Cyber attacks on small businesses continue to rise. And small businesses are vulnerable targets. That’s because small businesses are the path of least resistance for cyber criminals, according to a recent report by Internet security provider Symantec.
Symantec reports that companies with fewer than 250 employees were the focus of 31 percent of all cyber attacks in 2012. That’s a dramatic jump from 18 percent in 2011.
The “Internet Security Threat Report 2013” is the latest annual update on the state of cybercrime by Symantec, which has been issuing such reports since 2002.
The report notes, “While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses.”
A false sense of security is one reason small businesses may take less care. An earlier survey by Symantec discovered many small businesses believe they’re “immune” to a cyber attack. They believe no one could possibly stand to gain from cyber attacks on small businesses.
What Cyber Attacks on Small Businesses Seek
Hackers attack small businesses looking for customer data (such as credit card numbers), intellectual property and small-business bank account information.
Attacks often seek information small businesses have obtained from their customers through online transactions. Another example: hackers could plant malware software on a small business website. A customer or client visiting a compromised site then unknowingly shares their information with the hackers.
When targeting companies to attack or steal data from, hackers do not just target upper management. Attacks are frequently launched against every level of an organization. Knowledge workers, i.e., employees in roles such as research and development, as well as sales employees are the most targeted.
Ultimately criminals are seeking information or activity that they can make money from.
Cyber Attacks Move to Social Media and Mobile
Social media has become a frequent place for spam and phishing attacks aimed at collecting confidential information. Twitter, Facebook, Instagram, Pinterest, and Tumblr include some of the often-targeted places. Here’s the anatomy of one type of threat — suggesting you be careful what you click on in social media:
“Typical threats include fake gift cards and survey scams. These kinds of fake offer scams account for more than half (56 percent) of all social media attacks. For example, in one scam the victim sees a post on somebody’s Facebook wall or on their Pinterest feeds (where content appears from the people they follow or in specific categories) that says ‘Click here for a $100 gift card.’ When the user clicks on the link, they go to a website where they are asked to sign up for any number of offers, turning over personal details in the process. The spammers get a fee for each registration and, of course, there’s no gift card at the end of the process.”
Protecting your computers may not be enough, either. Attacks on mobile devices continue to increase as the devices become more popular. The Symantec report identifies a 58 percent increase in mobile malware from 2011 to 2012. Nearly one-third of those attacks also aim to steal information.
If all this news sounds worrisome, there was a bit of good news. Email spam is down. In 2010 spam was a whopping 89 percent of all emails sent. In 2012 spam accounted for just 69 percent. According to the report, better email filtering and law enforcement’s ability to shut down some spam bot networks has helped. However, social media spam has replaced some email spam. So the news may not be as positive as it first seems.
The report comes as a major piece of cyber security legislation is under debate in Washington, D.C. Large companies (targeted in about half of all cyber attacks) support the Cyber Intelligence Sharing and Protection Act (CISPA). But some privacy advocates worry that the price may be too high, fearing the proposed law would force surrender of too much data to government officials unless adequate restrictions are built in.
[Disclosure: Symantec has been a sponsor of this site and its events.]
So what are we to do?
Ha! That would require a book to answer. Like all of us you do the best you can. Take as many steps as you can:
– Insist that employees use strong passwords
– Don’t use the same passwords for multiple accounts, and change them frequently. Have a “password change” party some afternoon in your business. Bring in pizza and everybody changes their passwords.
– Make sure computers are protected by security protection. Scan regularly.
– You can also now purchase third-party security monitoring services for servers and networks. That’s something to consider instead of doing everything in-house because there’s no way you can keep up on everything. ISPs and independent scanning services (TrustGuard, Sucuri) are growing and there are more choices than a couple of years ago.
– While BYOD (“bring your own device” to use at work) is popular these days, companies should insist on knowing which devices first so your tech team can OK them.
You can do a lot, but you have to take it seriously and put in time and effort. Like John says, don’t treat it with contempt.
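The first three items on that list (strong passwords, no reuse, regular changes) are the kind of thing a small business can enforce with a few lines of code rather than a pizza party. The following is an added example written for this page, not code from the article, Symantec or any commenter. It checks a candidate password against a constructed policy (minimum length, character-class coverage, no reuse of recent passwords, rotation age); the policy numbers and sample passwords are assumptions for illustration, and the history is kept as SHA-256 digests only so this toy never stores plaintext.

```python
"""Password-policy checker (added example; policy values are constructed)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    min_length: int = 12      # assumed minimum length
    min_classes: int = 3      # of: lowercase, uppercase, digit, symbol
    history_size: int = 5     # how many previous passwords may not be reused
    max_age_days: int = 90    # assumed rotation interval


def _classes(pw: str) -> int:
    """Count how many character classes the password draws on."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def digest(pw: str) -> str:
    """Digest used for the reuse history in this toy. A production system
    would store a salted, slow hash (bcrypt/argon2), not plain SHA-256."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str],
                   policy: Policy = Policy()) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    `history` holds digests of previous passwords, oldest first.
    """
    problems: list[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _classes(candidate) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    recent = history[-policy.history_size:]
    cand = digest(candidate)
    # compare_digest avoids leaking timing information about the history.
    if any(hmac.compare_digest(cand, h) for h in recent):
        problems.append("reused one of the recent passwords")
    return problems


def rotation_due(last_changed: date, today: date,
                 policy: Policy = Policy()) -> bool:
    """True once the password has reached the policy's maximum age."""
    return today - last_changed >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs.
    old = [digest("Pizza-Party-2013!")]
    for pw in ("Tr0ub4dor&3", "correct horse battery", "Pizza-Party-2013!", "Pizza-Party-2014!"):
        print(pw, "->", check_password(pw, old) or "ok")
    print("rotation due:", rotation_due(date(2013, 1, 1), date(2013, 4, 1)))
```

The check returns every violation at once rather than stopping at the first, which makes it straightforward to show an employee what to fix; the rotation check is separate because it depends on when the password was set, not on its content.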
Switching to Linux could be a good start since Linux is more secure than Windows. My business uses Linux Mint 13, has been running for 15 months and I’ve never had a problem with viruses or malware.
So, a company that sells security software warns the biggest market segment for its software that they are the most vulnerable. Nope. No conflict of interest there. Fact is, with organisations such as ASIO, DOD, NASA telling us regularly that even they can’t protect their systems and data, what chance does small business have really? And Peter, Linux won’t protect you from a targeted attack. Furthermore, do you use websites that require Java? Or have Acrobat Reader installed? How about a Flash Player plugin???
Small businesses don’t listen to and treat IT with contempt, so this is the result. Hopeless backups, hopeless security (one I worked for renamed the desktop icon for their main business program to the password to access said program). Taking the cheap route at every turn, e.g. RDP forwarding rather than a proper VPN solution. They basically reap what they sow. Very little sympathy.
Hi John, That’s unfortunate that some act so recklessly, but I wouldn’t say that all or even most small business owners treat IT with contempt. Just the opposite — I believe many are concerned and trying to learn, and feel their IT staff or outside IT providers are important to the business. And if they’ve ever tried to buy cyber risk insurance, they begin to appreciate the kinds of $$$$ potentially involved.
But put yourself in the business owner’s shoes. They’ve got a gazillion things to worry about every single day they get up and go to work. This is complicated stuff and they may not have enough knowledge to recognize what kind of behavior is risky. Education is a starting point. There are no easy answers, but as one of the other commenters said, you do the best you can.
I’m actually writing a paper on small business under cyber attacks. Very interesting report. I’m kinda surprised that 31% of ALL cyber attacks were against those small businesses with 250 or fewer employees, but it seems to make sense. Though, large companies like Microsoft and Google probably use their own proprietary security schemes, so it’s the small businesses that need to purchase software from vendors like Symantec…
I am an MSP in the Philadelphia market and see similar trends, with some small businesses taking shortcuts to keep costs/billable hours down and putting off infrastructure upgrades, such as strong firewalls.
MSPs need to lead the charge in developing a comprehensive toolkit that includes a best practices checklist for small business owners to follow. By making IT costs understandable, predictable and reasonable, small businesses will be able to understand their consultant and heed the advice.