Cyber Attacks: Small Business Guide
By Susan Buckner, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed May 23, 2024
Editorial Note: We earn a commission from affiliate partner links on FindLaw. Commissions do not affect the editorial integrity of our legal content.
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.
In June 2023, the most devastating cyberattack to date hit the file transfer. Using a type of hack called SQL injection, a cybercriminal gang began intercepting personal data from data transfers. MOVEit continues working with cybersecurity agencies in the U.S. and overseas. But as of October 2023, the breach affected as many as 2000 organizations and 60 million individuals.
Cyberattacks are not only on large corporations. Small businesses have the same vulnerabilities as big ones. Hackers look for weaknesses in computer systems to steal data and money and open access to other systems. Cybercriminals can use your system as a backdoor to inject viruses into other computers. Cybersecurity for small businesses is essential for everyone's protection.
Small business owners should remember that "small" is a comparative term. A small business may have up to 500 employees and many locations. Your small business is as vulnerable to cybercrime as to more traditional crime. Owners are liable for protecting customers, employees, and assets from both types of criminals. Business owners should have strategies to identify threats and respond to attacks, no matter what size they are.
Types of Cybersecurity Threats
Cyberattacks have changed since the early days of the internet. Today's attacks use a combination of sophisticated software assaults and clever social engineering that preys on human psychology. The focus is not always data or money. Hackers can use sensitive information like passwords, birth dates, and other personally identifiable information (PII) to access other secure areas.
Below are some of the most common threats facing businesses today:
Malware
Malicious software, or malware, is any type of software introduced into a target system. The malware may damage the target software or set up the system for use in other types of attacks.
- Ransomware: A ransomware attack encrypts or locks the target data. The hackers demand payment for the decryption key. Hackers install ransomware phishing or other downloads.
- Spyware: This malware is not directly malicious. But it collects data about the user's web activity and passes it to the hacker. Adware, another type of spyware, actively uses collected data to direct ads and content to the user.
- Trojan: This is malware disguised as a legitimate program. Trojans often hide in free apps and upgrades. Trojans can carry many kinds of malicious software.
- Worm: A worm is a self-contained program that installs itself on the target computer and replicates. It may remain in the host computer and damage the host operating system or upload itself into the host's email and spread to other computers.
- Rootkits: A more sophisticated type of hack, a rootkit installs itself in the operating system. It gives the hacker control over the host computer.
All types of malware are viruses put into computers by exploiting vulnerabilities in the internet or the human psyche.
Phishing and Spoofing
Despite warnings against opening suspicious emails, people do it every day. Business owners can protect themselves and their sensitive data by reminding employees about these common tactics:
- Scareware: These are popups, banner ads, or emails that warn users that their computers are infected with a new virus that can be fixed by downloading free antivirus software.
- Phishing: One of the oldest forms of hacking, phishing attacks now target individuals ("spearphishing"), executives ("whaling"), and texts ("SMiShing"). All these techniques encourage the victim to open the message and download an attachment containing malware. Phishing emails often use spoofed addresses or appearances to fool victims into opening the message.
- Spoofing: You've been spoofed if you open an email that looks exactly like a trusted company but didn't come from them. Domain spoofing creates websites and emails that are nearly identical to the original.
DOS/DDOS Attacks
Small- and medium-sized businesses are unlikely to fall victim to these attacks. But they may suffer the fallout from larger companies hit with these cyberattacks. A denial of service, or DoS attack, occurs when cybercriminals flood a network with more requests for service than the network can handle.
During the DDoS (directed denial of service) assault that paralyzed Google Cloud in August 2023, almost 400 million requests per second clogged the network. Similar attacks hit Cloudflare and Amazon Web Services during the same period.
For smaller companies that use cloud-based storage and delivery systems, DoS and DDoS attacks result in processing slowdowns and potential data loss. There is little you can do if a DoS attack hits your cloud provider. However, your cybersecurity plan can prepare for these issues and have a response ready.
Business Liability for Data Breaches
The costs of a data breach can be high. Lacking a solid cybersecurity strategy may place your company in violation of federal and state laws. You can face legal action and financial costs for:
- Customer costs due to data loss, such as credit card chargebacks
- Notification costs as required by state laws
- Regulatory fines for failure to meet PCI DSS requirements or other rules
- Individual or class action lawsuits following data compromise
- Costs of system recovery and shutdown
When your business collects and retains private customer information, you're responsible for protecting that data to the best of your ability.
Cybersecurity Practices 101
Small- and medium-sized businesses are not expected to have the multi-billion-dollar firewalls and other online architecture cloud servers use to fight off DoS attacks and SQL injectors. You do need a response plan and to take all cybersecurity risks seriously.
Educate employees on cyberattacks. Training employees is not a one-time event. Your human resources department or other responsible person needs to keep everyone current on the latest cybersecurity news.
Stress the need for strong passwords. Consider using multi-factor authentication (MFA) and password management. Avoid using easily guessed passwords or similar passwords for all mobile devices.
If you update it regularly, off-the-shelf security software is acceptable for most antivirus needs. If your IT department has not set your systems for automatic updates, ensure the computers have regular upgrade schedules.
If you have remote employees, provide them with company equipment or consider a VPN (virtual private network). Unsecured laptops, tablets, and cell phones that use public WiFi networks are targets for hackers.
Enforce policies against the use of social media on company equipment. If your company has a social media presence, set your filters to the highest privacy settings possible. Do not allow anyone to download apps or other programs through the platform.
If you maintain customer data files, for instance, if you are a medical office or a law practice, back up your files often and store a copy offsite. This simple safety measure is often overlooked. It can save you time and liability in the event of a breach or other data loss. Many commercial antivirus programs include a backup and storage plan.
Cyber Liability Insurance
If your business is data management, you may consider a cyber insurance policy. These specialized policies protect against losses resulting from cyberattacks and data breaches. Look for policies that cover you for vendor attacks and terrorist and ransomware attacks on other carriers besides your own, and global breaches or DoS/DDoS attacks.
Next Steps in Cyber Security: Hire a Legal Expert
Your incident response plan should include a discussion with a business and commercial law attorney or an intellectual property attorney. You can discuss liability for data protection and reporting in your state. These laws are constantly evolving, so be sure your risk management program is up to date.
FindLaw will earn a commission if you purchase business formation products through these affiliate links.
Meet FindLaw's trusted partner LegalZoom, an industry leader in online business formations
Kickstart your LLC in minutes!
Join the millions who launched their businesses with LegalZoom.
LLC plans start at $0 + state fees.
Prefer to work with a lawyer?
Stay up-to-date with how the law affects your life
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.