If you haven’t been worried about cybersecurity so far, it’s time to start worrying. No business is safe anymore, and better security can put you on a pedestal in your customers’ minds.
The digital world is a goldmine of business opportunities and wealthy potential clients. But it’s also a world full of scams and hackers, people who will steal your data and bleed your bank accounts dry.
If you’re lucky and you encounter a white hat hacker, maybe it will just be a warning. Like the August 2021 hack of Poly Network, a decentralized finance platform, where somebody stole around $600,000,000 “just for fun”. Soon after, the hacker started paying the money back, and was even offered a job as Chief Security Advisor at Poly.
Or it might end up like the hack of Argentina’s national ID database (RENAPER) in October 2021. The person who stole the ID records of 45,000,000+ Argentinian citizens is selling that data to anyone interested, and doesn’t seem to have any intention of stopping.
According to a 2021 report by FinCEN, the US Treasury’s financial crimes unit, over $5.2 billion worth of Bitcoin transactions in recent years were potentially linked to ransomware payments. That’s a lot of money that could have been saved if companies had better cybersecurity.
So, the main questions are:
- what are the main dangers to look out for, and
- what can you do to improve your security?
In this article, I’ll try to answer these questions for you without boring you with the technical details.
Most common cybersecurity vulnerabilities in 2021 😱
There’s a great study, the OWASP Top 10 for 2021, compiled by the Open Web Application Security Project (OWASP) from data on over 500,000 applications. You might want to send it to your development team: for every category it lists, it has a detailed guide on how to avoid that type of issue.
The most common vulnerabilities on the web in 2021, according to OWASP, are:
Broken Access Control
Users (or ex-users) can reach data or functions they were never meant to have. It can be as subtle as a customer changing the order number in a URL and seeing someone else’s order, or as simple as forgetting to revoke the accounts of ex-employees.
Cryptographic Failures
The data in your system is easy to steal because it’s not protected with appropriate cryptography: it travels over plain HTTP, sits unencrypted in a database or a backup, or is protected with outdated algorithms. Passwords stored in plain text are the classic case.
Injection
This is a bit complicated, but basically: your application takes text typed by a user (a search box, a form field, part of a URL) and pastes it straight into a database query or a system command. Someone can then type a few characters of their own code into that field and your system will run it, for example dumping your entire customer table.
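For the developers reading over your shoulder, here is what that looks like in practice. This is an added example in Python, not code from the article or from the OWASP guide; the table, the accounts and the attacker’s input are all constructed for the demo. The vulnerable function builds the query by string formatting; the safe one uses a parameterised query, which is the standard fix.

```python
import sqlite3

# Constructed demo data for the example (not real accounts).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.com", "admin"),
            ("bob@example.com", "staff"),
            ("carol@example.com", "staff"),
        ],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # BAD: the text typed by the user is pasted straight into the SQL statement,
    # so the database cannot tell where the data ends and the command begins.
    query = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # GOOD: a parameterised query. The value travels separately from the SQL,
    # so a quote character inside it is just a character, never syntax.
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    attack = "' OR '1'='1"  # constructed attacker input, typed into the "email" field
    print(find_user_vulnerable(conn, attack))  # dumps every account
    print(find_user_safe(conn, attack))        # no account has that literal email
```

Run it and the vulnerable lookup returns all three accounts for an “email” that is really a fragment of SQL, while the safe lookup returns nothing. The same idea (never glue untrusted text into a command, pass it as data) applies to shell commands, LDAP queries and templates, not just SQL.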
Insecure Design
Essentially, it’s a failure of planning and threat modelling that leaves your system open to abuse even when the code works exactly as written. As a basic example, if you don’t enforce a limit of one seat reservation per user ID on the server (a rule in the user interface alone is easily bypassed), someone might reserve all the seats and never come to your restaurant, causing you to lose money.
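To make the last two categories concrete, here is a tiny reservation service, written as an added example in Python (not from the article or from OWASP; the seat names, users and limit are made up for the demo). It enforces the one-seat-per-user rule on the server, which is the insecure design fix, and it refuses to cancel a reservation unless the caller owns it, which is the broken access control fix from a few paragraphs up.

```python
from dataclasses import dataclass, field
from typing import Dict, List

MAX_SEATS_PER_USER = 1                    # the business rule the article describes
SEATS = [f"S{n}" for n in range(1, 11)]   # constructed: ten seats, S1..S10

class ReservationError(Exception):
    """Raised when a request breaks a business rule or an access rule."""

@dataclass
class Reservation:
    seat: str
    owner: str   # user_id of the person who made it

@dataclass
class ReservationService:
    reservations: Dict[str, Reservation] = field(default_factory=dict)  # seat -> Reservation

    def reserve(self, user_id: str, seat: str) -> Reservation:
        # Insecure-design fix: enforce the per-user limit on the server, where the
        # attacker cannot bypass it, rather than only greying out a button in the UI.
        if seat not in SEATS:
            raise ReservationError("no such seat")
        if seat in self.reservations:
            raise ReservationError("seat already taken")
        owned = [r for r in self.reservations.values() if r.owner == user_id]
        if len(owned) >= MAX_SEATS_PER_USER:
            raise ReservationError("seat limit reached for this user")
        self.reservations[seat] = Reservation(seat, user_id)
        return self.reservations[seat]

    def cancel(self, user_id: str, seat: str) -> None:
        # Broken-access-control fix: check that the caller OWNS the reservation.
        # Looking it up by seat alone would let anyone cancel anyone's booking.
        r = self.reservations.get(seat)
        if r is None:
            raise ReservationError("no such reservation")
        if r.owner != user_id:
            raise ReservationError("not your reservation")
        del self.reservations[seat]

def run_scenario() -> List[str]:
    """Walk through a few requests and record what the server decided."""
    svc = ReservationService()
    outcomes = []
    steps = [
        ("reserve", "alice", "S1"),
        ("reserve", "alice", "S2"),   # second seat for the same user: refused
        ("cancel",  "bob",   "S1"),   # bob tries to cancel alice's seat: refused
        ("cancel",  "alice", "S1"),   # alice cancels her own seat: fine
        ("reserve", "alice", "S2"),   # now she is under the limit again
    ]
    for action, user, seat in steps:
        try:
            getattr(svc, action)(user, seat)
            outcomes.append(f"{action} {seat} by {user}: ok")
        except ReservationError as e:
            outcomes.append(f"{action} {seat} by {user}: refused ({e})")
    return outcomes

if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point for a non-developer: both checks live on the server and are applied to every request, no matter what the app or the browser claims. In a real system the `user_id` would come from the authenticated session, never from a field the client can edit.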
Security Misconfiguration
Similar to insecure design, but about how the system is set up and deployed rather than how it was designed: default passwords left in place, debugging features switched on in production, cloud storage left open to the world, or an unsafe setting pushed to a server. A great example is the October 2021 Twitch leak, which Twitch attributed to an error in a server configuration change.
Vulnerable and Outdated Components
Modern applications often integrate a myriad of libraries, frameworks and services from various sources, and a known hole in any one of them is a hole in your product. Updating your system isn’t as easy as pressing “yes” when a pop-up appears. Developers need to keep an inventory of every component in your system, watch for security advisories about them, and keep updating them. This is very tricky because some updates might force developers to rewrite a lot of code, but, unfortunately, it’s necessary.
Identification and Authentication Failures
This is about bad practices in managing logins and user sessions: allowing weak or already-leaked passwords, not offering multi-factor authentication, not slowing down automated password guessing, or sessions that never expire. For example, do you know how most online banks log you out after a few minutes of inactivity? That session timeout is one of the many methods used to keep your bank account safe, because a session left open on a shared or stolen device is as good as your password.
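Here is what that bank-style session timeout looks like on the server, as an added example in Python (my code, not the article’s, and not any bank’s; the 15-minute idle limit and 8-hour absolute limit are assumed values). There are two clocks: an idle timeout that activity keeps extending, and an absolute lifetime that nothing extends. The `now` parameter only exists so the behaviour can be checked without waiting eight hours.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime: re-login is required after this, active or not

@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float

class SessionStore:
    """Server-side sessions keyed by an unguessable token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits; never a counter or a user ID
        self._sessions[token] = Session(user_id, created_at=now, last_seen=now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id if the token is live, else None (and forget the token)."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(token, None)   # expire server-side, not just in the browser
            return None
        s.last_seen = now   # activity extends the idle window, never the absolute one
        return s.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)   # logout must invalidate on the server too

if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print(store.validate(tok, now=60.0))                      # alice
    print(store.validate(tok, now=60.0 + IDLE_TIMEOUT + 1))   # None: idle too long
```

Two details matter more than the numbers: the token comes from a cryptographic random source, so it can’t be guessed, and expiry and logout happen in the server’s own store, so deleting a cookie on the client is never the only thing standing between an attacker and an old session.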
Software and Data Integrity Failures
Basically, this is about a development and deployment pipeline that trusts code and data it never verified. For example, developers pulling in plugins, libraries or updates from untrusted sources without checking their integrity, or ignoring Continuous Integration/Continuous Delivery (CI/CD) best practices such as code review and locking down the build servers.
Security Logging and Monitoring Failures
With a limited budget and a stressful timeline, developers might forgo integrating any logging and monitoring in your system, or do it poorly. This is a huge mistake: logs of logins, failed logins, admin actions and errors, plus someone (or something) actually watching them, are how you find out that you’ve been breached at all. Without them, a break-in can stay a secret for months, and you’ll have a very hard time finding and fixing any flaws.
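To show what “actually watching the logs” means, here is a small detector, added as an example in Python (not from the article, and not any product’s code). The log format, the threshold of five failures in sixty seconds, and the sample lines are all constructed for the demo, using reserved documentation IP addresses. It flags an address that hammers the login with failures, and, more importantly, flags a successful login from that same address afterwards, which is the line that should wake someone up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed log format for this example: "<ISO timestamp> auth <OK|FAIL> user=<name> ip=<addr>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

FAIL_THRESHOLD = 5    # this many failures from one IP...
WINDOW_SECONDS = 60   # ...inside this window = password guessing

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None   # unparseable lines are skipped, not allowed to crash the detector
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect(lines: List[str]) -> List[str]:
    """Return one alert per suspicious pattern, in the order it was seen."""
    recent_fails: Dict[str, List[float]] = defaultdict(list)   # ip -> failure timestamps
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["ts"]
        if ev["result"] == "FAIL":
            # keep only failures inside the sliding window, then add this one
            window = [x for x in recent_fails[ip] if t - x <= WINDOW_SECONDS] + [t]
            recent_fails[ip] = window
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"brute_force ip={ip} failures={len(window)} in {WINDOW_SECONDS}s")
        elif ip in flagged:
            # A success right after a burst of failures is the one you must act on now.
            alerts.append(f"success_after_brute_force ip={ip} user={ev['user']}")
    return alerts

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """
2021-10-20T10:14:58Z auth OK user=carol ip=198.51.100.4
2021-10-20T10:15:01Z auth FAIL user=admin ip=203.0.113.7
2021-10-20T10:15:05Z auth FAIL user=admin ip=203.0.113.7
2021-10-20T10:15:12Z auth FAIL user=admin ip=203.0.113.7
this line is garbage and must not crash the detector
2021-10-20T10:15:20Z auth FAIL user=admin ip=203.0.113.7
2021-10-20T10:15:33Z auth FAIL user=admin ip=203.0.113.7
2021-10-20T10:15:41Z auth FAIL user=admin ip=203.0.113.7
2021-10-20T10:15:44Z auth FAIL user=carol ip=198.51.100.4
2021-10-20T10:15:50Z auth OK user=admin ip=203.0.113.7
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample it raises two alerts: one when the fifth failure from 203.0.113.7 lands inside the window, and one when that address then logs in as admin. A single failed login from another address produces nothing, which is the point: the value of monitoring is in the patterns, and those only exist if the events were logged in the first place.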
Server-Side Request Forgery
Your server often fetches URLs on your behalf, for example to load an image, call a partner’s API, or deliver a webhook. If an attacker can choose that URL and your code doesn’t check it, they can point your server at internal services the outside world can’t normally reach, such as an admin panel or a cloud provider’s metadata service, and use your own server as a bridge into your network.
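The usual defence is to check the URL before the server fetches it. Below is an added example in Python (mine, not the article’s or OWASP’s; the allow-listed host names are hypothetical) that rejects anything that isn’t HTTPS, anything with credentials smuggled into the address, any literal address that points inside your network, and any host that isn’t on a short allow-list.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical allow-list: the only hosts this service is ever meant to call.
ALLOWED_HOSTS = {"api.partner.example", "images.partner.example"}
ALLOWED_SCHEMES = {"https"}

class UnsafeURL(ValueError):
    pass

def is_internal_address(host: str) -> bool:
    """True if host is an IP literal that points inside your own network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname, not an IP literal; handled by the allow-list instead
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_outbound_url(url: str) -> str:
    """Return url unchanged if the server may fetch it, else raise UnsafeURL."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")   # blocks file://, gopher://, plain http
    host = parts.hostname                    # lower-cased, port and credentials stripped
    if not host:
        raise UnsafeURL("no host in URL")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")  # blocks https://api.partner.example@10.0.0.5/
    if is_internal_address(host):
        raise UnsafeURL(f"internal address {host}")  # blocks 127.0.0.1, 10.x, 169.254.169.254, ::1
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host} not on allow-list")
    return url

def is_safe_outbound_url(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except UnsafeURL:
        return False

if __name__ == "__main__":
    for candidate in [
        "https://api.partner.example/v1/report",
        "https://169.254.169.254/latest/meta-data/",   # cloud metadata service
        "https://api.partner.example@10.0.0.5/",        # allow-listed name as a decoy username
        "file:///etc/passwd",
    ]:
        print(candidate, "->", "fetch" if is_safe_outbound_url(candidate) else "refuse")
```

One caveat a developer should hear: this checks the text of the URL only. A host on the allow-list that resolves to an internal address, or a redirect from an allowed site to an internal one, still needs handling in the HTTP client itself (resolve the name and check the IP you are about to connect to, and either disable redirects or re-run the check on every hop).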
These are the most common entry points for hackers to get into your system. But what do hackers do once they’ve infiltrated your online presence?
The most popular cyber crimes🕵️
Here are some of the most popular tactics that hackers use to bring businesses to their knees.
Malware and ransomware
Malware is any malicious software; a virus is just one kind of it. The kind businesses fear most today is ransomware: once it enters your system, through any of the vulnerabilities described in the previous point or simply a booby-trapped email attachment, it encrypts your files, locks up all access to your system, and tells you to pay a ransom in Bitcoin to regain access. Modern ransomware gangs also copy your data out before encrypting it, and threaten to publish it if you don’t pay.
Phishing and social engineering
Phishing doesn’t have to include any hardcore hacking in order to be successful. All it takes is a convincing email that sends an employee to a fake login page, or a cunning person who calls your company, pretends to be an employee that lost their login details, and gets them without being asked many questions (the phone version is called vishing).
Man-in-the-middle attacks
A hacker who gets between you and the other party, for example on an open Wi-Fi network or through a hijacked mailbox, can listen in on your conversations, or worse, alter them in such a way that you think you’re talking to a client, but in fact you’re communicating with a criminal who leads you to send money or data into the wrong hands. Business email compromise, where an invoice in a hijacked or look-alike email thread suddenly carries new bank details, is the most expensive version of this.
DDoS attacks
The classic DDoS (Distributed Denial of Service) attack. Basically, a hacker opens up the gates of hell on you by sending an extreme number of requests to your server from thousands of hijacked machines until it can’t serve real customers. The request can be as simple as loading your login page, repeated millions of times. Protection against DDoS attacks is pretty standard nowadays: your hosting provider, a CDN, or a dedicated mitigation service can absorb the flood, and a “confirm you’re not a robot” captcha or a rate limit on forms and logins stops the simpler automated abuse, although a captcha alone won’t save you from a large flood.
Basic cybersecurity practices to adopt in your business 🔒
Below are some suggestions of what you can do to improve your security, and you can do or plan all of them right now. However, no system is ever 100% secure; the most reliable way to get close is to build security in from day 1, and make it a priority for everyone in your company.
Encrypt sensitive data
If you’re handling any sort of sensitive data, it needs to be encrypted, both while it’s travelling (say, from your server to your user’s iPhone) and while it’s stored (on disks, in databases, in backups). When hackers steal encrypted data without the keys, all they get is a useless string of symbols rather than actual data. That “without the keys” part matters: keep the keys separate from the data and lock them down at least as tightly.
Secure your website with a TLS (SSL) certificate
You know that padlock in the address bar of your browser? It’s there when you’re on Facebook or on your bank’s page, but not all websites have it. It means the site uses HTTPS: a TLS certificate (still widely called an SSL certificate) encrypts the traffic between the visitor and your site so it can’t be read or tampered with on the way. Websites without one are labelled “Not secure” by browsers and ranked lower by search engines, so it’s easy to see that if your business website doesn’t have HTTPS, you’re shooting yourself in the foot quite badly. There’s no excuse on cost either: certificates are available for free from Let’s Encrypt, and most hosting providers can switch HTTPS on for you.
Educate your team
Does everyone in your company use strong, unique passwords? No, really. Do they? Length matters far more than a sprinkling of special characters: a long passphrase beats a short jumble of symbols, and a password reused on another site that got breached is no password at all.
Yes, you can have two-factor authentication and all that other stuff, but technology isn’t everything. Turn two-factor authentication on wherever it’s offered, give your team a password manager so that a different password for every service is the easy option, and make sure everyone knows to change a password immediately if it may have been exposed. (Forcing everyone to change passwords every few weeks is no longer recommended; it just pushes people towards weaker, predictable ones.) This is just one of many basic, secure online practices. If your business has a digital component, then everyone on your team should know all of them by heart.
Ensure your remote workers are safe as well
Remote work is tricky, because your employees might end up working on sensitive data from their own private machines and home networks. All remote employees should be instructed exactly how to use your system securely, and given the tools to do so (a VPN, multi-factor authentication, and company-managed laptops or virtual machines) so that they can work safely without having to come to the office.
Discuss and plan security regularly
Maintaining cybersecurity never stops. New threats keep popping up, new types of attacks keep being created. So, cybersecurity needs to be a constant priority for you and your team. Don’t think of it as a one-off strategy. Cybersecurity is a critical component of any online business, and it should be treated as such.
Backups, backups, backups
Pretty basic, right? And yet, people lose data all the time simply because they don’t back it up. With a proper regular back-up strategy, you might be able to avoid paying a ransom if a hacker infects your system and locks it from the inside. Two caveats: ransomware gangs deliberately look for backups they can reach over the network and encrypt those too, so keep at least one copy offline or in storage that can’t be overwritten; and a backup you’ve never tried to restore from isn’t really a backup, so test the restore regularly.
But even if you’re not at risk of hacking, it still makes sense to back up all of your sensitive information. Digital technology can fail in many ways, so you can’t rely on just one place to store all of your valuable data. That’s just a disaster waiting to happen.
Don’t do this if you get hacked ⛔
If you do get hacked, there’s no single script that fits every case. Consult your security officer, CTO, or an outside cybersecurity consultant, prepare an action plan, and stay cool. You don’t want to damage your reputation like in the two stories below.
Don't prosecute white-hat hackers
Chances are that your infrastructure is not secure at the moment. I’m not trying to be negative, it’s just the reality. Someone might come along and show you exactly what’s wrong with it. Hopefully, someone that doesn’t have bad intentions.
That’s exactly what happened in October 2021, when a journalist found that a Missouri state government website was exposing teachers’ Social Security numbers in its publicly available HTML source code. To find it, he just had to press “F12” and look at the source code of the page. It wasn’t even hacking!
However, the state’s governor was not happy with this. He didn’t appreciate the work of the journalist; instead of thanking him, he publicly called him a hacker and vowed to have him prosecuted for exposing a flaw in a government website. What a great way to appreciate someone who’s just trying to help.
Lesson: if someone exposes flaws in your system with good intentions, don’t prosecute them. Admit your fault and plug the holes as fast as you can. Consider paying the person who exposed the flaw, too (as long as they acted responsibly). Many companies run bug bounty programmes, where people get paid for reporting security vulnerabilities, and even a simple published security contact address tells researchers how to reach you instead of guessing.
Don’t threaten your users
Don’t respond with aggression, especially not towards your own users. Take the founder of Compound, a decentralized finance platform where, in September 2021, a bug in an upgrade sent users far more cryptocurrency than they were owed.
The founder responded in the worst possible way: he publicly threatened to doxx his own users and report them to the American tax authorities unless they returned the tokens. He apologised soon after, but the damage was done. Whether users who simply received tokens from a buggy contract were legally obliged to send them back was far from clear, so the threat mainly showed poor judgement, and probably convinced at least a few people to keep the money.
Lesson: don’t respond with aggression, and definitely don’t ever threaten your users after your own mistake or bug causes problems with your system. Remain calm, and prepare an action plan to fix the issue.
Ignore cybersecurity at your own risk. It’s getting more and more dangerous out there for online businesses, so security is a necessary priority if you don’t want to lose money. Simple as that.
Work with development companies that understand the importance of security. Hire security consultants, and educate yourself and your team. Keep cybersecurity at the front of your mind, always. This is the only real way to protect yourself from the many threats that are waiting for you online.