When it comes to hacking and cyber-attacks, certain targets are obvious. The government, large universities, banks and big businesses have all been the victims – or intended victims – of a targeted attack at one time or another. The purpose of the attacks varies, but they are generally designed to steal vital information or disrupt normal operations (or both). Thankfully, most of the larger organizations have security controls in place that prevent such attacks from causing disaster.
However, there is a growing segment of targets for these types of attacks, and it is one that is cause for concern. According to a report by Trend Micro entitled “It’s Big Business and It’s Getting Personal,” attackers steal as much as 1 billion USD from small and medium-sized businesses (SMBs) every year. And that’s just examining the United States and Europe, not the rest of the world. In one attack in particular, Trend Micro discovered more than 2,000 distinct URLs that posed a serious threat. Small business owners, due to the nature of their business and their resources, have every reason to be concerned.
Why Small Business?
You might be thinking “Why small businesses? Don’t larger businesses have more to offer in terms of information and money? Isn’t it more effective to disrupt a large company than a small one?”
Conventional wisdom would say that you are right, that small businesses have less to offer hackers. However, in most cases, targeted attacks on small businesses are a means to an end; a back door, if you will, to gain access to the larger targets.
For example, a small business may work with another company that provides services to the Department of Defense. By illegally accessing the small business’ system, the hacker can then gain access to the DoD system. Or the purpose of the attack could be to gain information and strategic intelligence about a competitor, by getting access to proposals, proprietary software or other tools.
Addressing the Problem
One reason small businesses are so vulnerable to targeted attacks is that they generally do not have the resources that larger companies have to prevent them. Businesses with a few dozen employees, for example, may have one person handling all of the IT security, and a limited budget. They cannot afford complex security systems that will deflect attacks. In fact, a recent survey showed that a little more than half of small businesses do not have any kind of security policy at all.
Not having the proper controls in place leaves small businesses vulnerable to targeted attacks and makes them a weak link in the supply chain. There are, however, some steps that a business can take to reduce its vulnerability and avoid becoming a victim.
- Assess the protection you have, and what you need: If you handle a great deal of sensitive customer data, for example, you need a higher level of protection. And don’t focus only on computers. Protect mobile devices, e-mail servers and network servers as well.
- Test your security systems regularly: Knowing where you are vulnerable is the first step to reducing the risk. If you don’t have the staff or ability to run tests yourself, hire an outside firm for help.
- Consider physical security as well: Do employees take laptops on the road or home? Do they use mobile devices for work? Employ security controls on those devices that will prevent unauthorized access if the device is lost or stolen.
- Educate employees: Many small business attacks come in the form of malware, phishing or e-mail viruses. Teach them how to identify questionable material and what to do in the case of a suspected attack. Use multi-factor authentication for access to company systems, and establish a password policy (or use a password generator) to create strong access credentials.
Keep in mind that as security controls become more sophisticated, so do the criminals. IT security is an ever-changing landscape, and it’s important for small businesses to stay abreast of the latest threats and developments and act accordingly. Simply installing an anti-virus program is not enough. Small businesses need a strong plan and advanced controls to prevent their data from falling into the wrong hands, and potentially devastating the company.
Jamie Weymouth has spent the past ten years working for an internet security company, identifying potential threats to data security. She has a degree in IT security and is working toward CSSA certification. When she is done, she is hoping to put her education to use in the government sector, where she feels it might be the most valuable. Jamie lives in the tech-friendly city of San Francisco.
About Jakk: Jakk Ogden is a professional self-employed blogger and the founder / owner of Technology Blogged.