Cybersecurity threats continue to expand, with hackers targeting small businesses and nonprofit organizations as well as large corporations. Cybercriminals want financial information, customer information and business secrets. Sales of stolen digital data are estimated to be a multibillion dollar market—equal to if not greater than the illegal drug market (Schmid, 2015).

Regardless of the type of business or organization, key threats from hackers include:

Ransomware is a general name for malware that is designed to lock data files via encryption and demand payment to receive a key to unlock the files. Common versions of ransomware include CryptoLocker and CryptoWall. Police ransomware is a variation that tells the victim a law enforcement agency, such as the FBI, caught the victim performing an illegal act on the Internet and demands payment (Zetter, 2015).

The FBI is highly concerned about the increase in cyber economic espionage (Bruer, 2015; FBI, 2015). Nation-states and possibly individual criminal hackers or organized gangs increasingly target businesses to steal company secrets (Goodman, 2015; Zetter, 2015). They penetrate a business’s network and steal blueprints, sales strategies, merger plans, product designs, patents, and formulas. The stolen information is used for gain in another company to improve the other company’s competitive advantages.

Hackers continue to make their malware more sophisticated. They target specific audiences to improve their odds of success. The attacks are more secretive, with hidden coding and paths of entry.

Businesses are susceptible to malware attacks on their public websites. The intent is often to use the website as a distribution point for malware. Commonly called “drive-by downloads,” a visitor to the site is unknowingly infected with malware that is then added to the visitor’s PC for future attacks or theft of information.

Many businesses allow employees to use their personal mobile device for work. The practice is called “Bring Your Own Device” (BYOD). While this allows for great interaction by employees between their work life and their personal life, it creates potential cybersecurity risks. The most commonly used mobile devices operate with the Android operating system. Many applications designed for Android smartphones include malware. The malware on the device can steal company information stored on the device such as passwords, client information, and other business details. When the device is connected to a network, the device can transfer the malware to the network, allowing hackers to penetrate the company’s network.

Cyber criminals steal many types of personal private information from system networks that have access flaws. Personally identifiable information, frequently referred to as PII, can include any information that is not commonly available (Ashford, 2015). Types of information include Social Security numbers, personal identification numbers (PINs), health records, and financial information (BakerHostetler LLP, 2015).

Cybercriminals have numerous ways to perpetrate their crimes. They may use technology flaws, human behavior patterns, or penetration attacks. They may need to gather intelligence to further their efforts, or they may attack broadly, knowing that volume will work in their favor. The criminal hacker’s end-game is to either plant malware for future access or gain knowledge to penetrate a business’s network system. Once they have access, the criminal can steal valuable data, customer information, company secrets, or other digital data (Rainie, Anderson, and Connolly, 2014).

It is estimated that over 50 percent of all e-mail contains malware (National Small Business Association, 2013). In June 2015, over 57 million new malware variants were identified. By spear phishing, hackers target employees with an e-mail that contains either an infected document or URL that spreads the malware into a company’s network if opened. With spear phishing, the e-mail includes information that creates the illusion that the e-mail is from a known source, either by personalizing the e-mail, by including reference to a senior management request, or by including specific knowledge. The recipient is led to believe the e-mail and any attachments are safe.

Cybercrime social engineering is often described as a way to get a victim to do something a hacker wants, often without the victim realizing it. The hacker uses tactics such as pretexting, manipulation, and authority. Pretexting is a form of social engineering that includes a plausible lie, or pretext, to make the scam believable to the victim. Manipulation is when a victim is simply tricked by the social engineer to provide information, and authority is when scammers act as if they are in a position of authority, such as stating the hacker is an agent from the home office or tech support and demand information from the victim, as many people seek to please those in authority. The hacker’s objective is to elicit information from a source that can help the hacker learn how to penetrate the system.