Why would a cyber criminal hack a small business employee?

Feb 22, 2024




Today I overheard a customer of ours say, “Why would a hacker want to access my computer? There’s nothing valuable on it!” Unfortunately, in today's digital world, he couldn't be further from the truth.

Small businesses (with fewer than 250 staff) are three times more likely to be targeted by cyber criminals. And 60% of businesses that suffer a cyberattack go out of business within six months. So not only are small businesses much more likely to be attacked, but they also have much more at stake in comparison to large businesses.

A lot of small business leaders assume that hackers won’t target them due to their size or location. They think that they have nothing of worth, so they presume they’re safe. But truthfully, every device has something that a hacker wants, and so every device is at risk.

Money makes the world go round

The vast majority of hacking is motivated by money, which is unsurprising. Hackers can make money by accessing data, which they can use themselves or (more likely) sell to criminal groups. This data could belong to the victim or to their customers, employees or partners, and it could be as simple as an email address. Financial data, including transactions, is also valuable, as is identity information such as National Insurance numbers, dates of birth and addresses. This information can be used to build profiles that lead to further hacking or to identity fraud.

Once a criminal has access to one employee from a company, the criminal can pivot onto other devices or servers to gather more information. This lets them move around a company seamlessly to build a full picture. Even personal devices can enable this movement if an employee brings an unprotected personal device into the office.

Often, hackers lie dormant on devices until they have gathered sufficient information. This means the user is unaware they’ve been hacked, so they keep supplying the hacker with more information. Then, once the hackers have built up a detailed profile of the victim, they’ll make themselves known. This profile can then be used to spear-phish a colleague who has more decision-making power or to blackmail the victim for cash.

An alternative method is for the hacker to encrypt the system or hold it to ransom, in the hope that the company will pay to get its data and systems back, which often costs thousands of pounds.

After hacking a device, some criminals use it to launch further attacks or to store other victims’ data. Sometimes they make the device part of a botnet, so they can use its processor cycles to mine bitcoin or other cryptocurrency, or to carry out distributed password cracking.

Sometimes, cybercriminals access a small company’s data so they can get through the backdoor of a larger company. This may be because the small company provides a service to the larger target company or partners with them. By going through the smaller company, they have a much higher chance of getting into the larger company. This could be through software, or even identity fraud.

A different motivator

On some occasions, the criminals aren’t motivated by money. Some are motivated by a challenge or by their ego and will simply try to hack into as many devices as they can. While this seems less threatening than those looking for financial gain, they’re still a significant threat to companies.

We know the reasons, but what's the risk?

All of this may seem scary or disheartening, but it’s a real risk to businesses. Small businesses are much easier to hack than large businesses, due to a lack of money and resources. They also think they’re not a target, because they’re not big enough or don’t have enough data. But as we’ve said, that couldn’t be any further from the truth.

In short, cybersecurity solutions are essential for every single business, no matter the size. There is something on every device that a hacker wants to steal.