Small businesses - The next target for heavyweight hackers

It’s fair to say cyber criminals follow a pattern, at least as far as the headlines are concerned. Whether it’s Sony or JPMorgan, they routinely appear to seek out large multinationals with extensive supply chains and look for the chink in their armour.

Whilst these stories reflect the truth of the threat facing big corporates, they also act to conceal the wider story involving hacks to smaller, growing businesses with more vulnerable systems and highly valuable intellectual property.

The truth is, even the businesses you pass on the high street are now becoming a prized target for cyber criminals. According to a 2013 survey by the National Small Business Association, 44 per cent of SMBs admit they have been victimised by a cyber attack.

This lack of visibility is part of what makes SMBs and local government agencies such prime targets. Attacking a host of smaller businesses lets attackers work largely under the radar whereas large, well-publicised hacks quickly get the attention of law enforcement and government agencies. A subsequent trend is for hackers to go after multiple businesses within vertical market segments, letting them take advantage of common vulnerabilities such as retailers’ point-of-sale devices or patient records from small and mid-sized clinics.

Many small businesses and local agencies believe they’re not big enough to be a cyber crime target. But according to Visa, small businesses represent 90 per cent of all the merchant data breach compromises. Small organisations store valuable data that give hackers big returns, such as credit card numbers, medical records, or personal information kept by legal offices, accountants or even the local court house. In some cases, the SMB may not be directly targeted, but still takes a hit. Hackers have honed their abilities to perform automated, opportunistic attacks that constantly scan the Internet looking for unprotected systems. So even if the victim doesn’t have valuable data to steal, its network could be hijacked and become an unwitting proxy through which new attacks are routed.

Of course, Main Street also offers plenty of low-hanging fruit. Small companies and agencies may not have the budgets or in-house expertise to keep software and systems at their peak defensive capabilities. In fact, the recent PwC Global State of Information Security Survey found that small firms (with revenues under $100 million) actually cut security spending by 20 per cent in 2014, compared to a five per cent increase in security investments by larger companies. With restricted budgets and knowledge, SMBs often limit their network security to a standard stateful packet filter firewall and signature-based antivirus, which only block limited network attacks and are days or even weeks behind new zero-day malware variants. Limited security makes small firms attractive targets for the sophisticated and constantly changing attacks being used by today’s hackers.

Attacks on SMBs have impacts on larger companies as well. Hackers have learned that the way into a well-protected big target is by infiltrating the network of a smaller supply-chain partner in order to gain back-door access to the larger company’s systems. Reports indicate the 2014 Target store breach occurred when attackers stole network credentials from Target’s HVAC provider.

So what can small companies do to protect themselves without a big-company IT department - and corresponding budget? Here are four simple and budget-friendly steps SMBs can take to keep Main Street safe from cyber crime:

Software updates and patches: More than 90 percent of Internet exploits leverage old flaws that manufacturers have already addressed but that users simply haven’t incorporated. Software patches and upgrades are free or relatively low-cost, take no special technical expertise to install, and are one of the most important basic security steps for any size business. Make a habit of regularly patching operating systems and other applications, and apply firmware updates to hardware.

Basic firewall upgrade: New cyber threats are far more sophisticated than they were even a year ago. Advanced security devices such as next-generation firewalls (NGFW) and unified threat management (UTM) appliances are designed to stop today’s broad array of new and evolving attacks, including zero-day malware. What’s more, these technologies are now cost-effective and easy for SMBs to manage.

Strong password policy: Adopt, communicate, and enforce a strong company password policy. Adopting a password manager for the organisation is an easy way to help employees use new, effective passwords for every application, change them regularly, and keep them safe and secure.

Awareness training: All the defenses in the world may not prevent an employee from making a silly mistake. Train employees on Internet safety so they’re wary of attachments or links in emails, even if they seem to come from people they trust.

Corey Nachreiner, CTO at WatchGuard Technologies.

Image Credit: Shutterstock/Benoit Daoust