a raft of ill-gotten info for hackers to trawl through.

“The pandemic kept everyone at home, which made it even easier to compromise a human, tricking them into giving up information,” Brett says.

Nearly one in five SMEs were victims of hacking via social media. Phishing and reused passwords are nearly always responsible: a social media password gets leaked or guessed, the account is hijacked, and the business suffers reputational damage.

Phishing emails aren't new. They are among the first social engineering techniques. Your junk box is probably full of them; during the pandemic, phishing prevalence rocketed, resulting in huge data breaches.

“SMEs typically don't have a lot of money, so the threat landscape facing a small company is huge,” Brett explains.

We volunteer all kinds of information every day that could harm us. A simple job spec on LinkedIn can be a valuable source of information for a hacker, warns Gill.

“Say you’re advertising for a PHP programmer with certain skills. Someone can scan this and know what tech stack the company uses. They can match that with a job application. They can guess emails because it's usually first name dot last name.”

THE TAKEAWAY: There’s value in all data. Assess what's at risk — from your website security to your business socials — and see where you might be oversharing.

How to better protect your business

“Typically, a company doesn't worry about cyber security until they've been hit. And at that point, it's too late.”

Brett advises SMEs to take the time to understand their unique vulnerabilities. This provides insight into how a hacker could exploit them. For instance, if 31.4% of untrained employees fail phishing tests, well, it’s time to start training them.

Writing a phishing email takes far less time than finding a zero-day vulnerability. So if your employees can’t spot a phishing attempt, you could spend millions of pounds on security software and it won't make a jot of difference.

“Education is paramount, and the first education base has to be your employees,” says Brett. According to him, in fact, it’s the single-most effective strategy for any company.

“Business plans should include it, and you need to know how you're going to educate yourself first,” Gill adds, saying that preconceived notions about cyber security can be problematic.

"People have this idea that cyber security training is boring," Isla says, pointing out that she failed to spot spoof emails during a work training exercise, despite coming from a techie background.

For many SMEs, lack of budget is the main barrier to cyber security training. Gill recommends accessing free talks online.

THE TAKEAWAY: If you only do one thing, invest in cyber security training. Knowing how to handle confidential data and communicate online can help your business avoid costly mistakes.

Keeping hackers out, letting customers in

Some companies take cyber security measures too far, which can scare off customers. Or they don't do enough, ignoring the problem until it's too late. What's the key to finding a happy medium?

“It’s called friction. You don't want customers to know there's any security in place. It needs to be a seamless transaction, but for the criminals, you want them to know there's security on site.”

Brett provides the example of CAPTCHA, a challenge-response test, which verifies that a visitor is human.

A legitimate user might see one or two tests. But a visitor who arrives from an unusual country, or through a proxy that hides their real IP address, can be served challenge after challenge, and clicking through 20 or so of them makes automated abuse slow and expensive.

Two-step verification sharply reduces the damage a stolen password can do, because the attacker also needs the second factor: a code from an authenticator app, a text message, or a hardware security key. It is not a complete cure. Text-message codes can be intercepted through SIM swapping, and one-time codes can be phished in real time, so phishing-resistant methods such as security keys or passkeys are the strongest choice. Still, with any form of two-factor authentication in place, a leaked password on its own is worth far less to a hacker.

“It's all about increasing the time and the effort it takes a hacker to hit your site”

THE TAKEAWAY: Add friction for attackers by using two-factor authentication, and challenge tests that escalate for suspicious visitors. Just make sure the site stays easy for your real customers to use.

Want help and support with your cyber security? Speak to our expert V-Hub Business Advisers, who offer tailored guidance on a range of topics.
