
How to keep your business safe from hackers

Things to look for according to a ‘superhacker’


To defeat any enemy, you have to know how they think. Read on to understand what hackers look for – and how they spot vulnerabilities – so that you can protect your business from black-hat tricks.

There is something soothing about a world underwater. 
Fish tanks are relaxing to look at. Research shows that watching these aquatic animals reduces our stress and lowers blood pressure. One study even found that an aquarium effectively chills out patients waiting at a dentist’s office.
Impressive stuff.
But for one business at least, the lobby fish tank became a source of considerable stress.
According to The Washington Post, a North American casino was hacked through its aquarium in 2017. The artificial habitat was equipped with sensors that modulated its temperature, food, and conditions. This digital device connected to a local PC, and so cyberattackers used it as a port of entry to the larger network. 

And boom. They were in. 
The rise of homeworking during the pandemic exposed us without us noticing. Away from the office, we connect our work laptop to our home internet without thinking. We connect our work mobile to our virtual assistants and other IoT devices.
In fact, 80% of IT organisations found IoT devices on their networks that they did not install, secure, or manage.
Cybercriminals jumped on the opportunity to target unsuspecting users and unsecured devices. IoT devices, according to one study from Berkeley, are attacked thousands of times every single month. Most IoT devices are inherently insecure, as they lack the bandwidth for serious encryption.
Cybercriminals use them to leapfrog into the real target. Without the right protection, something as banal as a fish tank thermometer could sink your business.
Even before the pandemic, one study from Hiscox found that a small business in the UK is successfully hacked every 19 seconds.  Since COVID-19, the problem has only gotten worse.
In the wake of the COVID-19 pandemic, cyber criminals have only gotten bolder.
In the first half of 2020, 4.83 million DDoS attacks were recorded. So-called ‘zero-day’ attacks, a name that refers to the amount of time the vulnerability was known before the attack (0), doubled in 2021. Moreover, a lot of compromised data is floating around online, unbeknownst to its owners, and available to anyone with a computer and an appetite for clandestine information.
So: what can small businesses do to protect themselves from this new breed of post-pandemic hacker?
Understanding the mindset of a cybercriminal is a good place to start.

Black hat, white hat

Brett Johnson was on America’s Most Wanted List for 39 cybercrime felonies. He built the world’s first cybercrime community called Shadow Group, a precursor to today’s darknet.
“The United States Secret Service called me the Original Internet Godfather,” he says, from his studio in California, backdropped by a giant vinyl logo bearing his name.
Brett was ‘on the ground [floor]’ of modern financial cybercrime as we know it. He's a progenitor of the online fraud schemes we encounter every day (thanks, Brett).
Now a white-hat expert with a YouTube channel, he helps companies tackle cybercrime. There are few in the industry with the same 'hands-on' experience as Brett.

Pictured: Brett Johnson, formerly on America's Most Wanted List, is now a white-hat expert.


Protecting your business against super hackers

Many SMEs treat cybersecurity as an afterthought. That’s a mistake, according to Gill and Isla Wilson, the wiz web developers behind Buttered Host, both of whom also serve as consulting security experts for Vodafone and as business.connected advisors.
“If you own a building, you invest in contents insurance, but what are you doing to protect your digital assets? You'll buy a lock for your door, right? So why wouldn’t you have a lock on your website?”
From side hustles to homeworking, the pandemic heralded a shift in the way we work. Gill and Isla say that has intensified the threats facing small businesses. They mention that setting up a business online has never been easier, but with so many low-cost services out there, cybersecurity is often kicked into the long grass.
No matter the size or nature of your company, it’s important to understand the value of the data you hold. E-commerce start-ups are in the same boat as your local gardening company.
“You might think: I don't sell anything online, so people aren’t going to steal from me. But there’s so much you can harvest. Even if it’s your password, if someone gets that, they can change privileges on your website and manipulate your visitors.”
Brett agrees, adding that he doesn’t think the common cybercriminal is very skilled. They’re social engineers. That means they're part of a wider network of hackers who exchange information online. These criminals use known exploits to access a website, bypassing generic security measures.
“Does the website have a known bypass? Read their Terms of Service, look at what type of security they use. If anything looks new, I’d ask my network: ‘Hey, have you guys encountered this? How did you get past the security?’ Usually, the answer is there.”
Brett thinks the free sharing of information is the hacker's most powerful tool.
“You see it with every single crime that takes place.”

THE TAKEAWAY: Hackers don’t need to be sophisticated to access your business data. Think about upgrading your website’s security features. Practice good cybersecurity hygiene, such as checking data breaches, and changing your password at least every 90 days (and ideally more often[1]).

Why SMEs are more vulnerable now than ever

Data leaks surged by almost 500% during the pandemic. Now, as some semblance of normalcy returns, there’s still a raft of ill-gotten info for hackers to trawl through.
“The pandemic kept everyone at home, which made it even easier to compromise a human, tricking them into giving up information,” Brett says.
Nearly one in five SMEs were victims of hacking via social media. Known exploits like phishing are nearly always responsible. Social media passwords get leaked, resulting in hijacked accounts and reputational damage.
Phishing emails aren't new. They are among the first social engineering techniques. Your junk box is probably full of them; during the pandemic, phishing prevalence rocketed, resulting in huge data breaches.
“SMEs typically don't have a lot of money, so the threat landscape facing a small company is huge,” Brett explains.
We volunteer all kinds of information every day that could harm us. A simple job spec on LinkedIn can be a valuable source of information for a hacker, warns Gill.
“Say you’re advertising for a PHP programmer with certain skills. Someone can scan this and know what tech stack the company uses. They can match that with a job application. They can guess emails because it's usually first name dot last name.”

THE TAKEAWAY: There’s value in all data. Assess what's at risk — from your website security to your business socials — and see where you might be oversharing.

How to better protect your business

“Typically, a company doesn't worry about cybersecurity until they've been hit. And at that point, it's too late.”
Brett advises SMEs to take the time to understand their unique vulnerabilities. This provides insight into how a hacker could exploit them. For instance, if 31.4% of untrained employees fail phishing tests, well — it’s time to start training them.
Writing a phishing email takes less time than exploring zero-day vulnerabilities. So, if your employees can’t spot cyberattacks, you could spend millions of pounds on security software and it won't make a jot of difference.
“Education is paramount, and the first education base has to be your employees,” says Brett. According to him, in fact, it’s the single-most effective strategy for any company.
“Business plans should include it, and you need to know how you're going to educate yourself first,” Gill adds, saying that preconceived notions about cybersecurity can be problematic.
“People have this idea that cybersecurity training is boring,” Isla says, pointing out that she failed to spot spoof emails during a work training exercise, despite coming from a techie background.
For many SMEs, lack of budget is the main barrier to cybersecurity training. Gill recommends accessing free talks online.

THE TAKEAWAY: If you only do one thing, invest in cybersecurity training. Knowing how to handle confidential data and communicate online can help your business avoid costly mistakes.

Keeping hackers out, letting customers in

Some companies take cybersecurity measures too far, which can scare off customers. Or they don't do enough, ignoring the problem until it's too late. What's the key to finding a happy medium?
“It’s called friction. You don't want customers to know there's any security in place. It needs to be a seamless transaction, but for the criminals, you want them to know there's security on site.”
Brett provides the example of CAPTCHA, a challenge-response test, which verifies that a visitor is human.
A legitimate user might experience one or two tests. But clicking through 20 or so takes a long time for someone with a foreign or obscured IP address.
Two-step verification is essential for security as it eliminates the threat of compromised passwords. If two-factor authentication is in place, a password has no value to hackers.
“It's all about increasing the time and the effort it takes a hacker to hit your site.”

THE TAKEAWAY: Make your website more frictional by using two-factor authentication. Just make sure it's still easy to access for your customers.

  • [1] Source
  • “5 IoT Threats to Look out for in 2021.” Security Intelligence,
  • Bogush, Pia. 20% of small and medium businesses have been hacked on social media - [online] Available at:​
  • CISOMAG. “4.83 Mn DDoS Attacks Reported Globally in H1 2020.” CISO MAG | Cyber Security Magazine, 1 Oct. 2020,
  • “IBM Security X-Force Threat Intelligence Index.”, 23 Feb. 2022,
  • “How Often Should You Change Your Password?”,
  • Johnson, B. (14AD). Conversation with a superhacker. Vodafone Business V-Hub. Mar. Interview.
  • KnowBe4. “Report: Phishing by Industry Benchmarking Report | KnowBe4.”, Accessed 12 Apr. 2022.
  • Lundberg, A. and Srinivasan, M. (2021). Effect of the presence of an aquarium in the waiting area on the stress, anxiety and mood of adult dental patients: A controlled clinical trial. PLOS ONE, 16(10), p.e0258118.
  • Peters, J. (2021). Another 500 million accounts have leaked online, and LinkedIn’s in the hot seat. [online] The Verge. Available at:
  • “Securing IoT Devices | Information Security Office.”,
  • ‌SOLUTIONS, A. (n.d.). IOT OPERATIONS: Reduce IoT infrastructure complexity. [online] Hewlett Packard Enterprise company. Available at: [Accessed 12 Apr. 2022].
  • StrategicRisk 2020-08-26T14:25:00. “Data Leaks Surge Almost 500% during Pandemic.” Global Reinsurance, Accessed 12 Apr. 2022
  • Vodafone Business. Cybersecurity Report. Edited by Anne Sheehan, 2nd ed., London, United Kingdom, Protecting our SMEs: cybersecurity in the new world of work, 1 Mar. 2021, pp. 3–18, Accessed Apr. 12AD.
  • Schiffer, A. (n.d.). How a fish tank helped hack a casino. [online] Washington Post. Available at:
