- Small Business Trends - https://smallbiztrends.com -

Top Five Small Business Internet Security Threats

Editor’s Note: A key trend coloring the world of small business is how our computers have transformed into critical business systems that we cannot function without. But don’t think your computer systems are safe from attack because it “won’t happen to my business.” In fact, it could. Ron Teixeira, Executive Director of the National Cyber Security Alliance [1], outlines the top five computer threats that small businesses may face and what to do about them, in this guest article.

By Ron Teixeira

Over the past two years, there have been a number of high-profile data breach cases involving major corporations. While this may give the perception that only large corporations are targeted by hackers and thieves, the reality is that hackers are increasingly targeting small businesses because they usually do not have the resources or know-how that large corporations do.

However, that does not mean small businesses need to spend a large sum of money and resources to protect themselves from the latest threats. In fact, according to a recent Symantec Threat Report, 82% of data loss or theft could have been avoided if the business had followed a simple cyber security plan.

In order to begin developing a cyber security plan, you must understand the Internet threats and how protecting your business from those threats directly affects your bottom line. To that end, the National Cyber Security Alliance, whose partners include the Department of Homeland Security, the Federal Bureau of Investigation, Small Business Administration, National Institute of Standards and Technology, Symantec, Microsoft, CA, McAfee, AOL and RSA, developed a list of the top five threats your small business may face on the Internet, business cases on how those threats can hurt you, and practical measures you can take to avoid these threats.

Here is a summary of the top five threats:

Read on below for more information and detailed advice about how to protect your computer systems —

1. Malicious Code (Spyware/Viruses/Trojan Horse/Worms)

According to a 2006 FBI Computer Crime Study, malicious software programs comprised the largest number of cyber attacks reported, which resulted in an average loss of $69,125 per incident. Malicious software consists of computer programs that are secretly installed on your business’s computers and can either cause internal damage to a computer network, such as deleting critical files, or be used to steal passwords or unlock security software in place so a hacker can steal customer or employee information. Most of the time, these types of programs are used by criminals for financial gain through either extortion or theft.

Case Study:

A northeast manufacturing firm captured contracts worth several million dollars to make measurement and instrumentation devices for NASA and the US Navy. However, one morning workers found themselves unable to log on to the operating system, instead getting a message that the system was “under repair.” Shortly after, the company’s server crashed, eliminating all the plant’s tooling and manufacturing programs. When the manager went to get the backup tapes, he found they were gone and the individual workstations had also been wiped out. The company’s CFO testified that the software bomb had destroyed all the programs and code generators that allowed the firm to customize its products and thus lower costs. The company subsequently lost millions of dollars, was dislodged from its position in the industry, and eventually had to lay off 80 workers. The company can take some solace in the fact that the guilty party was eventually arrested and convicted.


2. Stolen/Lost Laptop or Mobile Device

Believe it or not, stolen or lost laptops are one of the most common ways businesses lose critical data. According to a 2006 FBI Crime Study [2] (PDF), a stolen or lost laptop usually resulted in an average loss of $30,570. However, a high-profile incident, or an incident that requires a company to contact all its customers because their financial or personal data might have been lost or stolen, can result in much higher losses due to loss of consumer confidence, damaged reputation and even legal liability.

Case Study:

Last year, a Department of Veterans Affairs employee took home a laptop that contained the medical history of 26.5 million veterans. While the employee was not home, an intruder broke in and stole the laptop containing the veterans’ data. In the end, the laptop was recovered and the data was not used; however, the VA had to notify 26.5 million veterans of the incident, resulting in Congressional hearings and public scrutiny. This phenomenon is not limited to the government; in 2006 there were a number of high-profile corporate cases involving lost or stolen laptops that resulted in data breaches. A laptop containing data on 250,000 Ameriprise customers was stolen from a car. Providential Health Care Hospital System had a laptop stolen, which contained thousands of patients’ medical records.


3. Spear Phishing

Spear phishing describes any highly targeted phishing attack. Spear phishers send e-mail that appears genuine to all the employees or members within a certain company, government agency, organization, or group. The message might look like it comes from an employer, or from a colleague who might send an e-mail message to everyone in the company, such as the head of human resources or the person who manages the computer systems, and could include requests for user names or passwords.

The truth is that the e-mail sender information has been faked or “spoofed.” Whereas traditional phishing scams are designed to steal information from individuals, spear phishing scams work to gain access to a company’s entire computer system.

If an employee responds with a user name or password, or clicks links or opens attachments in a spear phishing e-mail, pop-up window, or Web site, they might put your business or organization at risk.

Case Study:

A medium-sized bicycle manufacturer, whose bikes were used in well-known races, relied heavily on email to conduct business. In the normal course of a business day, the company received as many as 50,000 spam and phishing emails. As a result, the company installed numerous spam filters in an attempt to shield employees from fraudulent emails. However, many fraudulent emails still got through to employees. In one case, an employee received a “spear phishing” email that looked like it came from the IT Department and asked the employee to confirm the “administrator password.” Luckily for the company, when the employee asked the line manager for the “administrator password,” the manager investigated further and realized the email was a scam. While this example didn’t result in a financial loss, it could easily have, and is a common problem for all businesses.


4. Unsecured Wireless Internet Networks

Consumers and businesses are quickly adopting and implementing wireless Internet networks. According to an InfoTech Study, wireless Internet network penetration will reach 80% by 2008. While wireless Internet networks give businesses an opportunity to streamline their networks and build out a network with very little infrastructure or wiring, there are security risks businesses need to address when using them. Hackers and fraudsters can gain entry to businesses’ computers through an open wireless Internet network and, as a result, could steal customer information and even proprietary information. Unfortunately, many businesses don’t take the necessary measures to secure their wireless networks. According to a 2005 Symantec/Small Business Technology Institute Study, 60% of small businesses have open wireless networks. In addition, many other small businesses may not use strong enough wireless security to protect their systems. Not properly securing a wireless network is like leaving a business’s door wide open at night.

Case Study:

According to news reports, hackers pulled off the “biggest data breach ever” through a wireless network. A global retail chain had over 47 million customers’ financial information stolen by hackers who cracked through a wireless network that was secured by the lowest form of encryption available to the company. In 2005, two hackers allegedly parked outside a store and used a telescope wireless antenna to decode data between hand-held payment scanners, enabling them to break into the parent company’s database and make off with credit and debit card records of nearly 47 million customers. It is believed the hackers had access to the credit card database for over two years without being detected. Instead of using the most up-to-date encryption software, Wi-Fi Protected Access (WPA), to secure its wireless network, the retail chain used an old form of encryption called Wired Equivalent Privacy (WEP), which according to some experts can be easily hacked in as little as 60 seconds. Currently, this security breach has cost the company $17 million, and in particular $12 million in one quarter alone, or 3 cents per share.


5. Insider/Disgruntled Employee Threat

A disgruntled employee or an insider can be more dangerous than the most sophisticated hacker on the Internet. Depending on your business’s security policies and password management, insiders may have direct access to your critical data, and as a result can easily steal it and sell it to your competitor, or even delete all of it, causing irreparable damage. There are steps and measures you can take to prevent an insider or disgruntled employee from getting access to key information and damaging your computer networks.

Case Study:

A former employee of a company handling flight operations for major automotive companies deleted critical employment information two weeks after he resigned from his position. The incident caused around $34,000 in damages. According to reports, the employee was upset about being released by the company earlier than he had anticipated. Allegedly, the company’s firewall was compromised and the perpetrator broke into the employee database and deleted all the records. Statements from the company indicate that the disgruntled former employee was one of only three people who knew the log-in and password information for the firewall that protected the employee database.


There are a number of ways your company can protect itself from insider or disgruntled employee threats:

* * * * *
About the Author: As the executive director of the National Cyber Security Alliance (NCSA) [3], Ron Teixeira is responsible for the overall management of cyber security awareness programs and national education efforts. Teixeira works closely with various government agencies, corporations and non-profits to increase awareness of Internet security issues and to empower home users, small businesses and the education community with tools and best practices designed to ensure a safe and meaningful Internet experience.