edition e1.0.0
Updated October 9, 2023
Attackers love small businesses, especially ones with no technology budget, no security budget, and loose business processes. Your work email, website, and various Software-as-a-Service (SaaS) accounts are ripe with data, and are where your customers interact with you financially.
Most attacks that a small business gets caught in are ones where an attacker uses the same technique against many businesses that use a specific tool or technology, playing a numbers game in the hope that a good percentage of the attempts succeed.
For example, a popular target for attackers is Magento, a platform used by small businesses for running e-commerce websites. Attackers create automated programs that scan for websites running unpatched Magento platforms and break their way in. Once inside, they add credit card skimming software that silently sends copies of credit card data back to the attacker. This way the website owner is unlikely to catch on to the attack, and the attacker’s program can sit there collecting data forever. Back in September 2020, there were over 2,000 website hacks over one weekend alone after Magento announced an older version of their platform as “end of life.” This target is so popular that the attackers and their software even have their own name, Magecart.
In this part of the book, we focus on the “secondhand Windows laptop” type of security for your small business: steps that will be cheap (but usually free) and simple to do. They will be strategic in the sense that you will be able to quickly think through the risks and make a call to secure something (or just live with the risk, which is a valid response when done intentionally).