Two people in a business meeting using a laptop
© HSB Canada

15 ways hackers can enter and attack your business

    alt txt

    properties.trackTitle

    properties.trackSubtitle

    Don’t assume all cyberattacks are the same. The truth is that there are a number of ways hackers can infiltrate a company. The vulnerabilities increase with the amount of entry points a business has, including the hardware, software, operating system and even phone equipment. Read on to learn 15 ways hackers can gain entry opportunities to steal company data or disrupt operations.

    Network exposures

    1.     Denial of service

    A hacker overwhelms the site with traffic, preventing real work from being accomplished.

    2.     Network devices

    A hacker gains access to the router, switch or firewalls and can take control of the device, manipulate the configuration, allow unwanted traffic, or shut it off completely.

    A stressed man using a laptop
    © HSB Canada

    IT equipment exposures

    3.     Servers

    Operational exposures

    • gaining access to the server and changing the password or configuration.

    Physical exposures

    • changing the server’s internal settings, rendering the server useless or causing                                  damage.
    4.     Storage

    Operational exposures

    • gaining access to the storage device and changing the password or configuration. This can            also impact stored data.

    Physical exposures

    • changing the internal setting, encrypting and holding it ransom.
    • changing the operational characteristics and possibly rendering the device useless or causing            damage.
    5.     Printers and copiers

    Though not normally the focus, printers/copiers can be hacked remotely if they’re connected to the internet and not protected.

    6.     Specialized equipment

    In any given company, there is specialized equipment unique to the industry, segment or process. It’s not normally a target unless valuable or supports a very visible business process.

    A stressed man using a laptop
    © HSB Canada

    Operating environment exposures

    7.     Operating system

    The Operating System (OS) supports the control of the servers. Operating systems, especially those supporting the low-end server market, have historically been targets for hackers because of their install base, access to the internet, and relatively relaxed security.

    Once the hacker gains access to the OS, the objective is to:

    • alter it, the subsystems, or the applications
    • to perform unauthorized activities
    • to change the operating environment configuration
    8.     Subsystems

    Multiple subsystems operate under the operating system and are often referred to as shared services, including security, monitoring, measurement, performance, file management, and databases.

    If a hacker gains access to the OS, they usually:

    • try to alter or disable subsystems
    • hold the company ransom by encrypting a given subsystem and/or the associated data
    9.     Applications

    Applications perform business functions for human resources, payroll, customer relationship management, etc.

     

    Data Exposures

    10.     Stealing

    Stealing files that contain financial, personal or proprietary information are the most common type of data breaches.

    11.     Destroying

    Hackers have destroyed data by deleting entire files or databases.

    12.     Altering

    While less common, hackers have been known to alter financial and personal records, and use them to their advantage. The most common alteration is encrypting a file or database and demanding a ransom.

    A stressed man using a laptop
    © HSB Canada

    Phone system exposures

    13.     PBX

    PBX systems are usually installed on company premises, and maintained by a group separate from IT.

    • Operational risk: the hacker gains access to the PBX and alters the configuration or copies/alters/destroys the directory data.
    • Physical risk: the hacker gains access to the PBX and alters the operating characteristics, causing it to crash or physical damage.
    14.     VOIP

    VOIP (Voice over internet protocol) systems are often newer and more closely follow IT standards and procedures. This is not a large target for hackers unless the company is a VOIP service provider.

    15.     Process control systems

    These can take the form of Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), and Distributed Control Systems (DCS). Their major function is to control both the support of the facility and manufacturing process, including electrical power, boilers, HVAC, ovens, motors, generators, refrigeration, etc.

    A hacker can take control of the entire system then hold it for ransom or alter the controls to cause damage.

    A global attack could result if a given vendor’s Process Control System is infected with a virus and modifies the operating specifications of a very common piece of equipment. Once triggered, this would impact multiple companies, similar to ransomware. A major concern is that dormant viruses have already been discovered in several vendor’s Process Control Systems.

    What should you do?

    Companies need to update their disaster preparedness documents and incorporate the potential attacks listed above. This should include all the steps necessary to address the cyberattack, as well as the processes and procedures to prevent it from happening again.

    To learn more about HSB’s Cyber solutions check them out below.

    Or speak to your HSB representative.

    This article is for informational purposes only and is not intended to convey or constitute legal advice. HSB makes no warranties or representations as to the accuracy or completeness of the content herein. Under no circumstances shall HSB or any party involved in creating or delivering this article be liable to you for any loss or damage that results from the use of the information contained herein. Except as otherwise expressly permitted by HSB in writing, no portion of this article may be reproduced, copied, or distributed in any way. This article does not modify or invalidate any of the provisions, exclusions, terms or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable insurance form. Posted on October 21, 2022