10 Ways to Get Hacked: How to Protect Your Business

These days, the chances your business will get hacked are higher than ever. Here are some common hacks to be aware of, as well some fixes to help protect your organization's data.
‍

‍1. Social Engineering and Phishing

‍These days, our devices come loaded with so much security software that it’s pretty difficult to find and exploit a technological vulnerability in a victim’s machine. Our operating systems come with pre-installed security measures; we have antivirus software, adblocks and a variety of plugins to help us stay safe and feel secure.

Although it's possible, spending days probing for weak spots is expensive, and cyber attackers tend to go for the cheapest targets with the highest ROI. The easiest way to break into a computer system these days is to bypass a computer’s protection(s) altogether by aiming at a computer’s operator: a regular human being.

‍‍Fix: Spend a reasonable amount of time on security training to increase awareness across the whole company so your systems don't get hacked. You’re probably not spending enough on it—few companies have this in check—to find a way to improve existing processes and give more love to your corporate training.

You should also limit data access and encrypt data to further protect your company's content.

‍2. Dangerous Websites

‍Even tech-savvy users may visit malicious websites on occasion. These sites can infect their computers and compromise their data's safety. There are many attack vectors, including so-called "drive-by-download" attacks.

Drive-by-download attacks happen when a user authorizes the execution of untrusted and malicious software without realizing the potential danger, e.g., clicking run on malicious Java applet prompt. The name on the malware is often identical to its trusted counterpart, so harmful software is downloaded without the user knowing. Common examples include hidden exploits attacking popular software, such as web browsers or web browser plugins.

‍Fix: Conduct consistent employee education and monitor endpoint workstations to ensure they’re running correctly updated software.

‍3. Malicious USB Sticks

‍This risk is often self-generated by people with good intent. They try to figure out whose drive they’ve found in a parking lot so they can give it back. But in a malicious scenario, the USB stick is dropped on purpose by a criminal and it contains malware.

It doesn’t take a targeted attack to get yourself infected with malware. If you insert random devices such as CDs/DVDs, USB drives or any other device such as found mouse/keyboard, then you’re risking the chance you'll get hacked.

‍Fix: Use respected antivirus software and have it enabled to scan all connected devices. While it’s not foolproof and it doesn’t take much to bypass, it will reduce the likelihood of successful attacks performed by random malware or malware created by low-skilled attackers.

‍4. Weak Passwords

‍You can have the appropriate software protections in place, but it’s all for nothing if your users have weak passwords. No antivirus software or advanced web application protection techniques can protect a user from data leakage if their password is john1989.

People are often lying to themselves and others when they say they know how to create strong passwords, and this is one of the biggest problems in our industry. We’ve seen government organizations, big corporations, and individual tech giants use simple or obvious passwords, which can lead to personal accounts getting hacked and company-wide breaches.

‍Fix: Teach people how to create solid passwords and build internal systems that don't allow weak passwords. A strong password should be memorable, but it must also be long, unpredictable and unique so hackers can't guess it.

Popularize usage of password managers within your organization so you don't get hacked. These terrific tools can significantly improve the security posture of your corporation by easing the process of endpoint password management. You should also implement multi-factor authentication for an additional layer of protection against hackers with stolen credentials.‍

5. Insiders Threats

‍There is an entire industry built around stealing proprietary data. Don't make the mistake of assuming your company won’t be the target of sophisticated cyber attackers seeking the easiest way to steal your data. Hackers will often do everything they can to gain your trust, join your company and then infiltrate your networks.

But it doesn’t end there, because sometimes disgruntled employees go rogue after learning they're to be terminated. Bitterness and anger can push otherwise reasonable people to leak corporate data or destroy internal systems in hopes that no one will know who is responsible.

Whether intentional or not, data leaks happen often. Smart Content Governance is something many companies lack and need to take advantage of for added data protection.

‍Fix: Have the proper auditing software to monitor for anomalies in employee behavior. It is also wise to have good configuration of logging systems to trace attacks back to the person(s) at fault.

6. Physical Attacks

‍Many organizations forget how critical it is to protect their physical offices. If you're an attacker, why invest hundreds of hours hacking technology when you can easily follow an employee driving to the office in the morning? A real-life attack could mean hardware theft or connecting a malicious device to the corporate LAN in order to attack connected machinery and sniff the traffic.

Fix: Consider hiring a pen testing company to do a physical penetration analysis or read team engagement.

7. BYOD: Bring Your Own Doom

‍The greatest risk comes when employees bring outside devices and plug them into a corporate network. Connecting to corporate resources such as internal applications from an unsecured computer can be even more dangerous.

Often, employees connect their smartphones to corporate networks just to browse personal websites. This opens the company to digital risks because compromised devices can spy on and infect local networks.Also, when employees are allowed to bring their own infected laptops to work, which often have a variety of unmonitored software installed, their operating systems may lack security patches and basic security hygiene tools like antivirus systems.

When such computers are used, it's almost impossible to know when malicious software like spyware is installed. This can infiltrate corporate credentials and allow hackers an easy way in.

‍Fix: Provide employees with corporate computers they can take home.  WFH policies allows you to remain in control; otherwise, employee may feel tempted to use their personal computers to do a few small tasks that require connecting to the corporate VPN. Inform employees that they may use their corporate laptops anywhere they wish, but they should refrain from treating them like private computers, on which they may otherwise install games and other programs for personal use.

8. Network Hacking‍

Organizations are often unaware of all the assets that belong to them. They also lack the proper patch management policies and procedures to ensure they’re covered against newly discovered software bugs—all of which increases the likelihood they'll get hacked.

Ten years ago it was more acceptable to be a little out of date, but there is no place for such neglect today. There are bots that continuously scan the internet, enumerating and checking public services. Everyday, bots try to crack passwords to web applications and other services, including FTP and SSH.

We’re all exposed and there is no place to hide, so ensure your external infrastructure is properly hardened, or you’re endangering yourself and your company. We’re living in an era when the business behind cyber attacks is more lucrative than ever. There are many ways to monetize obtained access, including selling corporate data on the dark web and deploying ransomware to obtain personal information.

‍Fix: Know your assets, monitor them, audit them, and regularly apply patches to be ahead of the security curve.

9. Web App Attack Surfaces

‍In some cases, hacking a web application deployed in your framework may lead to a completely compromised infrastructure.

The vulnerabilities in your applications aren’t limited to those that can cause damage to the application alone. Often, breached web applications allow for elevated privileges hackers can use to dive deeper into networks. The odds you'll get hacked depend on how well architected the application and infrastructure are and what type of security vulnerability exists within the application.The joke's over when there is remote code execution, local file inclusion, or SQL injection vulnerability in your web application.

‍Fix: If you produce software, then secure coding training is critical to the well-being of your and your customers’ organizations. Web applications don’t float in space. They’re deployed in infrastructure that must be hardened and properly secured so if one application is compromised, it doesn’t put you out of business.

10. Vulnerabilities in Internal Applications

‍This deserves a special point, given how common it is to find internal corporate resources on the internet. The problem with internal applications is that they usually don’t receive as much attention as commercial software and products.

Usually, the mistaken assumption is that if it’s internal, no one will look for it and securing such devices requires a much smaller budget. Remember, when someone is trying to hack you, they're looking for the weakest link in the digital chain. If you’re not paying enough attention to securing corporate apps, hackers will take advantage of this by breaching the less-secure assets.

‍Fix: The solution is simple, but often not easy to implement. Use more resources to secure your internal apps and/or put them behind a corporate firewall/VPN to reduce risk. Doing this will minimize exposure and attack surface to internal hackers.
‍