Complex Cyber Crimes Targeting Small Businesses

October 10, 2018

October is National Cyber Security Awareness Month, so it’s a good time to review your cyber security strategy. Many small businesses think they won’t be targeted by cyber criminals because the hackers will go after large companies instead. In reality, nearly half of small businesses have suffered a cyber attack in the past year. Hiscox claims data shows that a business is 40% more likely to be the victim of a cyber attack than a burglary. Attacks are becoming more sophisticated, more varied, and more difficult to detect.

Cryptojacking and Ransomware Related Cyber Crimes

Ransomware, payment diversion fraud, and targeted hacks are the most common types of cyber attacks. But more sophisticated crimes like cryptojacking (surreptitiously using a business’s network to mine for cryptocurrency) and Border Gateway Protocol (BGP) hijacking (taking over groups of computer IP addresses) are increasing.

Another growing trend is the ‘man in the middle’ cyber attack, where an email is intercepted and altered. A hacker intercepts an email message from a vendor requesting payment, and changes the account number to which the payment should be sent. The recipient thinks they are paying a legitimate bill, but the money is actually going to the hacker.

Cyber Alert: Form Jacking is a Potential Threat for All Businesses

Form jacking is a new cyber attack in which cyber criminals harvest credit card details from e-commerce websites. Specifically, hackers take advantage of the code that businesses use to process credit card details, infecting it with malicious JavaScript. The malicious code captures the credit card details entered for a legitimate purchase and diverts them to the attackers. JavaScript is a ubiquitous programming language used in the development of websites and website enhancements.

By infiltrating a third-party service provider, the hacker gets access to that company’s customers and can harvest large amounts of data, which represents a significant risk to providers. In short, the service provider is inadvertently distributing the malware on behalf of the hacker. Symantec reports over 250,000 recorded attack attempts since August 13th. Often, the malware is specifically designed to work with the target company’s infrastructure, making it difficult to detect.
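One way a site owner can check for the provider-side tampering described above is to audit which third-party scripts a checkout page loads and whether each is pinned with a Subresource Integrity hash. The Node.js sketch below is an added example, not code from the original article or from Hiscox; the hosts, file names, script bodies and function names are all constructed for illustration.

```javascript
// Added example: audit a checkout page's third-party <script> tags for
// Subresource Integrity (SRI). All hosts, file names and bodies are constructed.
const { createHash } = require('node:crypto');

// SRI value in the form browsers expect: "sha384-<base64 digest>".
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// Read one double-quoted attribute out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(attrs);
  return m ? m[1] : null;
}

// Report every script loaded from another origin. `fetched` maps URL -> body
// as currently served (retrieved by the caller; no network access here).
// The regex tag scan is a simplification suitable for an audit script.
function auditScripts(html, pageUrl, fetched) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(m[1], 'src');
    if (!src) continue;                                   // inline script
    const url = new URL(src, pageUrl);
    if (url.origin === new URL(pageUrl).origin) continue; // first party
    const pinned = attr(m[1], 'integrity');
    const body = fetched[url.href];
    let status;
    if (!pinned) status = 'no-integrity';        // provider can change it silently
    else if (body === undefined) status = 'not-fetched';
    else if (pinned.split(/\s+/).includes(sriHash(body))) status = 'ok';
    else status = 'hash-mismatch';               // served code differs from reviewed code
    findings.push({ url: url.href, status });
  }
  return findings;
}

// Constructed sample: reviewed vendor script vs. what the provider now serves.
const REVIEWED = 'function pay(card) { return submit(card); }';
const SERVED = REVIEWED + '\n/* constructed: code added after review */';
const PAGE = `<html><body>
<script src="/js/cart.js"></script>
<script src="https://cdn.payments.example/checkout.js" integrity="${sriHash(REVIEWED)}" crossorigin="anonymous"></script>
<script src="https://chat.example/widget.js"></script>
</body></html>`;

function runSample(paymentBody) {
  return auditScripts(PAGE, 'https://shop.example/checkout',
    { 'https://cdn.payments.example/checkout.js': paymentBody });
}
console.log(runSample(SERVED));
```

A `hash-mismatch` means the provider is serving something other than the code that was reviewed, and a `no-integrity` finding marks a script the provider can change without the site noticing.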

The Implications for Victims

In most cases, affected companies must pay to notify those whose information may have been compromised, and pay the cost to issue new credit cards. There may also be a business interruption cost while the threat is isolated and eradicated. 

As hackers are becoming more sophisticated, regulations are becoming more onerous, resulting in a one-two punch for businesses. The European Union recently enacted the General Data Protection Regulation, or GDPR. This policy is responsible for all the notices you’ve been getting about companies updating their privacy policy, and it affects all companies in the EU, and any company anywhere in the world that maintains information on citizens of the EU. 

GDPR requires a response within 72 hours if personal information has been breached. In the US, businesses may be subject to different regulations.

Protect Your Business from Cyber Crime

To protect your business and your customers from these evolving threats, your company should have a cyber security plan in place. To learn how to prevent, detect, and mitigate a cyber attack, download the 2018 Hiscox Small Business Cyber Risk Report.

Cyber insurance can protect your business from the costs associated with a cyber attack, and Hiscox’s cyber coverage includes access to expert resources to help deal with an attack, minimizing the downtime and cost to your company.

October is a good time to look at what more you could be doing to protect your company from emerging cyber threats all year long.