Small businesses in cyberattack bull's-eye
- By Kevin Coleman
- Mar 28, 2012
Any business on the Internet is a potential target for cyber criminals seeking to infect computer systems, steal money or intellectual property and perpetrate their scams. Historically, cyber crimes have typically resulted in serious damage to the businesses they target. In fact, business management must realize that cyberattacks have resulted in companies going out of business.
A report by security experts at Symantec said small businesses and their owners are becoming a priority target for computer hackers. “Small businesses are very attractive because they have more money in a bank account than consumers,” said Kevin Haley, director of Symantec’s Security Response. “The volume of [cyberattacks] they are seeing has gone up in recent years,” Haley added. The “explosive growth” in the number of cyberattacks can be attributed to the fact that cyber criminals no longer need deep technical expertise to break into computers, he said.
So what are the cyber criminals after? The criminals attacking small businesses are looking to clean out their bank accounts, which could easily mean an end of their business. Ponemon published a study that found the median annualized cost of cyber crime for 50 organizations studied averaged $5.9 million per year. That has a direct effect on an organization’s bottom line. The cost ranged from $1.5 million to $36.5 million for each year per company. How many small businesses can absorb that cost? Not many.
More than 27 million small businesses in the United States generated 64 percent of the net new jobs during the past 15 years, and these organizations are responsible for 44 percent of total U.S. private payroll.
In a survey of U.S. consumers, 93 percent said it’s important to support the local small businesses they value in their community and 73 percent deliberately shop at small businesses in their community because they do not want them to go away. That translates to a target-rich environment when it comes to acts of cyber aggression.
One category of incidents concerns phishing. In January 2012, small businesses, government organizations and even online gamers were targeted by cyber criminals. The primary method of attack was phishing e-mail messages aimed at small business owners. The messages appeared to be a notice from the Better Business Bureau and claimed a customer had filed a complaint against the recipient of the message. If e-mail recipients clicked on one of the links, they were directed to the phishing e-mail and their systems were infected with malware.
Another category of incidents began in early June 2011 and involves website attacks. One gang has been using a uniquely insidious type of automated attack to inject malicious code on some 20,000 to 30,000 websites, many of them for small businesses. Profit-minded hackers were relentless and took control of their targets' websites to run scams. The method used to compromise these systems included hackers obtaining the user names and passwords for the administrator accounts of small business websites.
There are questions small business owners should ask themselves. The first is: How secure are my systems? You can’t plot your course ahead if you don’t know where you are; a security assessment should be conducted, and I recommend the assessment be based on the ISO 27000 standard. The second question is: What are your legal responsibilities, and could you be liable for the damage if your computers are used to attack others? With the answers to these questions, you can put together your plan to mitigate your risks.
The Defense Department and civilian agencies have great programs in place that support the use of small businesses for purchases. In fact, the military services and some defense agencies have small business specialists at most if not all of their procurement and contract management offices to support the use of small businesses.
Given the important role small businesses play in our economy and support of our military, making sure they are properly secured is a matter of national security.
Kevin Coleman is a senior fellow with the Technolytics Institute, former chief strategist at Netscape, and an adviser on cyber warfare and security. He is also the author of "Cyber Commander's Handbook." He can be reached by e-mail at: firstname.lastname@example.org.