
Small business owners can often feel like they’re safe from cyber attacks and brute force attacks because of their size. However, that couldn’t be further from the truth. According to Cyber Crime Magazine, more than half of all cyber attacks are directed toward small businesses, and over 60% of those that fall victim to cybercrime go out of business within six months of the attack.

As with all aspects of cybersecurity, there are many reasons why cybercriminals choose to target small businesses. With 43% of all small businesses lacking cybersecurity defense plans, and one in five lacking endpoint security protections, cybercriminals know that small businesses are typically an easy target.

While there are hundreds of different ways cybercriminals can infiltrate a small business, brute force attacks are one of the most common. Here’s what every small business owner needs to know about brute force attacks:

1. There’s More Than One Type of Brute Force Attack

A brute force attack is when a hacker attempts to log in to user accounts by trying different username and password combinations. Simple brute force attacks rely on hackers logically attempting to deduce login credentials, such as attempting to log in as “admin,” or trying the password “guest123.”

In some cases, hackers will attempt to guess passwords using a dictionary of common names or phrases, which is referred to as a dictionary attack.

Hackers also tend to have access to websites with “dumps” of login credentials from previous breaches, so they may try previous passwords associated with a username or email address. This is known as credential stuffing.
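
These attack types leave different traces in authentication logs, which is how a defender can tell them apart. The following is an added example, not part of the original article: it groups failed logins by source address, and the event format, thresholds, and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (source_ip, username, success)
SAMPLE_EVENTS = (
    [("203.0.113.5", "admin", False)] * 12            # one account, many guesses
    + [("198.51.100.7", f"user{i}@example.com", False) for i in range(15)]
    + [("198.51.100.7", "user15@example.com", True)]  # one leaked pair worked
    + [("192.0.2.10", "maria", False), ("192.0.2.10", "maria", True)]  # typo
)

def classify_sources(events, min_failures=10):
    """Label each source IP by the shape of its failed logins.

    Thresholds are assumptions for illustration; tune them to your traffic.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append(user)

    report = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue  # ordinary mistyped passwords
        distinct = len(set(users))
        # Many guesses per account: simple or dictionary brute force.
        # About one guess per account across many accounts: credential stuffing.
        if len(users) / distinct >= 5:
            label = "password guessing"
        elif distinct >= min_failures:
            label = "credential stuffing"
        else:
            label = "mixed"
        report[ip] = {
            "label": label,
            "failures": len(users),
            "accounts_targeted": distinct,
            # Accounts that logged in from a flagged source need a reset.
            "possibly_compromised": sorted(successes[ip]),
        }
    return report

if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Logs alone cannot separate a simple brute force attack from a dictionary attack, because the guessed passwords are not recorded; both show up as many failures against one account.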

2. Attackers Often Use Brute Force Attack Automation Tools

Both hackers and security analysts have access to a range of tools to help them run brute force attacks. While simple brute force attacks often don’t require the use of a cracking tool to guess passwords, more complex ones will often use them.

Hydra is one of the most popular tools for simple or dictionary attacks as it quickly runs through thousands of different password combinations for any specified username. Hashcat is another favorite because it supports over 200 different types of hashing algorithms, which are algorithms that encrypt passwords before they’re sent over a network.

3. Brute Force Attacks Aren’t Always Financially Motivated

Small business owners need to understand that while most website security breaches happen for financial reasons, such as to siphon money from bank accounts or to steal and sell proprietary information, this isn’t always the case.

In some cases, hackers may want to run a brute force attack against a small business’s network so they can spy on their Internet traffic or conduct what’s known as a man-in-the-middle attack to steal even more information.

Hackers may also want to bypass website security so they can use a small business website for their own ends. This may involve infecting it with malware to attack users that visit the website and ruin the small business’s reputation by posting offensive or inflammatory content.

Brute force attacks can also be conducted for political reasons, as was suspected to be the case when hackers gained access to 90 email accounts within the UK Government.

4. Remote Working is a Big Risk for Brute Force Attacks

For small businesses whose employees can work remotely, not being connected to a secured network poses a big risk for password security.

Even if a small business has protected its network within the office, home routers often don’t have the same level of security. Home computers also aren’t likely to be secured in the same way as office computers, and, particularly for employees who are less technologically savvy, may already have malware installed without the user’s knowledge.

In addition, phishing attacks, like emails that trick users into entering their usernames and passwords on fake sites, have been on the rise since the beginning of the COVID-19 pandemic.

These are only two of the risks facing remote employees and small businesses’ password security, but they’re two of the biggest areas of concern when it comes to weakening defenses against a brute force attack.

5. The Best Mitigation is a Strong Password Policy

While brute force attacks can sound scary, the best way to protect against them is, surprisingly, by ensuring that employees follow a strong password policy. Common password policies include:

  • Requiring that users have passwords with at least one special character, one number, and one capital letter, and a minimum length of ten characters
  • Requiring users to change their passwords, usually every three months
  • Implementing two-factor authentication or captcha verification

Small businesses should also consider not having accounts with the usernames “admin” or “guest,” as these are commonly guessed usernames. In addition, randomizing usernames can be a good way to make it harder for hackers to find accounts with more control over a website, network, or system.
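
A policy like this can be enforced when a password is set or changed. The following is an added example, not part of the original article: it checks the composition rules listed above and the "admin"/"guest" username advice, and goes one step further by rejecting passwords that appear in a common-password list or contain the username, since dictionary attacks try those first. The blocklist entries and function names are constructed for illustration.

```python
import string

# Small constructed blocklist; in practice load a list of commonly used
# or previously breached passwords (assumption: not named in the article).
COMMON_PASSWORDS = {"guest123", "password1!", "welcome2024!", "qwerty12345"}
RISKY_USERNAMES = {"admin", "guest"}  # usernames the article says to avoid

def check_password(password, username=""):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Composition rules alone still allow guessable choices such as
    # "Password1!", so also reject known-common passwords (case-insensitive).
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems

def check_username(username):
    """Return False for the commonly guessed usernames the article warns about."""
    return username.lower() not in RISKY_USERNAMES

if __name__ == "__main__":
    for pw, user in [("guest123", ""), ("Password1!", "maria"),
                     ("Maria#Garden42", "maria"), ("Teal-Harbor-93-Lamp", "")]:
        print(repr(pw), check_password(pw, user) or "OK")
```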

Small businesses should also invest in encryption that makes it harder for hackers to discover passwords or, at the very least, consider using a VPN with military-grade (or 256-bit) encryption. Using a VPN is particularly important for employees who work remotely via their home network, or use their personal devices to work from home.

In Summary

Brute force attacks against small businesses are on the rise, but there are plenty of options for small businesses to protect themselves. It’s important to assess security risks ahead of time to make sure the business has the strongest password, network, and website security it can have.

Vervology is here to help small businesses learn more about what they can do to stay safe, as well as provide cost-effective security solutions to suit every budget. To learn more, contact our experts today.