SMALL BUSINESS RISKS
Small business is the soft underbelly of network security, often lacking the sophisticated and comprehensive defense systems of larger corporations. Yet the threat to smaller entities is just as real, if not greater. The truth is that cyber-criminals do not distinguish between small and large businesses when probing the internet; viruses are equal-opportunity vehicles of destruction. Furthermore, the data stolen from a small business can be just as valuable as data from a larger entity and can often provide a gateway into those larger organizations. The recent breach at Target is just one example of how weaknesses in smaller companies can compromise the security of a larger one, and how these side doors can remain unnoticed for months. Moreover, while any security breach can be painful, embarrassing, and expensive, smaller companies often lack the resources to fix and pay for cyber damages, and the future of a small business can be placed in jeopardy due to a single data breach. Therefore, it is in everyone’s best interest, large and small companies alike, to optimize cyber defense systems, and PacketViper’s unique power to protect, low cost, and ease of use make it an essential part of a comprehensive security network for a company of any size.
IN THE NEWS
Small Businesses Now Bigger Targets In Cyberattacks
Half of all targeted attacks last year hit companies with less than 2,500 employees, and overall, targeted cyberattacks jumped 42 percent in 2012, new Symantec data shows
It's not just the big boys who the bad guys are hacking anymore: Smaller, more vulnerable, and defenseless organizations are now one of the most popular targets, newly published data shows. As targeted cyberattacks increased by 42 percent last year, nearly one-third of all of these attacks were aimed at businesses with less than 250 people.
"Smaller businesses presume they are not a target. But we think attackers [are targeting] them because they have weaker security settings and are probably easier to penetrate. Plus they do work with larger organizations ... and attackers can use small companies as a stepping stone to larger ones or as an entry point into getting the information they want," says Vikram Thakur, principal security response manager for Symantec, which today released these latest findings as part of its 2013 Internet Security Threat Report. "They need to expect that."
In some cases, the smaller firm may be a supplier of key elements of a larger firm's intellectual property, too, which also makes it a juicy target, he says. Attackers also infiltrate smaller, easier-to-hack businesses in hopes that they will ultimately lead to bigger, more lucrative firms, he says. "One theory is they stay under the radar in smaller firms in hopes the smaller ones will be acquired by a larger company and then their networks will merge, and they'll have an existing foothold," Thakur says. "Another theory is that if they get in smaller companies, they can then use" its tunnel to a larger business partner's network, he says.
Hackers put a bull's-eye on small business
by Robert Strohmeyer, PCWorld
When Pamela (not her real name) sat down at her desk one recent weekday morning, online security was the furthest thing from her mind. Sure, she had a basic knowledge of common-sense security practices. She wasn’t the type to use insecure passwords or download dubious content from the Web. As chief financial officer for a small Chicago-based manufacturing company, she regarded her PC as a no-nonsense work tool. Still, somewhere along the way, a little snippet of malware slipped onto her PC, and it would soon threaten her company’s survival.
According to Brian Yelm, CEO of Chicago tech services provider Technologyville, Pamela’s malware did one nefariously simple thing: It caused her browser to redirect all bank URLs to a set of phony sites that looked just like their legitimate counterparts—a technique called phishing. When Pamela logged in to the look-alike site, a message prompted her to call customer service about a problem with her company’s account. She dialed the number on the screen, and after a few simple questions from the agent on the line, every single penny in her company’s account disappeared. More than $300,000, gone in minutes.
Pamela and the company were lucky. They immediately discovered the missing funds and pulled out all the stops to recover the money from their bank. And with Technologyville’s help, they traced the IP addresses and phone calls back to a hacker group in Eastern Europe. Justice was served. The money was recovered. Pamela’s company survived.
Small businesses constituted 31 percent of targeted attacks in 2012.
Not every company that gets hacked is so lucky. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.
Now let’s pause for a moment, and restate that another way: You’ve got a 20 percent chance of being hacked, and if it happens there’s a good chance your business is finished.
Of course, not every small business is equally likely to fall prey to cybercrime. Attackers don’t generally discriminate by company type, valuation, or any other characteristic of the business itself. Instead, they look for one thing: vulnerability.
“Most small business owners still don’t get security, don’t think it’s an issue, and are pretty defenseless,” says Neal O’Farrell of Think Security First, a security consultancy based in Walnut Creek, California. “They assume hackers would need to pick their business out of 27 million others, not realizing that the attacks are automated and focused on discovering vulnerabilities.”
Smaller companies are increasingly attractive targets for attackers, too. Symantec’s latest annual Internet Security Threat Report found that companies with fewer than 250 employees constituted a staggering 31 percent of targeted attacks in 2012—a massive jump from 18 percent the year before.
Why the huge increase? Smaller companies are simply easy pickings, and they don’t fight back like bigger companies.
“Small businesses represent low risk and little chance of exposure for thieves,” says O’Farrell. “They typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.”
And just because a company is small, that doesn’t mean it can’t net huge payoffs for attackers. Often, a breach against a small fry can yield useful data for attackers seeking to target bigger fish. So a series of easy attacks against more-vulnerable small businesses can ultimately enable a hacker to orchestrate a much bigger attack elsewhere, while uncovering plenty of valuable spoils—ranging from employee data and cloud logins to customer data and banking credentials—from the smaller players along the way.
No experience required
Meanwhile, finding victims has gotten easier for criminals. “The tools used by hackers and cybercriminals have become cheap and easy to acquire,” says JD Sherry, vice president of technology and solutions at security software maker Trend Micro.
Worse still, these hacking tools have become so easy to use that one need not necessarily be a bona-fide hacker to use them. Instead, with minimal input from the user, a hacking app can initiate a series of scripts to probe many thousands of IP addresses across the Web, seeking out open ports on endpoint PCs; planting spyware or Trojan horse software on websites using widespread weaknesses in technologies such as Java and Flash; or firing off thousands of phishing emails with the aim of getting a few people to click through and receive a small nugget of malware that will leave their PC vulnerable to further attacks.
Yelm concurs: “You don’t have to be very smart to do this.”
But small-business owners do need to be smart, and that starts with understanding that the security landscape has changed. Small companies can no longer rely on security through obscurity, because automated hacking tools from all over the world are constantly scouring the Internet for vulnerable machines. Meanwhile, every company of any size now has an overwhelming abundance of connected devices and cloud-based services that present a feast of opportunity for attackers.
Thanks to easy-to-use hacking tools, one doesn’t even need to be a “hacker” to launch a cyberattack.
Unsecured mobile devices—especially Android phones and tablets—used as BYOD (Bring Your Own Device) business equipment make it all too easy for a cybercriminal to slip malware onto a device and collect usernames and passwords for social networks, business networks, and even banking systems. Once a cybercriminal gets a single sales rep’s CRM login, he can wreak havoc with customer accounts.
According to the Ponemon Institute, which tracks data surrounding digital privacy and security, recovering from an attack on a customer database can cost an average of $194 for every compromised customer record. Those are just remediation costs, and that number doesn’t account for additional costs due to reputation damage, lawsuits, and lost business. No wonder so many small companies go bankrupt after an attack. If the hackers don’t siphon hundreds of thousands from your account, you may have to pay it out anyway just to fix the problems they cause.