For years, small businesses were an unlikely target for sophisticated cyber attacks. Anonymity and smallness, it was thought, would provide a level of security in and of itself. Not anymore! In 2012, a report from Symantec found that attacks on small businesses had increased 300 percent from the previous year. And that trend has shown no signs of slowing down. The reality is that most small and medium businesses (SMB) are attractive targets because they tend to be less secure and automation allows modern criminals to mass produce attacks very cheaply.
Why Prey On Small Businesses?
Well... in part because SMBs are much more interconnected now. Instead of a simple e-mail account and website, they have much more complex networks that involve on-premises, mobile, and cloud connections with customers and partners. And the data generated by all that is what’s attractive to criminals. Because larger enterprises themselves have become better defended, attackers are looking for a way in any way they can. SMBs are often viewed as a point of entry into the larger enterprises they partner with. They’re more a means to a larger end than the ultimate target themselves. Indeed, when Target had its massive security breach in late 2013, hackers gained entry to Target’s network using login credentials stolen from Target’s HVAC vendor. So, while you may not think your agency’s data is all that enticing, if it can in any way help an attacker gain access to a larger organization you partner with, then it’s pure gold - and must be protected as such. To think otherwise is to invite a great degree of financial and reputational risk.
Attacks against small businesses are on the rise because, quite frankly, they’re easier targets. Larger enterprises are better defended than ever. And while they’re a bigger potential payoff, the amount of skill required has risen dramatically. As a result, crooks are moving downstream to the low-hanging fruit - small and medium businesses. Unlike larger enterprises, small businesses generally don’t allocate the time, budget, or expertise toward security. When we first engage a client, we’re used to seeing cheap consumer-grade networking equipment like you’d find at Best Buy - which provides virtually no protection at all. In one case, we talked to a firm that was using a poorly configured consumer-grade router whose firmware hadn’t been updated in a couple of years. Hackers had managed to bypass this cheap $100 router and helped themselves to $500 worth of international long-distance calling because they found an equally out-of-date PBX (phone system) on the network. We explained to them that they got off easy. Even though they were still out the $500 plus all of the time and hassle with the phone provider trying to get it sorted out, it could have been much, much worse. They just hadn’t been educated on the importance of investing in proper network security. When they signed on with us, the first thing we did was install business-grade networking components configured according to best practices - and then ensure they’re updated regularly.
They Also Want Your Money
Small business owners open their business checking accounts with the mistaken belief that it is covered by the same fraud protections that apply to their personal checking accounts. WRONG! Federal regulations that protect financial accounts from fraud cover only personal accounts - not business accounts. So if a cybercrook manages to gain access to your account, you’re almost guaranteed to be out of luck in getting the bank to give your money back. The internet is littered with stories of small businesses that have been wiped out because their business checking account was compromised and the bank refused to cover the loss. For the most part, the only way the bank will cover the loss is if you can show that they didn’t provide commercially reasonable security or if they should have reasonably been able to spot the fraudulent activity. Yeah, good luck with that.
How Can You Protect Yourself?
We always advise clients that with the right combination of time, talent, and motivation, a hacker can breach any system. So you need to make it more expensive and time-consuming for the crooks so they’ll move on to easier targets. Here are some steps that go a long way toward keeping out the riff-raff...
- Use business-grade devices and keep them updated. All the time, we see businesses with cheap network gear and we cringe because we know it just doesn’t provide any protection. And even business-grade gear needs updating as new threats are uncovered and patched.
- Keep your Macs updated - both operating system and apps. It seems like every couple of days Adobe has a new update for Flash - because a new security hole was found. All vendors regularly release updates that fix critical flaws in their software that would otherwise let hackers gain access. We use tools and processes to make this easy for our clients.
- Implement policies that lay out what’s OK and what isn’t. If you don’t inform your staff what is and is not acceptable online behavior and how data should be shared & restricted, then they’re going to make up their own rules. When it hits the fan, the last thing you want to hear from an employee is “Was that wrong?”.
- Limit access to data based on need-to-know. Too often we see agencies where everyone has access to everything. This is fine for things like jobs, design files, and such. But not everyone needs access to financial and strategic information.
- Talk to your insurance agent. Just like the commercial says, it’s important to know the gaps in your coverage. Most business owners assume that their general liability or professional liability policies will cover them in the case of a cyber attack. Most likely, this isn’t the case. Talk it over with your agent.