People shopping in a clothing store showing how small businesses are now a target for data breach
New Data Breach Trends: Small Business Identity Records Now Target #1 for Hackers

New Data Breach Trends: Small Business Identity Records Now Target #1 for Hackers

A new report by leading cybersecurity and intelligence firm 4iQ is providing the tech world with some eye-popping perspective. The company’s comprehensive study of data breach incidents in 2018 indicates that these attacks were up by over 420% from 2017, exposing a total of almost 15 billion identity records. Personal identifying information in these records included credit card numbers, bank accounts and email addresses.

While the study did not unearth a significant amount of previously unreported data breaches, it is unique in encompassing all known incidents from a broad variety of sources – both the “open” and “deep” web, the “dark” web and similar underground information black markets, discussion forums and social media platforms.

This study is of particular interest to small businesses, because it confirms that they are now the favored target of cyber criminals. Data breach incidents had been trending slightly in that direction prior to 2018, but we now know that small businesses are being targeted much more frequently than previously thought and that even relatively tiny businesses are now on the menu for sophisticated hackers.

The new data breach numbers

4iQ counted 12,440 new breaches in 2018, which was an increase of 424% over the known breach count in 2017.

A total of 14.9 billion identity records were found to have been exposed during the year, up from 8.7 billion available in 2017. Of these, 3.6 billion were exposed for the first time in 2018 – that is to say, the same records had not already been available through any previous breach. About three billion of the total came from the combined top 10 largest breaches in the world, but many more were the result of many smaller-scale breaches of small businesses.

The biggest trend contributing to these increased numbers in 2018 is the appearance of “combo lists.” These mega-lists draw together data from previous breaches into one massive but relatively easily searchable file. In addition to making identity records more accessible for attackers that may not have encountered them before, these combo lists also sometimes make public information from a data breach that was previously only in a few select hands.

The average size of a data breach (in terms of number of identity records compromised) actually decreased just a bit from 2017, down 4.7% to an average of 217,000 per breach. While that might seem like good news at first reading, it’s the opposite for smaller businesses – it means that criminals are shifting their attention to smaller targets.

Why small businesses are in the crosshairs

Across the board, small businesses tend to have easier security to crack than their larger counterparts. This has been true for almost as long as the internet has been available, but hackers have historically tended to focus on the bigger targets due to the ratio of effort and risk to reward.

While larger businesses have been hardening their defenses, smaller businesses have had a tendency to believe that they are beneath the radar of hackers. This happens with troubling frequency even when that particular business has suffered a data breach in the past.

The relative ease of attacking a smaller business has become such that it’s now perceived as being worth a hacker’s time and effort in more cases – particularly when smaller businesses don’t patch out known vulnerabilities that hackers can use automated tools to quickly scan for and exploit.

The data profiles that cyber criminals trade in the underground have also become much like the far-ranging identity records that the giant tech companies gather. Identity thieves are scooping up as much personal data as possible to facilitate identity theft and financial fraud, which makes the contents of a home network or the files of a small business more valuable as supplementary additions.

At first look, it may appear that the world’s most populous nations are disproportionately targeted by hackers. 32% of the breached identity records belong to citizens of the United States, 15% belong to Chinese citizens and 6.7% belong to Indian citizens. However, the majority of these identity records were exposed in the largest individual hacks of the year, such as the hack of Indian government portal Aadhar and Florida-based data broker Exactis. When you separate out the largest individual events, there does not appear to be a clear national preference for hackers targeting small businesses – they cast as wide of a net as possible and will pick off vulnerable targets wherever they might be found. For example, the United States actually experienced fewer total breaches than most other countries.

Changes needed to protect identity records

It’s imperative that small businesses recognize how attractive they now are to cybercriminals, and take appropriate measures to protect themselves from a data breach.

While the ideal would be for all companies to have a dedicated cyber security consultant or internal team, the hard reality is that this just isn’t in the budget for very small businesses. Risk profiles also do vary by industry, and some industries are more vulnerable than others and need to devote more resources to security.

So there are still situations where it simply doesn’t make sense for smaller businesses to devote a lot of resources to their online security, particularly when they outsource most handling of identity records to third-party services. However, even companies on a shoestring budget need to recognize that they are more appealing and more vulnerable to hackers than they have ever been in the past. Every company should have at least some basic policies and practices in place, even if they are entirely DIY-ing their security measures.

Two-factor authentication on any and all business logins is as good a place to start as any. Options include USB keys, codes sent to an app, or a verification email as complements to the standard password. SMS is another commonly-used option; it’s the weakest one, but better than nothing. A good password manager can also help to keep all network users from slipping into bad login habits.

A major trend revealed by the new 4iQ study is the tendency for companies to leave their remotely accessible databases unprotected. Hackers are more than happy to steal information from these open databases, or even export and wipe the contents and then attempt to ransom them back to you.

And while some businesses may not have the budget for a cybersecurity contractor, it may make financial sense to invest in ID theft response and monitoring services (and insurance) to mitigate the damage a data breach can cause.