Cyber attacks are on the rise, leaving large and small companies increasingly vulnerable to targeted attacks. While the world’s largest companies are better equipped for handling and mitigating attacks, small and medium-sized firms with a weaker security infrastructure remain easy targets for hackers.
The weaker security levels of small businesses, says Chiranjeev Bordoloi in “Why Hackers Love Breaking Into Small Businesses’ Email,” leave potential “gateways” open, allowing hackers to infiltrate the more sophisticated networks of corporate powerhouses. “If it takes days to penetrate a sophisticated corporate network and only minutes to penetrate a small business, they will pursue the path of least resistance,” says Bordoloi. “Once the small business network has been compromised, they can use that company’s trusted partner relationship with a large corporation to launch an attack or conduct corporate espionage activities.”
Small businesses are increasingly the focus of cyber attacks by hackers phishing for account information, credit card numbers, Social Security numbers and other security susceptibilities. Bordoloi explains:
“Criminal hacking works in many ways, but one of the more popular methods involves using hundreds of computers to form a cyber-army that can be controlled from one location to launch a cyber-attack. This is called an illegal botnet. If one hacker can penetrate ten small businesses with only ten computers each, suddenly he can have 100 computers working at once, trying to exploit weaknesses in multiple corporate networks.
Another way cyber-criminals use small businesses for corporate espionage is by utilizing document and e-mail exchanges between small businesses and large corporations that exploit vulnerabilities.”
The evidence shows that when smaller businesses are hit by cyber attacks, the results can be disastrous. In the US, of the 40 percent of attacks aimed at businesses with fewer than 500 employees, some 60 percent closed their doors as a result, according to a 2011 Symantec report. In the UK, a 2013 government Information Security Breaches survey found that a whopping 87 percent of small businesses across sectors had been attacked within the last year, costing the average firm between £35 thousand and £65 thousand in damage for the worst breaches.
However, attacks and security threats can also come from unsuspected places. According to George Westerman, a research scientist in the MIT Sloan School of Management’s Center for Digital Business and co-author of IT Risk: Turning Business Threats Into Competitive Advantage, in Forbes, some 40 percent of security breaches are committed by in-house employees. “Some are disgruntled workers or ex-workers; some are serious bad guys. But often it’s people doing things they don’t even know are unsafe.”
Westerman recommends three guidelines for small business managers to follow to better protect their companies, including training employees to identify IT risks and creating clear policies on the use of technology, such as personal devices and strong passwords. And he says not to be afraid to relate the horror stories of serious security breaches to employees.
“Use vivid examples so they get it,” Westerman says. “In 2011, for instance, Condé Nast received an email that appeared to have been sent by its printer requesting that payment be sent to a different account. The magazine publisher lost nearly $8 million before learning that its printer had never changed its banking information and hadn’t received any of the money.”
Once policies have been put in place, it’s critical to routinely check that they are being followed. “Run low-cost phishing experiments—it’s amazing how many people still click on URLs in emails purporting to be from the email administrator, the CFO, or their bank,” says Westerman. “Occasionally audit computers and network log-ins for suspicious activity. Check peoples’ desks for passwords and other sensitive information.” He also says that accountability is important, and that consequences must be established for those who fail to follow the policies.
And although small companies don’t have “armies” of security specialists, Westerman emphasizes the need to appoint someone to take responsibility for the role. This doesn’t necessarily require a major investment. “Leading security doesn’t have to be a full-time job, but it must be part of someone’s,” says Westerman. “You may need to invest in training or hire part-time consultants to help your security person get up to speed. Then be sure you give them attention and support when they want to make a change.”
Unless they focus more on security, small firms will continue to be inordinately more susceptible to cyber attacks than larger corporate entities. As Westerman notes, “When it comes to security, being small is not a protection. It doesn’t take a lot of investment to put basic protections in place. But it does take attention and effort. Start now to protect your company, your employees, and your customers.”
Heather Turner is a writer based in London who has worked in the fields of print and broadcast journalism, PR and film. Turner moved to London in 2009 from the rural Ozark Mountain region of Missouri to pursue a B.A. in Mass Communications and to gain more hands-on experience in film and marketing. She currently writes about trends in digital media and maintains a blog in her spare time on subjects including politics and media criticism.