Too big to ignore: SMBs confronting today’s cybersecurity threats

July 7, 2014
No matter the size of a business, cyber criminals are working overtime to find a way to get in

Ever get that feeling you’re being watched? In simpler times, you might have been labeled paranoid. But these days you’re probably right. No matter the size of your business, cyber criminals are working overtime to find a way to get in. They’re trying to steal your money, your data, or your access. Think you’re too small to be on their radar? Think again. If you have a bank account, you’re a target.

The threat of being compromised by cyber crime looms larger every day. If you’re not thinking about it, you’re among the most vulnerable. Fortifying your cyber security posture should be seen as an essential part of doing business, like balancing the books and managing employees. The threat matrix is constantly mutating; the volume of intrusions is increasing, but attacks are also becoming more sophisticated and targeted.  Until recently, the supposed solution was to build an impenetrable perimeter around your digital infrastructure and network assets, throwing up firewalls and the like in an attempt to keep out the bad guys.

Unfortunately, your employees are no longer operating behind the cosseted confines of the corporate firewall. More often than not, they work on a mobile device that leaves the office with them. They stay connected through various Wi-Fi points, most of which are less than secure, and some of which may be hacker traps. Traditional perimeter security measures can’t cover those remote and mobile users, leaving the organization’s data and assets at tremendous risk.

Most of the cyber attacks that make the news are about big dollars and big players – eBay, Lowe’s, and Target, not to mention those devious Chinese generals. Large commercial and government organizations supposedly have the capabilities, staff and resources to buy the latest security products and get them to work together to fend off attacks and root out intruders. SMBs are just beginning to acknowledge the reality that they are faced with exactly the same cyber security challenges as their larger counterparts, and must defend their assets even though they have smaller IT budgets and teams.

The security industry has let SMBs and SMEs down. Their incentives are clear: call out and create urgency around the latest security threat, produce a targeted solution to address the problem, and sell it at premium prices to the large organizations with the resources to implement it.  Obviously, this model is not accessible or sustainable for SMBs. They are left to fend for themselves, which is frightening when you consider that small business accounts for nearly 50 percent of the US GDP. The more SMBs stick their head in the sand, the easier they are to prey on.

You must become more aware of the nature of threats you are facing. Assuming you are too small a target to be of interest to online thieves is no way to protect your hard-earned assets and customers.  The National Cyber Security Alliance (NCSA) has warned that one-third of all cyber-attacks now target SMBs, and of those small businesses that experience an attack, 60 percent will close within 6 months. Criminals targeting SMBs aren’t as interested in stealing intellectual property and trade secrets – they’re going straight for the cash. They may trick you into paying them money, steal it from your customers by obtaining their credit card data, or drain it straight from your bank account (and don’t assume you’re insured against this type of loss).

However, because they are often connected to larger enterprises through supply chains and outsourced service contracts, vulnerable SMBs can also be targeted by sophisticated cybercriminals looking for a way to tunnel into more protected targets. The recent breach at Lowe’s, for example, was traced to a single unsecured back-up system at a small driver safety business that was a third-party vendor for Lowe’s human resources management.

Currently, the major threats to SMBs are ransomware and Trojan horses. Ransomware encrypts files on the computers it infects and demands a ransom to decrypt the files; if a victim does not have the data properly backed up elsewhere, they often cave and pay the ransom. An international law enforcement operation recently cracked down on one such scheme, dubbed Cryptolocker; the FBI estimates that over $27 million in ransom money was handed over to an international cybercrime ring in the first two months, and that at least 234,000 computers have been infected. One big bust will not eliminate the threat; ransomware attacks have increased an estimated 500 percent over the past year.

Trojan horses are delivered through email or malicious websites; they are the first stage of an attack. After silently gaining entry to your system, they download spyware or bots and begin stealing data and damaging systems. Small and midsize businesses already know that their people are their biggest asset, and they can also be a strong line of defense. Train your employees to recognize social engineering attacks. In addition to planting Trojan horses, cybercriminals can trick employees into handing over sensitive data to an imposter, or providing a point of entry via social media accounts.

You should be alarmed—even the federal government is paying close attention to SMB vulnerability. The Department of Homeland Security is actively urging the cybersecurity industry to provide broadly scalable and affordable solutions for SMBs. They are also encouraging SMBs to get smart and start implementing standard best practices to secure critical systems and address their weakest points. Taking a few basic precautions will go a long way. For example, only access your bank account from one endpoint, and don’t use that device for other activities.  Make sure your passwords are robust, change them frequently, and use multi-factor authentication whenever possible. Back up and encrypt your critical data, and ensure that access is limited to essential employees. Put acceptable use policies into place, monitor your employees’ online behavior, and follow up with training and enforcement.

Finally, look for a security solution that fits the capabilities and resources of your company. If you don’t have a dedicated IT staff, you need a solution that is simple to set up, run, and monitor. Automated controls are key; a robust solution includes the ability to limit which applications can be run by your end-users, enforcing your acceptable use policies immediately, so you are focused on business instead of playing cops and robbers.

A flexible, comprehensive solution doesn’t require an upfront investment in hardware, software, or professional installation. For example, a multilayered cloud-based security solution will cover your essential security needs with a single solution from a single vendor. These solutions are priced per user, so they will scale with your business. The protection they offer is constantly updated to cover ever-mutating malware and vulnerabilities, is globally available, and incorporates all the digital points and platforms on which you do business, including web sites, email, laptops, tablets, and smartphones.

About the Author:

Paul Lipman is the Chief Executive Officer of iSheriff