When Pamela (not her real name) sat down at her desk one recent weekday
morning, online security was the furthest thing from her mind. Sure, she
had a basic knowledge of common-sense security practices. She wasn’t
the type to use insecure passwords...
or download dubious content from the
Web. As chief financial officer for a small Chicago-based manufacturing
company, she regarded her PC as a no-nonsense work tool. Still,
somewhere along the way, a little snippet of malware slipped onto her
PC, and it would soon threaten her company’s survival.
According to Brian Yelm, CEO of Chicago tech services provider Technologyville,
Pamela’s malware did one nefariously simple thing: It caused her
browser to redirect all bank URLs to a set of phony sites that looked
just like their legitimate counterparts. Scams built on look-alike sites are usually
filed under phishing; strictly speaking, silently redirecting the browser itself is
pharming, and the phone call that followed is voice phishing, but the goal is the same:
harvest credentials and talk the victim into handing over control of the account.
When Pamela logged in to the look-alike site, a message prompted her to
call customer service about a problem with her company’s account. She
dialed the number on the screen, and after a few simple questions from
the agent on the line, every single penny in her company’s account
disappeared. More than $300,000, gone in minutes.
Pamela and the company were lucky. They immediately discovered the
missing funds and pulled out all the stops to recover the money from
their bank. And with Technologyville’s help, they traced the IP
addresses and phone calls back to a hacker group in Eastern Europe.
Justice was served. The money was recovered. Pamela’s company survived.
Not every company that gets hacked is so lucky. According to the National Cyber Security Alliance,
one in five small businesses falls victim to cybercrime each year. And
of those, some 60 percent go out of business within six months after an
attack.
Now let’s pause for a moment, and restate that another way: You’ve got a
20 percent chance of being hacked, and if it happens there’s a good
chance your business is finished.
Of course, not every small business is equally likely to fall prey to
cybercrime. Attackers don’t generally discriminate by company type,
valuation, or any other characteristic of the business itself. Instead,
they look for one thing: vulnerability.
“Most small business owners still don’t get security, don’t think it’s
an issue, and are pretty defenseless,” says Neal O’Farrell of Think Security First,
a security consultancy based in Walnut Creek, California. “They assume
hackers would need to pick their business out of 27 million others, not
realizing that the attacks are automated and focused on discovering
vulnerabilities.”
Smaller companies are increasingly attractive targets for attackers, too. Symantec’s latest annual Internet Security Threat Report
found that companies with fewer than 250 employees constituted a
staggering 31 percent of targeted attacks in 2012—a massive jump from 18
percent the year before.
Why the huge increase? Smaller companies are simply easy pickings, and they don’t fight back like bigger companies.
“Small businesses represent low risk and little chance of exposure for
thieves,” says O’Farrell. “They typically lack the monitoring,
forensics, logs, audits, reviews, penetration testing, and other
security defenses and warning systems that would alert them to a
breach.”
And just because a company is small, that doesn’t mean it can’t net huge
payoffs for attackers. Often, a breach against a small fry can yield
useful data for attackers seeking to target bigger fish. So a series of
easy attacks against more-vulnerable small businesses can ultimately
enable a hacker to orchestrate a much bigger attack elsewhere, while
uncovering plenty of valuable spoils—ranging from employee data and
cloud logins to customer data and banking credentials—from the smaller
players along the way.
No experience required
Meanwhile, finding victims has gotten easier for criminals. “The tools
used by hackers and cybercriminals have become cheap and easy to
acquire,” says JD Sherry, vice president of technology and solutions at
security software maker Trend Micro.
Worse still, these hacking tools have become so easy to use that one
need not be a bona fide hacker to use them. With minimal input from the
user, a hacking kit can run a series of scripts that probe many thousands
of IP addresses across the Web for exposed services (open ports) on
Internet-facing machines; plant spyware or Trojan horse software on
websites by exploiting widespread weaknesses in technologies such as
Java and Flash; or fire off thousands of phishing emails in the hope that
a few recipients click through and receive a small nugget of malware that
leaves their PC open to further attacks.
Yelm concurs: “You don’t have to be very smart to do this.”
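What this automated probing looks like from the defender’s side, as an added example (not code from the article, from Technologyville, or from Trend Micro): the script below parses a constructed, simplified firewall deny log and flags any source that is denied on several distinct destination ports of one host within a short time window, which is the signature of a port sweep. The log format, the addresses (documentation ranges), the threshold and the window are all assumptions made for the example; adapt the regular expression to your own firewall’s log lines.

```python
"""Flag port-scanning sources in firewall deny logs (added example).

A source is reported once it has been denied on at least THRESHOLD distinct
destination ports within WINDOW. The log format below is a constructed,
simplified iptables-style line; real firewalls differ, so adjust LOG_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

THRESHOLD = 5                   # distinct destination ports (assumed tuning value)
WINDOW = timedelta(seconds=60)  # sliding window (assumed tuning value)

# Constructed sample: 203.0.113.7 sweeps six ports in four seconds;
# 198.51.100.4 just retries one port; 198.51.100.9 touches five ports
# but only one every half hour (a slow scan).
SAMPLE_LOG = """\
2013-06-03T09:00:01 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2013-06-03T09:00:01 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2013-06-03T09:00:02 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2013-06-03T09:00:02 DENY SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2013-06-03T09:00:03 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2013-06-03T09:00:03 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2013-06-03T09:00:04 DENY SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2013-06-03T09:05:00 DENY SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2013-06-03T10:00:00 DENY SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
2013-06-03T10:30:00 DENY SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23
2013-06-03T11:00:00 DENY SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=25
2013-06-03T11:30:00 DENY SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
2013-06-03T12:00:00 DENY SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443
"""


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def find_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: (first_alert_time, sorted_ports)} for flagged sources.

    Events are grouped per source and sorted; a two-pointer sweep keeps only the
    events inside the trailing window and counts distinct ports among them.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            events[src].append((ts, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _port) in enumerate(evs):
            while evs[start][0] < ts - window:   # drop events older than the window
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = (ts, sorted(ports))
                break                            # first alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, (when, ports) in find_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible port scan from {src}: ports {ports}")
```

With the defaults only 203.0.113.7 is reported. The slow scanner 198.51.100.9 is the caveat: a one-minute window never sees more than one of its probes, so it is only caught when the window is widened (for example to a few hours), at the cost of more noise from legitimate retries. In practice you would feed flagged sources to a block list or your provider’s abuse contact, and keep the raw log, since the log is exactly the kind of record O’Farrell says most small businesses do not have.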
But small-business owners do need to be smart, and that starts
with understanding that the security landscape has changed. Small
companies can no longer rely on security through obscurity, because
automated hacking tools from all over the world are constantly scouring
the Internet for vulnerable machines. Meanwhile, every company of any
size now has an overwhelming abundance of connected devices and
cloud-based services that present a feast of opportunity for attackers.
Unsecured mobile devices—especially Android phones and tablets—used as
BYOD (Bring Your Own Device) business equipment make it all too easy for
a cybercriminal to slip malware onto a device and collect usernames and
passwords for social networks, business networks, and even banking
systems. Once a cybercriminal gets a single sales rep’s CRM login, he
can wreak havoc with customer accounts.
According to the Ponemon Institute,
which tracks data surrounding digital privacy and security, recovering
from an attack on a customer database can cost an average of $194 for
every compromised customer record. Those are just remediation costs, and
that number doesn’t account for additional costs due to reputation
damage, lawsuits, and lost business. No wonder so many small companies
go bankrupt after an attack. If the hackers don’t siphon hundreds of
thousands from your account, you may have to pay it out anyway just to
fix the problems they cause.
What you can do
Safeguarding your company against security threats doesn’t necessarily
mean hiring a full-time IT security pro for your small business. There
are four simple steps any small company can take to protect against
cyberattacks.
1. Use protection on every device: Regardless of the
platform, use strong, unique passwords (a password manager makes that
practical) and full-disk encryption on every device that
touches your business, from phones and tablets to laptops and desktops.
If the device supports third-party anti-malware apps like those from
McAfee, Symantec, or Trend Micro, install one.
2. Run business-grade unified malware protection: Consumer
antivirus apps aren’t sufficient to secure a business’s tech
infrastructure. Business-class security suites offer multidevice
protection that includes ensuring that all devices get regular updates
and security patches. This is key, since 90 percent of attacks exploit
known bugs in software that has simply never been patched.
3. Train your staff (and yourself) to practice good digital hygiene:
Don’t use the same password on multiple accounts. Don’t follow links in
email. Learn to spot phishing threats, and treat any on-screen prompt to
call a phone number the way Pamela’s page should have been treated: get
the bank’s number from your card or statement, never from the screen
that raised the alarm. Make sure everyone on your staff
knows this stuff, and remind them often.
4. Get a security audit and heed its findings: One of
Technologyville’s clients learned this lesson the hard way last year
when its financial services website fell prey to a teenage hacker who
exploited services left exposed on the site’s server (the open ports the
auditors had flagged) to take control of the
company’s online presence. The security consultants had identified those
threats in an audit for the company a year earlier, yet the company
chose not to act until it was way too late.
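One audit check that speaks directly to the opening story, as an added example (not code from the article or from Technologyville): the script below reads a hosts file and reports any entry that pins one of your banking or payroll domains to an address. The article does not say how Pamela’s malware redirected her browser; editing the hosts file is one common way such Trojans do it, and this example assumes that mechanism. The watch list and the hosts-file contents are constructed for the example.

```python
"""Audit a hosts file for redirected banking domains (added example).

Assumes the hijack works by planting hosts-file entries; the watch list and
SAMPLE_HOSTS below are constructed. On Windows the real file is
%SystemRoot%\\System32\\drivers\\etc\\hosts, on Linux/macOS /etc/hosts.
"""
import ipaddress

# Constructed watch list: the domains your business actually uses for money.
WATCHED_DOMAINS = {"examplebank.com", "payroll.example.net"}

# Constructed hosts file: the first two entries are normal, the next two are
# the kind a redirecting Trojan plants, the last is a harmless ad-blocking line.
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    payroll.example.net
0.0.0.0         ads.example.org   # blocking entry, harmless
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:                       # not an address: skip the line
            continue
        for name in parts[1:]:
            yield addr, name.lower()


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hijacks(hosts_text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, kind)] for every watched domain found in the file.

    A legitimate hosts file should not mention a bank's domain at all. Entries
    pointing at loopback or 0.0.0.0 merely block the site ("blocked"); anything
    else sends the browser to a server the attacker controls ("redirected").
    """
    findings = []
    for addr, name in parse_hosts(hosts_text):
        if not is_watched(name, watched):
            continue
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

Run it against the live file with `find_hijacks(open(path).read())`; any “redirected” result means a browser on that machine would reach the attacker’s look-alike site even when the user types the correct address, and the host should be treated as compromised rather than merely cleaned up. A clean hosts file is not proof of safety, since the same redirection can be done at the DNS or proxy level, which is why the page’s advice to keep anti-malware and patches current still stands.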
The unfortunate truth about digital security is that protecting your
business from online threats isn’t a one-time expense or a
set-it-and-forget-it solution. It’s an ongoing process and a necessary
part of running any business that relies on data and the Internet for
its survival. Your website, your desktop and laptop computers, your
mobile phones, and all the online services you use to manage every
aspect of your business are all potential entry points for an attack.
And if you don’t protect them, or if you put security on the back burner
as a future project, your company may not survive to get a second
chance.