Protecting your business from burglars can be as simple as installing a few security cameras and locking the doors every night before heading home.
Hackers, however, tend to be much more creative. As technology continues to evolve and businesses become more aware of the importance of protecting their valuable private data, hackers continue to figure out new and deceptive ways to bypass security measures.
This is why it’s crucial for you and your team members to familiarize yourselves with the various tricks and tactics hackers and cybercriminals have up their sleeves in order to avoid falling victim to them.
Here are just 6 of the ways that your business might get hacked.
1- Credential Stuffing
Credential stuffing works under the assumption that many people use the same password for multiple accounts, which is unfortunately very true.
Suppose a social media site your business uses gets breached and the attacker obtains your account’s email address and password. Credential stuffing tooling then replays those stolen pairs, usually thousands at a time, against the login forms of other services, hoping that some of them work there as well.
If you use the same password everywhere, that one leaked pair has effectively handed the attacker immediate access to most of your other accounts, with no guessing required.
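The pattern just described leaves a recognisable trace on the receiving side: one source address trying many different usernames, mostly failing, in a short burst. The following is an added example, not Myki’s code or part of the original article; it runs over constructed log lines in an assumed format ("<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>") and flags sources whose behaviour looks like a stuffing run, listing any account they did get into so its password can be reset.

```python
"""Credential-stuffing detection over constructed login-log lines.

Added example, not code from the original article. The log format
"<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>" is an assumption;
adapt parse_line() to whatever your login service actually writes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source replays a breach list against six accounts in
# a few seconds (one pair works), while two other sources show ordinary use.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ip=203.0.113.7 user=alice result=fail
2024-05-01T09:00:02 ip=203.0.113.7 user=bob result=fail
2024-05-01T09:00:03 ip=203.0.113.7 user=carol result=fail
2024-05-01T09:00:04 ip=203.0.113.7 user=dave result=fail
2024-05-01T09:00:05 ip=203.0.113.7 user=erin result=fail
2024-05-01T09:00:06 ip=203.0.113.7 user=frank result=ok
2024-05-01T09:00:10 ip=198.51.100.20 user=alice result=fail
2024-05-01T09:00:40 ip=198.51.100.20 user=alice result=ok
2024-05-01T09:01:00 ip=192.0.2.9 user=grace result=fail
2024-05-01T09:01:30 ip=192.0.2.9 user=grace result=fail
2024-05-01T09:02:00 ip=192.0.2.9 user=grace result=ok
"""


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) for one log line (assumed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "ok"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within `window`, tried at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.

    A human who forgot a password fails repeatedly on ONE account; a stuffing
    run fails on MANY accounts because each stolen pair is tried once.
    Returns {ip: summary}; summary["compromised"] lists usernames the source
    did log into successfully (those passwords are burned and must be reset).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # keep the widest window that matched for this source
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": fails,
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
        if best:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged (six usernames, five failures, one success on "frank"); the user who mistyped their own password twice is not. The thresholds are deliberately conservative and are the knobs to tune against your own traffic; a hit should trigger a password reset for the compromised accounts and rate limiting or blocking for the source.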
2- Phishing
Cybercriminals send out phishing emails en masse, hoping to trick people into clicking on a shady link or downloading malicious software (malware).
Suppose one of your team members receives an email which claims to be from “Google”, informing them that their account is at risk and that they need to follow a link for instructions on how to fix the issue. The link takes them to a convincing copy of the Google sign-in page which asks for their email address and password.
As you’ve probably guessed, that isn’t an email from Google, and that login page isn’t the real one: it is hosted on a domain the attacker controls, and whatever is typed into it goes straight to them. The address bar, not the look of the page, is what gives the fake away, so check the domain before entering credentials.
3- Spear Phishing
Spear phishing is a much more sophisticated form of phishing where a hacker specifically targets one particular person or organization.
Suppose you receive an email from your longtime team member, Jim. He starts his email with a friendly “Hiya”, like always, and asks if you can send him the credentials for one of your shared work accounts because he forgot them. You’re mildly annoyed but quickly reply to Jim with the password in question so you can carry on with your work.
In reality, “Jim” was a hacker who did a bit of research on the real Jim in order to mimic his writing style, and used email spoofing (a forged From header, or a lookalike address carrying Jim’s display name) so that the email appeared to come from your trusted coworker rather than from an unfamiliar address. Forging the From header only gets through when the receiving mail system doesn’t check SPF, DKIM and DMARC for your domain, which is one reason to enforce them; and a request for credentials by email is a red flag no matter who appears to have sent it.
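A mail gateway that checks SPF, DKIM and DMARC records its verdicts in an Authentication-Results header, and those verdicts, together with the envelope sender and any Reply-To, are what separate a spoofed “Jim” from the real one. The following is an added example, not Myki’s code or part of the original article: it runs that check over two constructed messages (the domains and addresses are made up) and assumes the gateway has already written the Authentication-Results header.

```python
"""Spoofed-sender check on two constructed messages.

Added example, not code from the original article. It assumes your mail
gateway already evaluates SPF, DKIM and DMARC and records the verdicts in an
Authentication-Results header (as most gateways do); the domains and
addresses below are made up.
"""
import email
import re
from email.utils import parseaddr

# Constructed: From claims to be Jim, but DMARC failed, the bounce address and
# Reply-To point at other domains, and the body asks for credentials.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.yourcompany.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=yourcompany.example
From: Jim <jim@yourcompany.example>
Reply-To: jim.work.mail@freemail.example
To: you@yourcompany.example
Subject: quick favour

Hiya, can you send me the login for the shared account? Forgot it again.
"""

# Constructed: the same sender, legitimately sent through your own domain.
GENUINE_MSG = """\
Return-Path: <jim@yourcompany.example>
Authentication-Results: mx.yourcompany.example; spf=pass smtp.mailfrom=yourcompany.example; dkim=pass header.d=yourcompany.example; dmarc=pass header.from=yourcompany.example
From: Jim <jim@yourcompany.example>
To: you@yourcompany.example
Subject: lunch

Hiya, lunch at 1?
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of reasons to distrust the visible From address.

    An empty list means the message is consistent with its claimed sender;
    it does not prove the sender's own account wasn't compromised.
    """
    msg = email.message_from_string(raw_message)
    reasons = []
    from_dom = domain_of(msg.get("From"))

    # Gateway verdicts: DMARC ties the SPF/DKIM result to the From domain the
    # reader actually sees, so a DMARC fail is the strongest single signal.
    auth = msg.get("Authentication-Results") or ""
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for check in ("dmarc", "dkim"):
        if verdicts.get(check) != "pass":
            reasons.append(f"{check}={verdicts.get(check, 'missing')}")

    # Envelope sender (Return-Path) and Reply-To normally match From; a reply
    # silently routed to another domain is classic spear-phishing tradecraft.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            reasons.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    return reasons


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED_MSG))
    print("genuine:", spoofing_indicators(GENUINE_MSG))
```

The spoofed message trips four indicators (DMARC fail, no DKIM signature, a foreign bounce address and a foreign Reply-To); the genuine one trips none. Mailing lists and bulk senders legitimately use a different Return-Path, so treat the envelope mismatch as a reason to look closer rather than a verdict on its own, and publish a DMARC policy of reject for your domain so the gateway drops forged From headers before anyone reads them.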
4- Keyloggers
A keylogger is a piece of malware that secretly records everything you type on your keyboard and relays it to a third party, who can then read your keystrokes at leisure.
Suppose one of your team members falls for a particularly convincing phishing email and downloads its nasty attachment. If that attachment is a keylogger, then they’ve just given one particularly lucky hacker a window into some very private information.
Since a keylogger records everything you type, it’s not just your passwords that would be relayed to them. Your team member could inadvertently be sharing all kinds of sensitive information about your business, and even personal information, all without realizing it.
5- Ransomware
Ransomware is a form of malware that encrypts your files and locks you out of them. As the name suggests, the attacker then demands an often hefty ransom for the decryption key. Without a recent backup kept offline, paying is frequently the only route back to the data, and even paying is no guarantee of getting it back.
Suppose you download an innocuous looking email attachment one night, after which you shut down your computer and head home. The next morning, you log back on, only to be greeted by a popup window informing you that your files have been encrypted, and that you must pay $1000 worth of Bitcoin to regain access to them.
Compared to someone stealing your passwords, this sounds like something straight out of an action thriller, but it is far more common than you might think. Ransomware has hit all types of businesses and institutions, including shipping companies and hospitals, and even city governments, as Baltimore found in 2019.
6- Insider Threats
As hard as it might be to believe, sometimes the risks can come from within. An insider threat is defined as a malicious threat to an organization that comes from people within the organization, such as employees, former employees, etc.
The keyword here is “access”. Suppose one of your team members leaves your business on less than favorable terms, but one day they realize that they still have access to all their work accounts and decide to have some sinister fun. Or suppose one of your junior team members accidentally leaks some private information they were never meant to have access to in the first place.
Human error and malicious behaviour are difficult to predict, which makes this one of the toughest security risks to prevent. The practical defence is to limit what any one person can reach in the first place (least privilege), and to revoke all of their access, shared logins included, as part of offboarding on the day they leave.
Use the right tools
When it comes to protecting your team and your business against these kinds of threats, two of the best tools would have to be: common sense and a password manager.
It’s not exactly a good idea to reuse the same password for all your accounts, but with a password manager, you’ll be able to quickly and easily set strong and unique passwords for each of your accounts and quickly change any of them in case of a data breach.
Be sure to carefully scrutinise any suspicious emails you receive, and turn on two-factor authentication so that a stolen password alone is not enough to get into an account. Many password managers can store the one-time-code secret for you; that is convenient, but it keeps both factors in one place, so for your most sensitive accounts a separate authenticator app or a hardware security key is the stronger choice.
Common sense can’t autofill your passwords for you, but a password manager can, so the password is never typed and a keylogger never sees it. That helps against a keylogger specifically; malware with broader access to the machine can still read the clipboard, the screen or the browser, so autofill is a mitigation, not a substitute for keeping the malware off the machine in the first place.
Another thing common sense can’t do is make sure none of your ex-team members wreaks havoc after leaving the company. A password manager with shared vaults lets you see which shared credentials a departing team member could still use, revoke their access and rotate those passwords on the day they leave; accounts they hold directly still need to be disabled as part of your offboarding checklist.
Use common sense. Use a password manager.
The above article was written by Myki and originally published on the Seedstars World blog.