Six Surprising Reasons That Hackers Target Small Businesses

It’s likely that professional hackers and cyber-criminals get a good chuckle over most of the passwords they encounter when breaking into the infrastructure of a small business.

Why do hackers come after small businesses and what do they want? Here’s a deep dive into the making of the perfect crime.

Small businesses don’t take passwords seriously.

A 2014 survey by BetterBuys revealed that a good hacker with the right software could crack a six-letter password such as “beagle” in 0.29 milliseconds. If you add in your beagle’s birth year and make that password “beagle2006”, the hacker’s time to crack it increases. Put a random character in front of the whole thing (#beagle2006) and the time to break it grows exponentially. Unfortunately, too many small business owners use simple passwords because they are the easiest to remember. Hackers thrive on that sort of laziness.
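As an added illustration (not part of the original article or the BetterBuys survey), the script below estimates the brute-force search space implied by the three passwords above and flags the ones that fall under a minimum-entropy policy. The guess rate is an assumed placeholder, and the figures are upper bounds: dictionary and rule-based cracking finds a word plus a year far faster than exhaustive search, which is why the policy check treats them only as a floor.

```python
import math
import string

# Character classes a password may draw from. If a password uses any
# character of a class, exhaustive search must cover the whole class.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def keyspace(password: str) -> int:
    """Size of the brute-force search space implied by the classes used."""
    if not password:
        return 0
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)

def entropy_bits(password: str) -> float:
    """Search space expressed in bits (an upper bound, not a dictionary-aware estimate)."""
    return math.log2(keyspace(password)) if password else 0.0

def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive search time at an ASSUMED guess rate (placeholder value)."""
    return keyspace(password) / guesses_per_second

def meets_policy(password: str, min_bits: float = 60.0) -> bool:
    """Policy floor (assumed value): reject anything whose best-case strength is below min_bits."""
    return entropy_bits(password) >= min_bits

if __name__ == "__main__":
    for pw in ("beagle", "beagle2006", "#beagle2006"):   # the article's own examples
        print(f"{pw:12s} {entropy_bits(pw):6.1f} bits  "
              f"~{crack_time_seconds(pw):.3g} s  policy_ok={meets_policy(pw)}")
```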

Small businesses are much easier to hack.

The typical small business will probably invest in a firewall and some anti-virus software to protect itself from unwanted visitors. A big company will have multiple redundancies in place to protect its data. It will generally also have an IT department on the lookout for unexpected activity or have its entire infrastructure in the cloud where a separate entity is providing security.

A good comparison is a smash-and-grab thief eyeing the security at a department store compared with that at a Mom-and-Pop watch repair store. The department store might be the better payoff, but the protection is infinitely tighter. Better to use a bolt cutter on the padlock and snip the alarm cords at the little store for surefire success.

Small businesses have valuable data.

Hackers breaching your small business infrastructure aren’t going after your proprietary information or even your customers’ credit card numbers. What they really want is personal information, things like:

  •    Employee or customer names
  •    Addresses and phone numbers
  •    Dates of birth and Social Security numbers
  •    National insurance data
  •    Income data
  •    Driver’s licenses or photo IDs

Credit card numbers have a meager shelf life for resale in the digital environment. The first sign of suspicious activity will get a credit card flagged, and the first word from its cardholder will cancel it and render it useless.

But stealing personal information usually does not set off any flags. More importantly, it allows criminals to use your identity to:

  •    Open a bank account
  •    Open a credit card
  •    Get a passport
  •    Get a driver’s license
  •    Fill medical prescriptions

Small businesses will pay ransomware demands.

Ransom malware (ransomware for short) is the result of hackers breaking into infrastructure and inserting malicious code that will activate at a specific time in the future. When active, ransomware will freeze a business’ infrastructure and make user activity or data retrieval impossible. The ransomware will demand a payment – usually in cryptocurrency – in exchange for a key to unlock the user’s data.

Big businesses are rarely affected by ransomware, either because they have the IT security to render it ineffective or because their data and systems have multiple redundancies to prevent precisely this sort of thing from happening.

Small businesses rarely have multiple backups in place and thus can find themselves entirely neutralized by such an event. In turn, they have to pay the ransom and hope the criminals behind it are honest enough to deliver the key in return. A 2017 report by CNet found that ransomware had hit 32% of all businesses and that a full 20% of those went out of business for good as a result.

Small business employees are not careful with their logins/passwords.

If you work for a large corporation, chances are you get at least half a day of on-the-job training about the security of your usernames, passwords, and company-issued hardware. The nitty-gritty of such practice is often largely forgotten over time, but the message usually gets through: Guard our stuff or face the music.

Small business employees are often contract or part-time employees who work from home while traveling or just when not at their other job. This sort of flexible employment can see them logging into the small-business network from unprotected locations such as airports, hotels, coffee shops, and schools.

Seeing what someone else is doing on a public system is Hacker 101 stuff. Usernames and passwords can be compromised without the employee ever realizing something has been stolen. When employees are careless with where and how they log onto the system, they allow cybercriminals to walk right through the front door of your network and start looking around for what’s worth taking.

Small businesses often have larger partners.

Remember the hack of Target’s customer database in 2013? The hackers that perpetrated it never broke into the retail giant’s infrastructure at all. Instead, they stole credentials from a refrigeration/HVAC company called Fazio Mechanical Services located in Sharpsburg, Pennsylvania, a town of just 3,300 people.

According to its website, Fazio Mechanical Services provides refrigeration and HVAC services to high-quality supermarket systems. Its HVAC systems are Internet of Things (IoT) devices, which commonly have security flaws. Fazio had an entry into Target’s database for billing, contract submission, and project management.

When hackers stole Fazio’s credentials, they realized that Target did not have a segmented database, meaning all of its data, including customer credit card information, was fair game. Plenty of small businesses have more prominent companies as clients. If a small business’ security is lax, it jeopardizes all of its clients as well, not to mention putting its own branding in considerable doubt for those same clients.