Why Small Businesses Get Hacked?

It’s hard to believe that small businesses get hacked when we see the news about large-scale breaches happening in big corporations. Recent events have shown us that a lot of big corporations have had immense breaches due to poor security measures.

Highlighting the WannaCry outbreak and Equifax breach, we somehow think that the big corporations are more of a target than small businesses.

Actually, the situation is not what it looks like, of course, the attacks targeted to small and medium-sized businesses are not on the first page of the newspapers, but in reality, according to the statistics, more than half of the attacks usually are against small business websites.

They got hacked four times in a row

A really good example comes from Austria and it’s about a hotel, that was hacked four times in a row. A beautiful hotel in Austria Alps was hacked four times between December 2016 and January 2017 where hackers got access to the hotel’s electronic door locks.

“We got a ransomware mail which was hidden in a bill from Telekom Austria,”  says Mr. Brandstatter. – BBC News

In addition to unusable door locks, the hotels hard drive was compromised and the hotel had to pay a ransom of two bitcoins, which, at the moment, is a really big amount of money.

So why small businesses get hacked?

Small businesses get hacked because they are usually the ones low in security and therefore are a primary target for hackers.

Awareness in the cyber world is still one of the biggest problems as business executives and employees are unaware of the risks that the cyber world holds.

“Actually, as a small business you do not really think that anybody’s interested in you for hacking, so we had no plan what to do,” Mr. Brandstatter. via. BBC News

No organization wants its data to be compromised, as the result is not only a reputation loss but also penalties or fines. Proper security awareness and protection will reduce the risk to the organization’s data and information systems.

To small and medium-sized enterprises wondering why would anyone hack them, we have to say that it’s not them the hacker is targeting in most cases, but first, let’s clear out the most common ways small businesses get hacked.

How many small businesses get hacked?

As mentioned, in most cases hackers do not target specific businesses in particular. They get data and use the data to their advantage. We will give an example of how WordPress sites get hacked.

Hackers are targeting known vulnerabilities in WordPress plugins and are using automated tools to try and get access to thousands of sites at once. For example, this website hacking statistics article shows that 98% of WordPress vulnerabilities are related to plugins.

Vulnerabilities are used to get access to your site, infect it with malware of insert SEO spam to gain financial profit using your site.

Statistics show that cybercriminals started to shift their focus already back in 2017. In the 2019 report, it was stated that hackers are starting to target more and more small businesses, which has resulted in a 424% increase in authentic and new breaches from 2017.

Another example comes from the Manifest which surveyed 383 small business owners who use a mobile app and/or website to connect with customers. They wanted to know how they protect themselves from cyber-attacks and how has it worked out.

They found that 64% of small businesses are going to invest more in cybersecurity in 2020 than before. The reason can be that they experience their sites getting hacked and attacked more frequently.

The latest data from Forbes shows that about 30 000 websites get hacked every day. And what’s more, these 30 000 sites are usually legitimate small businesses sites, that are unwittingly distributing malware. 

How do companies get hacked?

Let’s look over the most common ways companies and small businesses get hacked to know how to protect your business.

Phishing scams

It is a known fact that human is one of the weakest links when it comes to cybersecurity. One popular technique in phishing is to trick you into entering your username and password (such as website admin panel password) to a fake login form.

How to detect a phishing scam?

When you start typing your credentials look at the URL at the browser bar. Make sure the URL is written correctly. Better yet, if the email contains a link to a site you often sign in to, don’t use the links sent to you in the emails. Open a new tab and sign in by writing the URL yourself.

This will ensure that you are most definitely log in to the right site, not a replica made to get your username and password.

Third-party code – plugins and themes

The plugins and themes that you use on your websites, for example, WordPress sites, are build by developers around the world. When a plugin is listed in the WordPress repository, it is checked by the WordPress security team.

After that when a plugin receives updates, there is no one who checks it for vulnerabilities rather than hackers and web security teams.

We do constant monitoring for these kinds of vulnerabilities since it is usually the most common way websites get hacked. After checking for vulnerabilities we send a virtual patch to our web application firewall. All the sites that have our firewall installed will be safe from the vulnerability when hackers try to use it to access sites.

This is why you should invest in website protection, so that your website, which is the face of your company could be safe and would not be a gateway to getting more of your data.

You can learn about how to protect your website by clicking on the online chat on the bottom right side of this page and we will help you to understand how to keep your company safe from these kinds of attacks.

Password security

Passwords are a topic that is usually present in every cyber-security how-to article. It is simply so important to use strong passwords and set up brute-force protection.

We have written an in-depth article on how to manage passwords, which will help you understand each angle you need to stay protected. You can read more about passwords here.

3 most important key takeaways from the article:

1. It’s important that all your passwords are unique. 
2. To remember your password start using a password management tool – see the free ones here.
3. Set up 2-factor authentication on all your important accounts. See how to do that here.

Small business website security is crucial

A lot of hacks happen because the staff is not aware of the risks. We encourage you to educate more in terms of cybersecurity. Not only about your website (what to do and what not do to, how to update and patch the vulnerabilities) but also everything that is happening all over the web.

Hackers like everyone else innovate and sometimes it is very hard for you to understand what is legitimate and what not.

Cybersecurity is often misunderstood as a technical problem, but almost every breach is directly or indirectly caused by bad cyber hygiene or just the lack of security awareness.

Of course, there is a happy ending to the incident mentioned above, the hotel installed firewalls and new antivirus software, trained its staff, and changed the locks into manual (which isn’t actually necessary if you have proper security measures in place).

Take your first step towards protecting your company. It’s an ongoing process that should always stay in the back of your mind. You can start a 7-day trial here for free, by protecting the online face of the business – your website.