Data breaches are a far more common occurrence than many people realize. Websites of all sizes and descriptions are potential targets for data breaches, for a variety of reasons. Many small business owners believe that they are far too insignificant for cybercriminals to bother with. However, this complacency is actually a big part of the reason that small and medium enterprises regularly find themselves targeted by cybercriminals.
Any business or entity that is holding a significant amount of personal data is a potential target for cyberattacks. There are innumerable ways of monetizing data, especially if you aren’t constraining yourself with legal concerns. Data breaches are becoming a threat that every business with a website or a database of customer information needs to take seriously.
Encrypting Vs Hashing Databases
Encrypting data means that even if someone does gain unauthorized access to it, they will not be able to read it. However, encryption is not perfect. While modern encryption standards are very impressive, there are ways of defeating them, at least in principle.
When data is encrypted, it is altered in a particular way. This process is two way. In other words, anything that can be encrypted can also be decrypted. Modern encryption standards are very difficult to crack, but computing power is increasing at an exponential rate. Eventually, these unbreakable codes can be cracked.
Hashing, on the other hand, is a one-way process. You can run data through a hash and check the end result. But you cannot work out what the original data is by reverse-engineering a hash. If an attacker has a database of hashed passwords, they will not be able to decrypt them without knowing the password used to hash them.
Add Salt to Your Hashes
Of course, if a hacker is able to work out the password used to hash data, then they will be able to decrypt it with ease. This is why using strong passwords, in general, is good advice. However, even if you have a strong password, if your hypothetical attacker has a database of passwords, one of which they knew was correct, they could brute force your hash.
Salting a hash will add random data before each password. This will result in a completely different hash and will prevent an attacker from being able to use a rainbow table-based attack. Salting pre-emptively heads off one of the few vulnerabilities that hashes have.
Launching a rainbow table-based attack is not easy. Rainbow tables are huge databases. They are far too big to fit on most people’s computers. They also require a lot of computing power and time, but a determined attacker could potentially use them to decrypt a hash.
Keep Secure Backups
It is better to be proactive about data breaches and try to pre-empt a breach by investing in good security before you are the victim of data theft. However, you should also have a plan for how to respond should one occur. Most of the time, when an attacker steals data they will leave the original data in place and simply copy it. However, if someone did want to sabotage your business and cause problems for you, they could erase data while they have access to your systems. It is, therefore, essential that you have a reliable system for creating and maintaining secure backups.
Secure backups should be encrypted at the very least and hashed and salted if they contain sensitive information. Your backup should also be kept physically secure and should be isolated from your main network. If an attacker gains access to your network and can delete your backups before attacking your main systems, your backups will be useless to you. Off-site cloud backups are essential today.
Make Sure That Everything Is Kept Updated
When new security vulnerabilities are found, developers release patches to address any security flaws and make software secure. While a lot of the software that we use today updates automatically, there are some pieces of software that need to be updated manually. There are also essential operating system updates that require a computer to be restarted, and these updates often give the user the option of deferring them to a later time.
If you want to ensure the security of your entire network, you need to keep everything updated at all times. Don’t let vital updates slip through the net. Every single out-of-date system on your network represents a potential weak point that an attacker can exploit. In some cases, attackers can even scan the internet looking for internet-connected devices that are vulnerable to specific attacks. They then can execute these attacks automatically.
Anyone who set up their own website or message board as a teenager using one of the many free services in the early to mid-2000s will probably have experienced at least one automated attack on their site. These attacks typically caused a nuisance. Back then, the average website or forum was not harboring the same amount of valuable data as they do today, and it was not as easy to make money from stealing data.
Now, the potential benefits to attackers from stealing the right data make keeping up with the latest vulnerabilities in common software more than worth it. If your software is out of date, then assume that it is vulnerable. Install updates in a timely manner and automate the process wherever possible.
Educate Your Staff about Common Threats
There are a handful of techniques that cybercriminals employ in order to access networks illicitly. If you are able to educate your staff about some of the most common threats, you can easily avoid the majority of attacks.
For example, phishing attacks involve sending emails to your workers that appear to come from you, or from elsewhere in your business. Clicking a link in this email will take the recipient to a login page that looks like a legitimate login page they would expect to see. However, once they enter their information, it will immediately be passed on to the attackers. They can then forward the password to the legitimate website, and log the user in as normal, with them none the wiser as to what has occurred.
Phishing attacks can take a slightly different form, but they all involve the same principle: tripping your workers into handing over their login information.
Social engineering is also another very effective and very common attack vector. It involves convincing people to do things they shouldn’t, by using a variety of coercive techniques.
The takeaway here is that humans are generally the weak points in cybersecurity systems. Educating your staff will help to prevent attacks that rely upon their ignorance. In businesses where there is a lot of staff who use the network but are not very tech-savvy, there is plenty of scope for simpler attacks to succeed.
Preventing Data Scraping
For businesses that need to protect their data, either to prevent competitors from harnessing it for their benefits or to prevent other people from undercutting them with free alternatives, it is worth taking some steps to prevent data scraping.
- Rate limit IP addresses. This won’t stop everyone – rotating proxies won’t be stopped – but you can deter the most basic scrapers.
- Protect your data behind a login. If you require users to login before accessing data, you can keep them from scraping it.
- Change your website’s markup regularly. Scrapers rely on it being the same every time.
- Use CAPTCHAs. CAPTCHAs are constantly evolving and have become very accurate thanks to machine learning.
Protecting data is essential for protecting your business’s reputation. Data breaches can cost you in lost revenue, or even legal fees and damages. And that’s not to mention the costs of fixing cybersecurity issues. Don’t wait for something to go wrong. Invest in your security now and make sure that you keep up with new developments.
Remember, these tips are not fool-proof and they might not always apply.