How SMBs can better protect sensitive data against cyberattacks
Know your enemy and know your risk are two pieces of advice offered in a new report from security company eSentire.
Any organization can be the victim of a cyberattack that results in stolen data, customer mistrust, and a damaged reputation. Large enterprises may possess the necessary expertise, money, and resiliency to help them survive such an attack. Small and medium-sized businesses, however, might lack the resources it takes to bounce back from a severe cyberattack. But there are strategies that SMBs can and should employ to better safeguard their critical data, as described in a Friday report from eSentire.
Know your enemy
Understanding the means and motives of cyberattackers is one crucial way to defend against a breach. Though financial gain seems like the logical motive behind most cyberattacks, industry studies and interviews with hackers point to other reasons, according to the report. Among the responses from hackers, 86% said they hack because they like the challenge to learn, 35% said they hack for the fun of it, 21% pointed to financial gain, while 6% said they hack for political or social reasons.
Many hackers look at the theft of sensitive data as a trophy. And the more sensitive the data, the greater the status. Though cybercriminals are obviously aware of the risks of prosecution, many discount the likelihood of being caught. Some 77% of hackers said their presence is rarely identified during an attack. A full 90% boasted that they can cover their tracks after a breach in less than 30 minutes.
The key to protecting your data is to think of a cyberattack from the attacker’s perspective. As such, SMBs should analyze their sensitive data by looking at the following questions from the hacker’s point of view:
- What is my data worth from a social perspective?
- What is my data worth from a financial perspective?
- What is the ease of obtaining my data?
- What is the risk of being caught?
- What are the consequences of being caught?
Knowing how and where a hacker may attack your business is also crucial. Businesses may be careful about what data they expose to the Internet. But the increased use of cloud-based applications and IoT devices has made this task more challenging. For example, hackers typically hunt for vulnerable areas by using mass scanning tools such as Shodan, which is touted as the world’s first search engine for Internet-connected devices.
In a simulated attack, an ethical hacking team at eSentire was able to identify specific IP ranges and domain names within the target organization’s infrastructure, leading them to a password reset tool. Using this tool required four items: a username, date of birth, the last four digits of a social security number, and the answer to a custom security question. Through social engineering, the team was able to identify an employee they could leverage to gain this information. Then, by using the Dark Web and other resources, the team obtained the necessary information, through which they gained access to an Active Directory where they were able to control other accounts.
The simulated attack revealed two strategies that lend themselves to cyberattacks: brute force and weak passwords.
A brute force attack uses an automated program to make thousands or millions of login attempts with different usernames and passwords. Though many login applications will lock out an account after a certain number of failed attempts, a smart hacker can use brute force without triggering the lockout.
Further, people in an organization tend to use the same passwords simply because they can’t remember a different password for everything. Many companies also require employees to change their passwords regularly. But rather than concoct an entirely new password, users may simply use a date or season as all or part of the password. Knowing this, the eSentire team was able to brute force two passwords: summer2017 and summer17, which gave them access to 39 different accounts.
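On the defensive side, guessing that stays under a per-account lockout still leaves a trace in authentication logs: one source failing against many different accounts, a few attempts each. The sketch below is an added example, not from the eSentire report; the log format, the thresholds, and the `find_spraying` name are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO time> <source IP> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.7 alice FAIL
2024-05-01T09:00:40 203.0.113.7 bob FAIL
2024-05-01T09:01:20 203.0.113.7 carol FAIL
2024-05-01T09:02:00 203.0.113.7 dave FAIL
2024-05-01T09:10:00 198.51.100.20 bob FAIL
2024-05-01T09:10:30 198.51.100.20 bob OK
2024-05-01T09:35:00 203.0.113.7 alice FAIL
2024-05-01T09:35:40 203.0.113.7 bob FAIL
2024-05-01T09:36:20 203.0.113.7 carol OK
2024-05-01T09:37:00 203.0.113.7 dave FAIL
2024-05-01T09:40:00 192.0.2.9 frank FAIL
2024-05-01T09:40:05 192.0.2.9 frank FAIL
"""

def find_spraying(log, window=timedelta(hours=1), min_accounts=4, lockout=5):
    """Flag sources that fail against many accounts while every account stays
    below the lockout threshold (values are assumptions; tune to your policy)."""
    fails, oks = defaultdict(list), defaultdict(list)
    for line in log.split("\n"):
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        bucket = oks if result == "OK" else fails
        bucket[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in events[start:end + 1])
            best = findings.get(src, {"accounts": []})
            if (len(per_user) >= min_accounts and max(per_user.values()) < lockout
                    and len(per_user) >= len(best["accounts"])):
                since = events[start][0]
                findings[src] = {
                    "accounts": sorted(per_user),
                    "max_failures_per_account": max(per_user.values()),
                    # Successful logins from a flagged source need review and a reset.
                    "logins_to_review": sorted({u for t, u in oks[src] if t >= since}),
                }
    return findings
```

Only 203.0.113.7 is flagged in the sample: the user who mistyped a password once and the source hammering a single account do not match the many-accounts, few-attempts pattern.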
Know your risk
To protect your sensitive data, you also need to evaluate the level of risk, specifically the financial risk, if that data were to be compromised. That means identifying the data in your organization you consider to be sensitive.
In a recent eSentire survey of 300 security professionals, a full 63% said they had not clearly identified what constituted sensitive data in their business. Among those, 55% said they had no formal data classification policy, while just 51% said they felt confident in their ability to detect and respond to an attack directed toward their sensitive data.
Pages 8 and 9 of the report offer an equation that you can use to calculate your financial risk of compromised sensitive data. The equation is based on several factors, including your industry, number of locations for your business, and the number of data records you’ve determined to be sensitive.
Many SMBs are still trying to catch up to the sophisticated methods used by cyberattackers. But knowing your enemy, knowing your risk, and knowing what sensitive data you need to protect are crucial first steps to mounting the right type of defense.