- Over the past decade, cyberattacks have increased in sophistication and reach, affecting small businesses alongside tech giants and government agencies.
- Incidents such as the global “NotPetya” ransomware attacks, the giant Equifax hack, and the SolarWinds and Kaseya supply-chain attacks are wake-up calls that no organization can afford to ignore when it comes to security.
- While cyberattacks have become more advanced, cybersecurity best practices have also evolved and can provide effective defenses for organizations.
- This article is for business owners who want to learn about cyberattacks and cybersecurity.
How secure are your business’s website and computer network? That question becomes more relevant every day as cyberattacks increase in sophistication and reach. While companies today have more security tools than ever before at their disposal, hackers have likewise improved their attack capabilities.
The past decade has been littered with high-profile cyberattacks that should serve as lessons on cybersecurity for businesses everywhere. Whether they’re schemes orchestrated by competitors or someone with a checkbook and a grudge, attacks of significant magnitude can happen to large and small organizations alike. Take a look at some of the biggest attacks in recent years and see what steps businesses of all sizes should take to help defend themselves.
High-profile cyberattacks in the past decade
Over the last 10 years, we’ve seen a significant expansion in the number, breadth and impact of cyberattacks. The incidents highlighted below demonstrate that, while almost no organization is fully protected from potential security incidents, there are actions more prepared organizations can take to prevent the worst possible outcomes.
2013: The New York Times hack
In 2013, hacker activists (also known as hacktivists) took over The New York Times’ website in a “defacement” attack, which replaced the site’s content with a logo and the message “Hacked by the Syrian Electronic Army” (SEA). The attackers also compromised the Times’ Twitter account. The attack, while damaging to the Times’ reputation and temporarily preventing the company from providing content online, did not cause any lasting harm.
The hacktivists didn’t appear to compromise any of the Times’ internal systems, either. Instead, they targeted the paper’s domain name registrar, which had lax security standards. By targeting the registrar, the attackers were able to get the access they needed to temporarily take down the Times’ website and Twitter account.
2014: Sony Pictures hack
In late 2014, a group calling itself Guardians of Peace breached Sony Pictures Entertainment’s internal systems. The group stole terabytes of private data from the company, deleted the original data, and slowly leaked the stolen information to journalists and eventually to Wikileaks. Sony faced a public relations disaster, financial losses, and technological damage to its internal networks that took administrators several days to repair.
While the Guardians of Peace portrayed themselves as hacktivists, the group also threatened terrorist attacks. Ultimately, the FBI and the NSA attributed the hack to a North Korea-linked group.
2017: Maersk attack
In 2017, the world suffered its first true cyber pandemic as the ransomware cyberweapon NotPetya spread rapidly and uncontrollably around much of the world. NotPetya is thought to have been developed by Russia-linked hackers dubbed “Sandworm,” who deployed it against select Ukrainian companies by hijacking the update procedure for a ubiquitous Ukrainian accounting software called M.E.Doc. By taking control of M.E.Doc’s update servers, Sandworm was able to install NotPetya across thousands of computers in Ukraine.
NotPetya was created to spread rapidly and automatically. It quickly traveled to businesses around the globe, ultimately inflicting an estimated $10 billion in damages. Global shipping company Maersk was one of the hardest-hit organizations in the world. NotPetya spread through an office Maersk had in Ukraine to its network and then to every one of its offices worldwide, encrypting all of the company’s data.
2017: Equifax hack
In September 2017, credit reporting agency Equifax suffered a data breach impacting up to 143 million Americans. The breach allowed hackers to access and steal customers’ personally identifiable information, including Social Security numbers, birth dates and home addresses. The incident also affected some Canadian and British consumers.
The hack was made possible by an unpatched web application vulnerability. While it was not immediately clear who hacked Equifax, the U.S. government in 2020 indicted four members of China’s military in relation to the attack. The indictments suggest the Equifax hack was part of a continuing operation by Chinese military and intelligence agencies to steal personal information from various sources. The hackers’ ultimate goal was to better target American intelligence officers and officials in various operations, including for bribery or blackmail.
2020: SolarWinds attack
In early 2020, attackers believed to be associated with the Russian government secretly compromised the update server belonging to Texas-based SolarWinds’ Orion IT resource management tool. The compromise allowed the attackers to add a small amount of malicious code that, when downloaded by businesses as part of a software update, granted the attackers backdoor access to the affected companies as part of a supply-chain attack. This backdoor allowed them to install additional malware to spy on affected businesses and organizations.
SolarWinds estimated that, over the span of months, up to 18,000 customers installed the malicious updates that left them vulnerable to additional attacks by the hackers. Impacted organizations included cybersecurity company FireEye, tech companies like Microsoft and Cisco, and U.S. government agencies, including parts of the Pentagon, Department of Energy and Treasury.
The perpetrators’ goal was espionage and data theft. As the attacks lasted for months and were highly stealthy, many companies were unaware they were affected or unsure what data may have been stolen.
2021: Kaseya VSA attack
In July 2021, REvil — a cybercriminal group specializing in ransomware attacks — launched a supply-chain attack via the software company Kaseya’s VSA platform. The attack, which exploited unpatched vulnerabilities, moved through Kaseya to a number of managed service providers (MSPs) using the VSA platform and ultimately to clients of the MSPs. Altogether, the ransomware attack affected more than 1,000 companies.
REvil demanded a $70 million ransom after launching its attack. Kaseya wouldn’t confirm, however, if it ended up paying for the decryptor tool it eventually used to regain access to the affected files. This incident marked the adoption of highly sophisticated tactics by a cybercriminal group using methods that had previously only been successfully used by government-linked hackers.
2022: Lapsus$ attacks
Throughout the course of 2022, a highly capable cybercriminal group calling itself Lapsus$ carried out a string of cyberattacks against some of the biggest names in the technology industry. The attacks largely led to data breaches and leaks.
Lapsus$ primarily carried out attacks against its targets by tricking unsuspecting individuals into inadvertently sharing passwords or other login credentials in a process called social engineering. After gaining access to a company network via the nefariously obtained credentials, Lapsus$ stole data and then extorted the affected business into paying a ransom in exchange for the group not leaking the stolen information.
The following companies were among those affected by Lapsus$ throughout the year:
- NVIDIA (breach impacted tens of thousands of employee credentials and proprietary information)
- Samsung (internal company data and source code for Samsung’s Galaxy devices stolen)
- Ubisoft (incident disrupted games and company services)
- Microsoft (portions of source code for Bing and Cortana stolen)
- Uber (internal Slack messages and information from an internal invoicing tool stolen)
Lapsus$ appeared to have slowed its operations in April 2022 after a string of people connected to the group were arrested. The group made a comeback a few months later, which was followed by another series of arrests that September.
Did you know?: While cybersecurity incidents have increased in scope and sophistication over the past decade, the majority of attacks still begin through the same starting points: human error, likely due to phishing emails, as well as outdated or unpatched systems that introduce technical vulnerabilities.
Cybersecurity best practices evolving alongside cyberattacks
With the combination of growing security vulnerabilities and employees who fall prey to malicious web and email schemes, small businesses need more protection than ever. The rise of malware variants like ransomware has radically shifted the destructive potential of attacks, as well as the financial impacts companies need to be prepared to weather. Fortunately, mitigation tools have evolved alongside these attacks. The following best practices can help secure your business as cybersecurity risks increase.
Invest in technology — and employee education.
Training should include activities like phishing email exercises and teaching employees the importance of using unique, strong passwords. Additionally, staff should be taught to use multifactor authentication — which requires a password as well as an additional, temporary security code only the employee should have access to — whenever possible. Workers should also know the signs a computer is infected with viruses or malware.
Craig Kensek, the chief marketing officer of IT-Harvest, stressed that protecting your business from cyberattacks doesn’t just mean implementing technological solutions. It requires a multifaceted strategy that involves both technology investments and education.
“The most effective protection from hacks includes educating your user base to not click on risky links, understanding how advanced malware manifests, and having a solid defensive plan to your exposed cyber footprint,” he said.
While Kensek advised businesses to invest in malware protection and Generation III products, which include the ability to protect web, email and file-share traffic, employee training is at the heart of mitigating phishing-based attacks.
“Consider web surfing training and make sure employees know what to look for on website downloads, suspected bad links and social networking. Have a defined use policy for the web, applications, file shares and email communication,” Kensek said.
Look at your network architecture.
Cyberattacks have evolved in large part to take advantage of the growing complexity of business networks. Companies no longer have to secure only a few computers connected to each other over a physical network. They also need to grapple with mobile cyberattack risks stemming from cell phones and tablets, the ubiquitous nature of the cloud and even internet-connected smart devices and the Internet of Things. Each of these provides additional avenues of attack for hackers and can function as access points into your wider company network.
Businesses can help limit their cybersecurity complexity by applying zero-trust architecture (ZTA). ZTA is a security practice that focuses on users, assets and resources with an eye on setting appropriate access controls and management. Essentially, ZTA assumes the network may already be breached, so every access request is authenticated and validated regardless of who makes it or where it comes from, rather than trusting anyone simply because they are inside the network.
By applying ZTA, businesses limit the scope of any potential security breach by restricting how much access any single user has. Additionally, ZTA systems monitor typical employee actions on a network; if a user is behaving irregularly, the system will flag that as suspicious — helping to catch potential breaches in action.
Talk to your providers and spread your resources.
“In order to protect yourself, you have to do as much as you can to ensure that the company you registered your domain name with is protecting that domain name,” said Cedric Leighton, founder and president of Cedric Leighton Associates, a strategic risk management consultancy. The problem is that most companies don’t have adequate protection, he said.
“[The] key is to have something like OpenDNS, which registers websites used by hackers like the SEA [involved in The New York Times hack],” Leighton said. “When attempts come from such websites to re-direct legitimate internet traffic to ‘bad’ or unauthorized sites, the request to do so is automatically blocked. Unfortunately, most people don’t know that they need to look into this to protect themselves from such hacks.”
This means businesses need to be more well-informed about their security options and have mitigation and disaster recovery plans established for not if but when an attack happens.
Start by having an in-depth conversation with your internet providers. Talk to them not only about whether or not you are protected but about precisely how you’re protected if an attack occurs.
“First off, you need to ask your [internet service provider], ‘What will you do if I am attacked?’” said Pierluigi Stella, chief technology officer of Network Box USA, a computer security provider. “Don’t hope for them to say, ‘We’ll protect you.’ That’s not going to happen. The ISP will most likely reply, ‘We’ll take you offline.’”
Next, determine exactly which areas of your website need to be protected, such as the website itself and your DNS servers. To protect against an attack that takes down your DNS servers, Stella said your modus operandi should be to divide and conquer.
“Have multiple DNS hosted in different locations. If you’re really wanting to host your own DNS servers, host a backup somewhere else, maybe with a registrar or maybe with some other large web-hosting company with sufficient resources to not be too worried about DDoS attacks. Hosting DNS is not an expensive endeavor, and if you spread your presence, it’s far more difficult to take you down completely,” Stella said.
To keep your website online and prevent data loss, Stella recommended having copies housed in cloud storage. Should attackers lock your main website, you will be able to reconfigure your DNS to point to the secondary website for the time being, he said.
Apply “defense in depth.”
As cyberattacks become more complex, businesses need to think beyond one-size-fits-all security approaches. The days of installing a firewall and antivirus software and calling it a day are unfortunately gone. Now, companies need to prepare with a defense-in-depth security posture.
This refers to an effective business cybersecurity policy that involves a multilayered approach to security. Firewalls and antivirus programs are still integral defenses, but these tools are no longer enough to secure your devices from hackers. Instead, they should be combined with elements like ZTA, employee training, VPN connections for remote workers, top employee monitoring solutions and encryption of all company data.
While no security solution is foolproof, layering defenses greatly increases the odds of minimizing the worst outcomes from any security incident that arises.
Don’t overlook maintenance.
A common theme among some of the worst cyberattacks in the past decade was how attackers managed to first gain entry to the affected systems via unpatched software vulnerabilities. Businesses can significantly increase their overall cybersecurity by auditing their systems regularly and creating a running inventory of all software and hardware, noting the version of each program and the last time it was updated.
After creating this inventory, companies should maintain a regular patch-management schedule. Businesses should also sign up for vendor alerts warning of critical vulnerabilities that should be patched as soon as possible. If working with an MSP, ensure they are also monitoring and applying patches at an acceptable cadence.
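The inventory-and-cadence check described above can be automated. The following is an added example, not code from the original article: it reads a constructed software inventory (product names, versions and dates are made-up sample data), compares each entry against an assumed list of latest vendor versions, and flags anything that is behind or has gone longer than an assumed 90-day patch window without an update.

```python
"""Flag out-of-date or stale entries in a software inventory.

Added example (not from the original article). The inventory, the
"latest version" table and the 90-day cadence are all constructed
assumptions standing in for a real asset inventory and vendor alerts.
"""
import csv
import io
from datetime import date

# Constructed sample inventory: host, software, installed version, last patch date.
INVENTORY_CSV = """host,software,version,last_updated
web-01,nginx,1.24.0,2024-01-10
web-01,openssl,3.0.8,2023-06-02
db-01,postgresql,15.3,2023-11-20
mgmt-01,rmm-agent,9.5.7,2023-02-15
"""

# Constructed stand-in for a vendor advisory feed (not real release data).
LATEST_VERSIONS = {
    "nginx": "1.24.0",
    "openssl": "3.0.13",
    "postgresql": "15.6",
    "rmm-agent": "9.5.9",
}

MAX_PATCH_AGE_DAYS = 90  # assumed patch-management cadence


def version_tuple(version):
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_stale(inventory_csv, latest, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (host, software, reason) tuples for entries that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name, installed = row["software"], row["version"]
        age_days = (today - date.fromisoformat(row["last_updated"])).days
        # Behind the vendor's current release: a known-vulnerable version may be installed.
        if name in latest and version_tuple(installed) < version_tuple(latest[name]):
            findings.append((row["host"], name, f"behind vendor version {latest[name]}"))
        # Past the patch window even if no newer version is known: the cadence is slipping.
        if age_days > max_age_days:
            findings.append((row["host"], name, f"not updated in {age_days} days"))
    return findings


if __name__ == "__main__":
    for host, software, reason in find_stale(INVENTORY_CSV, LATEST_VERSIONS, date(2024, 3, 1)):
        print(f"{host}: {software}: {reason}")
```

Pointing the script at a real inventory export and a vendor advisory feed turns the article's "running inventory" into a repeatable check rather than a one-off audit.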
Preparing for the worst
Cyberattacks have become more common, more sophisticated and more destructive over the past decade. Unfortunately, businesses continue to face higher rates of cybercrime year after year. Businesses of all sizes should prepare for worst-case scenarios in their security planning.
There is a silver lining, though. While there is no such thing as perfect security, businesses can greatly reduce the chances of a damaging attack by following cybersecurity best practices, such as those outlined above. These practices can change a cybersecurity incident from potentially being a business-shuttering attack to a moment of controlled chaos. Learn more in our detailed cybersecurity guide for small businesses.
Sara Angeles contributed to this article. Source interviews were conducted for a previous version of this article.