Video Screencast Help
Security Community Blog

Does ‘Small’ Have To Mean ‘Vulnerable’?

Created: 24 Nov 2013 • Updated: 24 Nov 2013
Philip Routley's picture
0 0 Votes
Login to vote

“What’s the worst that could happen?” It’s one of those hackneyed phrases we’ve all grown tired of. But for small businesses, when it comes to cyber-crime and the threat it poses to commercial success and maybe even survival, this is exactly the sort of question you seriously need to ask yourself.

Small businesses are increasingly the prey of choice for clever, callous, determined cyber-criminals worldwide, with a rising tide of firms paying a crippling price for not putting effective defences in place. Take the firm that had key financial data locked by a ‘ransomware’ attack and caved in to a demand for $3000 to release it – a hefty bill no doubt compounded by the cost of business downtime, system clean-up, damaged reputation and the sheer trauma of this sorry saga. Or take the firms that found their customer records frozen, with unbreakable encryption making it impossible to pinpoint how the malware used in the attack had achieved its break-in.  

The brutal truth is that more small businesses are falling victim to a whole array of secret-stealing, data-freezing, brand-busting, efficiency-crushing cyber attacks. In 2012, over 30% of all targeted malware attacks – which overall saw growth of more than 40% during the year – were fired at companies with fewer than 250 employees.*

Make no mistake: individual small firms are being coldly and clinically targeted by the criminals behind these money-spinning assaults. In today’s cyber battlezone where almost any confidential data can be turned to criminal profit, no business can claim that it’s “too small to attract attention” or has “nothing worth stealing”.     

THE HOW AND THE WHY

There are two key reasons why small businesses are being targeted like this. Firstly, the faceless cyber-gangs that harness the internet for criminal ends know smaller firms tend to have modest IT budgets – which often translates into lack of expertise and of technical tools capable of keeping malware out and confidential data in.

Secondly, cyber-criminals eyeing up bigger prizes – such as major multinationals with confidential data and trade secrets worth a potential fortune on the shadowy but flourishing black market for sensitive information – know a frontal assault on these well-defended organisations is likely to come up short. But by infiltrating and infecting smaller businesses that populate supply chains, they could find an ideal stepping stone or back door into big businesses’ IT systems and treasure troves of lucrative data.

But even more important than the ‘why’ is the ‘how’. Getting to grips with cyber-criminals’ tactics is an essential first step to standing firm in the face of the threat. And the first key point to be absolutely clear on is that any employee and any device could potentially be the weak spot that offers them a way in.

Crucially, the bad guys aren’t simply intent on exploiting technical weaknesses – lack of up-to-date virus defences, unpatched vulnerabilities in operating systems, browsers and software programs etc. – in order to get rogue programs onto your machines and networks.

They’re also expert in probing psychological vulnerabilities: perhaps ‘grooming’ an employee with emails from fake accounts or phone calls from an equally fake ‘potential client’, then luring them into clicking on an infected attachment; or using a carefully crafted email to entice an unguarded click on a link to a website loaded with malware; or seeding popular websites with malware and sitting back to await the inevitable outcome – in 2012, one such ‘watering hole’ attack infected 500 organisations in a single day.

And the threats have a behavioural dimension too, often exploiting the more relaxed, less sceptical mind-set that accompanies use of smartphones and other mobile devices. In 2012, a third of all mobile threats were specifically designed to steal data.      

STOP THE FIRE STARTING  

So if small businesses are increasingly under fire from cyber-criminals, what can you do to dowse the flames or even prevent them flaring up in the first place?

·           First, heighten awareness among each and every one of your employees not just about cyber-criminal tactics but also about the dangers of risky behaviours – especially the ill-judged click on an attachment or weblink from a suspicious or unknown source. The mantra ‘think before you click’ needs to be reinforced by a recognition that the very best defence against cyber-crime is usually to assume the worst.

·           Second, implement a vigorous, rigorous, relentless patching and updating strategy to protect servers, software etc. and eliminate the vulnerabilities that malware is designed to exploit.

·           Third, ensure your business has effective backup and recovery capabilities in place for all key systems and all key data. For small businesses operating in competitive and often cut-throat markets, downtime simply isn’t an option.

·           Finally, set up defences that comprehensively combat internet-borne threats. Geared specifically to the needs of small businesses, Symantec Endpoint Protection Small Business Edition 2013 delivers benchmark protection against viruses and other malware targeting your business. Similarly, Norton Mobile Security is the high-level sentinel you need to ensure smartphones, tablets and other mobile devices aren’t the missing brick in the protective wall you build around your business. For a free trial or demo of these proven, affordable, market-leading solutions, click here and here

Taking these four steps to better security will help any small business punch well above its weight in the face of cyber-crime. Because small really doesn’t need to mean weak. And it certainly doesn’t need to mean vulnerable.

* All statistics are taken from the Symantec 2013 Internet Security Threat Report