Size does not matter, at least for hackers

Why your business is not “too small to be hacked.”

When many business owners read about huge cyberattacks like the one that hit Equifax, they’re interested, but not overly worried. They tend to believe that they themselves aren’t at risk for a similar breach, because their business isn’t “big enough” to attract the attention of a would-be hacker. Unfortunately, the nature of today’s cybercrime means that each and every business is at risk, regardless of size—and in fact, small businesses are much more highly targeted than large ones. Here’s why.

Real hackers don’t wear hoodies

Countless movies and TV shows have popularized the image of the lone, hoodied hacker, bent over his keyboard as neon numbers flash over his head while he carries out his nefarious work. While this image works great for creating a sense of drama, it obscures the fact that most hacks aren’t performed by humans at all. Most cyberattacks are carried out by automated bots that attack thousands of sites at the same time, in what is commonly known as a “brute force” attack. These bots don’t really discern between big sites and small ones—they simply throw everything at the wall and see what sticks. As long as your business is in their firing range, you’re a target—no matter what assets you have.

Small businesses are targeted more than large ones

Of course, there are humans at the helm of every cyberattack, and they do make decisions about the general areas they’d like to target. While most people might think that hackers go after the big money—huge credit bureaus, law firms, and accounting firms bristling with super-sensitive data—they are actually far more likely to target small businesses. In 2017, for instance, over 70% of cyberattacks targeted businesses making $60,000 a year or less.

Why? It’s simple—small businesses are easy money. Small businesses are much less likely to set up security software, delete unused admin accounts, and make regular website updates that can minimize their risk of a breach. They’re also far less likely to have audit logs and other data needed to identify the culprit after the fact—meaning someone attacking a small business is far less likely to get caught and punished.

Think of it like a thief trying to decide which neighborhood to rob. Sure, the big, fancy neighborhoods contain more valuable stuff—but they also have fences, high-tech security systems, and private security patrols. The smaller neighborhoods are likely to have far fewer barriers to entry, and their TVs are just as nice.

The bottom line: Protect yourself from cyberattacks

The biggest reason small businesses are easier to hack than large ones? They don’t see it coming. Ironically, since small businesses tend to discount themselves as targets, they never take the security precautions that bigger companies do—and thus ensure that they will be targeted at some point.

But lest we sound too doom-and-gloom, there’s a bright side to all this, which is: the vast majority of cyberattacks aren’t very sophisticated. They’re sent out to locate outdated, unprotected websites, and they only succeed because that’s what they find. A few small, simple precautions, like preventative website maintenance, are usually enough to prevent the vast majority of issues.

GDPR Compliance Is Mandatory For All Websites: Are You Prepared?

The GDPR has been implemented for a month. Here’s what’s changed.

The Internet would like to apologize for all the scary-sounding warnings you received over the last month or two. You know the ones we’re talking about. There’s something saying “Our privacy policy has changed” and there’s something else about yadda yadda yadda. Also: the initials GDPR appear, and that sounds like a vast, invisible criminal organization in a 007 movie. You are asked to click a button that says something like “Got it”—but you’re worried that maybe you just agreed to something you’ll regret later.

But the GDPR is not malevolent. It stands for General Data Protection Regulation. The regulation presents a massive overhaul in the way companies process and protect user data, and is set to force sweeping changes in every industry from technology to advertising.

It forces organizations to report data breaches. And they can’t drag their feet about it.

Over the past decade, we’ve seen incidents—such as the Equifax hack—where companies either failed to report a data breach, or took months to do so. (It took Equifax over two months to report its security breach to its clients and investors.)

The GDPR requires organizations to directly notify users when user data is lost or stolen. And they can’t bury it in a press release, on their website, or in a social media post—under the new regulations, companies must directly report breaches to users. Breach notices have to be specific, too, laying out the extent of the hack, the potential consequences, and what’s being done to minimize the damage.

It gets rid of legalese in privacy policies—and requires explicit consent

Back in 2008, one notable study found that if a user were to read every privacy policy he encountered in a year, he’d need to take a month off work—about 244 hours—just to do it. And he’d need a PhD in Linguistics to understand what he was reading; most privacy policies were so cluttered with tech jargon and legalese, they were basically illegible.

The GDPR requires companies to list how they’ll use consumer data in “an intelligible and easily accessible form, using clear and plain language.” In terms of describing what constitutes clear and plain language, it doesn’t get more specific than that; presumably, this is an intentional decision that will give legal teams more flexibility in the future.

Companies must also ask users to give active, explicit consent to having their data collected, rather than what the GDPR calls “passive acceptance”—a pre-ticked box prefaced by 20 pages of jargon. That consent can be revoked at any time, for any reason.

It requires companies to hold someone accountable

All too often, when a company suffers a data breach, it will try to dodge blame by passing the buck around the organization, arguing over who was responsible. Now, the GDPR requires most large companies to appoint a specific Data Protection Officer whose job is to ensure compliance.

Only companies which perform large-scale behavior tracking, process massive amounts of data, or constitute a public authority will be required to have a Data Protection Officer. However, companies which don’t meet the aforementioned requirements aren’t off the hook; they are defined under the GDPR as “data controllers”, and the third parties they hire are “data processors.” Controllers are responsible for ensuring their data processors are compliant; processors are responsible for reporting breaches immediately; and both parties can be held accountable.

It gives law enforcement sharper teeth

So, what happens to companies who aren’t GDPR compliant? Well, for one thing, they’ll be fined—and these fines are no slap on the wrist. The worst offenders can be fined a maximum of 20 million Euros, or 4% of the company’s annual global turnover, whichever is larger. For some companies, that could mean billions.

If you’re reading this in the U.S., you might be wondering, “Can the EU really enforce a fine on a company in another country?” Put simply, yes. The EU is legally justified under international law to enforce its regulations, and it is likely that U.S. authorities will help it do so. Since breaches usually don’t have geographical boundaries, the EU and US have a strong relationship when it comes to cybersecurity.

What does the GDPR mean for me?

On the surface, the GDPR is—let’s face it—a bunch of boring-sounding letters. But underneath all the stone-faced legalities is something truly revolutionary: a law created by a foreign government that ended up protecting the entire world.