As money and corporate information have morphed from hard currency and blueprints to digital files, small and midsized businesses have become the new banks to rob. In fact, bank robberies across the U.S. have plummeted from 9,400 in 1991 to just 3,870 last year. As Doug Johnson of the American Bankers Association puts it: "As more and more transactions become electronic, more bank crimes become electronic."
Look at it from the criminals' perspective: why risk getting arrested breaking into an engineering company or, worse, shot sticking up a bank when you can sit in an ergonomic office chair with an espresso on your desk and music in the background while plundering small companies thousands of miles away?
"Small and medium businesses are being targeted at an alarming rate," says Brian Burch, Symantec's vice president, Consumer & Small Business Segment Marketing. SMBs are easy targets primarily because "they don't believe they have the public visibility of bigger companies so they don't believe they are in the gun sights of the bad guys. As a result, SMBs do not put the needed effort into securing their businesses. Further, even if they want to, smaller companies tend not to have the funding, staff or knowledge needed to formalize let alone maintain more secure policies and procedures all combining to make them the path of least resistance . . . and the bad guys have discovered this."
The numbers bear out this alarming trend.
"It began in 2011, when attacks on companies with less than 250 employees shot to about 18% of all targeted attacks; then in 2012 the number jumped to 31%," says Burch, referring to statistics found in Symantec's latest Internet Security Threat Report.
According to TrendMicro, cybercriminals unleash a new threat targeting SMBs every second. And, according to the 2012 Data Breach Investigations Report by Verizon's RISK Team, 96% of companies subject to PCI DSS (for credit card processing security) had not achieved compliance. That's a lot of SMBs with merchant card accounts leaving their digital cash registers open.
Another attraction to cybercriminals is the sheer number of targets. In the U.S., there are about 23 million SMBs, 52% of which are home-based. And, even in this slow economy with weak new business start numbers, there are more than 500,000 new SMBs launched every month. Then add another 20 million in the E.U. and even more in Asia.
Furthermore, criminals increasingly look at SMBs as part of the supply chain of a larger company that they want to raid. By penetrating an SMB with an established communication path into the larger company, cybercriminals can often bypass much of the larger firm's more sophisticated security. The SMB, unknowingly, becomes a kind of Trojan horse.In a frightening example from 2009, China purportedly wanted access to Lockheed Martin but could not breach the company's walls. However, by penetrating a smaller defense contractor, they were able to make their way in and steal blueprints for the joint strike fighter planes F-35 and F-22 worth more than $1 trillion.
How cyberattackers are attacking SMBs
Just as the goals of cyberattackers have evolved, so too have their methods. Down in numbers are the broad-based malware attacks and up are the more targeted forms including ransomware, mobile malware, website-based attacks and brute-force attacks.
Ransomware is the newest tool in the cybercriminal's kitbag. After finding a way into a system within a company the program either locks the user out or uses an embarrassing tactic to jolt the owner into action. A pornographic image might be displayed on the screen or the computer's webcam might be turned on showing a live video feed giving the idea that they are being watched.
In other cases a message will appear claiming to be from the FBI stating that the system is being used for illegal activities and that a fine must be paid. To regain use of the system, remove the porn, turn off the webcam or pay the fine, a fee of around $100 to $400 is demanded. In many cases the criminals can make hundreds of thousands of dollars per day because SMBs, desperate to remove the problem, pay the fee and seldom report the theft.
Symantec's report also cited a 58% increase of mobile malware. And, according to Kaspersky Security Bulletin 2012, 6,300 new mobile malware samples appear every month and the number of known malicious samples for Android increased more than eight times. Trojans, the bulk of the threats, drain victim's mobile accounts by sending SMS texts to premium-rate numbers, install malicious programs or steal personal data.
Brute-force attacks, where botnets are employed to break passwords, made big news recently when WordPress which powers some 64 million websites worldwide was attacked by a botnet of tens of thousands of individual computers. In these attacks, systems run through lists of passwords, words, or characters (letters, numbers and symbols) until gaining access to the victim system. Wordpress is a favorite target for criminals because they can enjoy the economy of scale by figuring how to exploit one program that is used by such a vast number of targets, in this case, SMBs.
Web attacks are up 30%. As Symantec's report states, "Many of these attacks may have originated from the compromised websites of small businesses. Such compromised sites are being used in targeted watering hole' attacks where the weak security of one entity is leveraged to defeat the strong security of another. One such attack infected 500 organizations in a single day."
Burch adds that "when a large company is attacked it is terrible. When a small company is attacked it is often a death knell." He added that Symantec has partnered with the National Cyber Security Alliance because "of the worry that there's just not enough awareness, there's not enough education taking place inside these companies, there are not enough formal policies that help govern the Internet connectivity activity".
What hosting companies are doing
What are hosting companies doing to protect the online presence of the tens of millions of small businesses while they unsuspectingly go about their business of making pizza, preparing legal briefs, or manufacturing widgets? Todd Redfoot, Chief Information Security Officer (CISO) at Go Daddy, says the hosting company watches the security of its own website, as well as the security of every hosting customer.
"We monitor what's going on out there in the world because we have to assume, from a security perspective, even if it's not happening here yet it's probably about to." When the security response team discovers that a client site is at risk they will proactively notify them, often before the customer is aware that they have suddenly become a target.
In addition, Go Daddy and other large hosting providers have teamed up to form the Hosting Security Forum with vendors sharing sightings. Members include Media Temple, Lunar Pages, Network Solutions, WordPress, Trend Micro, DreamHost, DemandMedia, Go Daddy, Blue Host and Parallels. The Forum increases the number of eyes-on-the-net, dramatically increasing the ability to identify cyber threats.
Redfoot also recommends that SMBs pay attention to password security. He recommends that passwords should be difficult to guess and not in the dictionary. Ideally a combination of upper and lower case letters, numbers, and special characters should be used. And, change your passwords regularly.
What if your SMB is attacked?
So, what do you do when your SMB is robbed through a cyberattack? Burch says to call your local police and ask for cybercrimes. "Law enforcement is becoming very sophisticated about cybercrime. They are organizing, they are investing in their own IT systems, and they are linking together local and national centers like DHS and FBI." To learn more about how small and midsized business can step up their security visit the Department of Homeland Security's Stop.Think.Connect website.
Smith is president of Alexander LAN Inc., a freelance consultant and writer in IT. He can be reached at [email protected].
Read more about wide area network in Network World's Wide Area Network section.