
Business owners finally recognize the threat that cybercrime poses, and for good reason. Nearly half of all breaches annually are of companies with fewer than 1,000 employees.[1] They also were targeted in 82% of all ransomware attacks in 2021,[2] and the average cost per breach for small to mid-sized businesses has been between about $2.5 million and $3.0 million.[3] Unsurprisingly, many business owners have upped their spending on cybersecurity.

However, this money will be wasted so long as owners continue to operate recklessly online away from work. More specifically, cybercriminals rarely directly attack companies that are hardened targets. It requires too much of their time and resources to be economical. Instead, they breach them through weak points where company systems intersect with less secure entities and individuals. The personal online behavior of business owners is an example of this.

Many use the same or similar passwords for multiple online accounts. They also ignore security settings for their personal devices and accounts. They do not take steps to protect their cyberprivacy, allowing cybercriminals to identify and target not only them, but also their families. Some are even so foolish as to use Post-it notes or the Notes app on their phone to store their passwords. 

Cybercriminals capitalize on this behavior to hack owners and their businesses when they are at home or on vacation. For example, devices and web browsers without engaged security settings automatically record the passwords for every online account that the device accesses, even if the individual is using a password manager. Thus, if the device is compromised, so too is every such online account, including work ones.

Moreover, hacking most devices is not very challenging using malware (malicious software that gets behind a device’s defenses), which exports its information and allows outsiders to potentially take control of systems. Should an owner inadvertently open a “phishing” email or “smishing” text (something that happens one billion times per day worldwide[4] and that even Jeff Bezos has done[5]), the device can become infected with malware and the passwords it has recorded are now in the hands of cybercriminals. Far worse, if the device is subsequently connected to the company network, every device attached to it is at risk for infection.

Cybercriminals also regularly breach devices when someone is at home. Indeed, they seek out homes with smart technology (e.g., security cameras, digital light bulbs, smart coffee pots, etc.). These homes are enticing targets because this type of technology is usually easy to hack, and breaching just one device usually compromises everything else connected to the network unless the homeowner knows how to segment the technology. Once in, cybercriminals can watch and copy passwords as they are entered, including when someone is working from home. They also can infect every attached device with malware.

Owners’ personal email accounts are also ideal for breaching a company’s cyber defenses. If inadequately protected, they generally are uncomplicated to hack and can be used to send emails with malware-infected attachments to employees. Cybercriminals recognize that it is highly likely that the emails will be opened and the attachments clicked on because they are from the owner. Once this happens, the company’s systems are compromised.

However, owners’ reckless personal online behavior threatens businesses far beyond just breaching cyber defenses. For example, cybercriminals recently have become even more aggressive, conducting “over-the-shoulder” attacks in bars and restaurants. They memorize device passcodes as they are entered and then later distract and steal devices from their unwitting owners. The criminals then quickly loot the company’s bank accounts.

Additionally, many businesses market themselves through social media.  If the credentials for a company’s social media sites are stolen, the business may be forced to choose between paying ransom to a cybercriminal or having to redo/rebuild their online marketing presence.

Owners’ failure to protect their personal cyberprivacy can also endanger businesses’ ability to borrow money.  Identity theft is a $52 billion business that impacts forty-two million Americans each year.[6] Stolen identities are used to misappropriate credit, healthcare insurance and even tax returns.

Unfortunately, it requires relatively little information to steal someone’s identity.  And a cybercriminal does not have to hack an account to steal the identity of anyone so foolish as to not engage the necessary settings on online accounts, devices, and apps.  The information is out there for the taking.

More problematic, the credit of many businesses is directly linked to that of their owners because of personal guarantees. And it is almost a certainty that, shortly after an owner’s identity is stolen, criminals will try to use it to borrow as much money as quickly as possible. Imagine trying to operate a business without access to credit for months or even years while the owner tries to unwind dozens of fraudulent transactions.

What all of this means is that the cybersecurity of any company is no more robust than that of its owner away from work. Of course, at some point everyone and everything online will be breached. However, owners can reduce the frequency of such events as well as the resulting damage by using some widely available, low-cost technology and taking several relatively easy, commonsense steps that turn them into hardened, less attractive targets. They are so simple that we have prepared a step-by-step guide for business owners that can be downloaded for free from our website, www.dpripro.com/owners.

Cybersecurity is an exercise in minimizing and not eliminating risk.  It requires building layers of defenses, each of which complicates a hacker’s life.  However, business owners who act irresponsibly online effectively strip away an essential layer of protection for their companies and it is only a matter of time before they are victimized.

Mark Hurley is CEO of Digital Privacy and Protection (DPP) (www.dpripro.com). Carmine Cicalese, COL, US Army Retired, is Senior Adviser and Partner at DPP.  


