If you are like millions of small-business owners in America, you probably can't imagine how a cybercriminal halfway around the world could possibly want to target little old you. After all, with so many large corporations out there in the big, bad cyberworld, your laptop or web server is hardly worth the bother, right?
"People expect targeted attacks to go after large enterprises, but the bad guys and the crooks don't really care where the money comes from," says John Maddison, senior vice president of software-as-a-service and managed services at the security firm Trend Micro, whose North American division is based in Cupertino, Calif. "If they've managed to get identity and credentials and information from a small business, they'll go after them as well."
The truth is that small businesses are increasingly becoming some of the most attractive targets today for enterprising cyberthieves. Take Support.com, for instance. The relatively small remote technical-support provider of about 600 employees finds its website under constant attack, says Mazdak Hashemi, head of technical operations at the company.
"Even though we're a small player, we're getting attacks from all over the world," Hashemi says. "We're not a big name that people hear about all the time, but apparently we have some interesting stuff that people are interested in stealing or abusing."
Security research shows that as large enterprises do more to lock down their infrastructure, less-secure small businesses become the low-hanging fruit for cybercriminals looking to cash in on stashes of intellectual property, unprotected credit card numbers or simply the computing power of unprotected computers. And as these bad guys hone their technological tool sets, they're building more and more automated attacks that make it easy to scan the Internet for unsecured small-business computers to infect, take over and plunder.
"It used to be that some businesses were small enough to not matter to attackers," says Paul Judge, chief research officer for Barracuda Networks in Campbell, Calif. "But with the volume of the attacks and the automation levels of the attacks, any business that is connected online needs to be prepared with proper security measures."
"Every day we see thousands of mom-and-pop websites being compromised," he says. "And it's not compromised in the traditional sense of 'graffiti' all over your site. Instead, your site still works, it looks fine--but the attackers are secretly infecting all of your customers as they visit the site. That can't be great for business."
Understanding the Infection Chain
The explosion in cybercrime comes down to one thing: money. Hackers have come up with thousands of ways to make money off of their fraudulent schemes.
"The biggest risk we're seeing right now is a lot of bank account fraud targeting SMBs," says Rich Mogull, a security analyst for the Phoenix-based firm Securosis, referring to small and midsize businesses. "We've seen cases where there have been fraud protections on the accounts, but once hackers find a set of credentials and log on to the bank website, they are still able to push that activity through."
Many of the malware threats circulating on the Internet are designed to collect user names and passwords from victims' computers, says Kevin Haley, director of Symantec Security Response, the security research arm of Symantec Corp., based in Mountain View, Calif.
Seven Technologies That Will Make Your Business Safer
1. Hosted e-mail security: Platform delivered through the cloud vs. an expensive on-site appliance.
2. Web/URL filtering: Blocks users from visiting malware-infected sites.
3. Reputation-based antivirus: Relies more on where malware comes from than on traditional signatures that flag already-known threats.
4. Patch and configuration management: Automates the updating of software to fill in security vulnerabilities that can be abused by attackers.
5. Web application vulnerability scanning: Looks through the web applications on a business site to find weaknesses through which the site can be infected.
6. Whole disk encryption: Protects lost laptops and devices from prying eyes, preventing costly data-breach notification procedures.
7. Web application firewalls: Filter out common attacks on an organization's vulnerable web applications. --E.C.
Malware has gotten so automated that all a bad seed needs is to figure out how to get an infection onto machines to open up a world of possibilities.
"I can do that by sending it in e-mail as an attachment, by putting it into peer-to-peer networks and making it look like the latest Taylor Swift MP3, or by breaking into a website and putting it in the code so that when somebody goes there and clicks on it, that website automatically downloads [malware] on their machine," Haley says.
Once malware takes root, the hacker controls the computer. A lot of the kits wait for the user to visit a banking or financial site and then automatically capture log-in information and send it back to the criminal, who can then use those credentials to wipe out an account.
An infected computer is also used for its computing power. The machine is often added to a vast network of remotely controlled robot machines--called a botnet--that can be used to send out even more bogus e-mails to infect and steal.
The real danger for small businesses attacked by hackers is that banks do not give them the same protections that they do for consumers.
"If you're a home user and you lose your bank account information, you're going to get a certain amount of coverage from the bank for your losses," Haley says. "But for small businesses, banks are not as generous. If a cybercriminal is able to get ahold of your bank account and empty it out, you are on the hook for all of that loss. And as a small business, if you have your bank account wiped out, more than likely your business is gone."
Small Businesses Floundering
Even though the losses can be fatal, many small businesses fail to do even the minimum to protect their livelihoods.
"What's alarming is how little recognition small businesses have that these are issues and that they need to do things to protect themselves," Haley says.
In a poll conducted among roughly 1,500 small businesses by Applied Research on behalf of Symantec, a full one-third of small businesses reported that they didn't even have antivirus software installed on their computers.
Even those that do tend to rely only on antivirus software, and perhaps basic network firewalls, to ward off the evils of the Internet. They're not enough.
"Adversaries have gotten smart enough to work around antivirus," says John Pironti, a security specialist active with ISACA, formerly the Information Systems Audit and Control Association, and president of IP Architects, a firm in Rowley, Mass. "They don't look at antivirus as something they can't defeat anymore. It's actually par for the course--every attack that's out there has a way of defeating antivirus."
Security experts agree that antivirus is a good tool to help root out well-known viruses and block known attacks, but they say businesses need other protections to block the countless new attacks that criminals hatch every day.
Similarly, firewalls are increasingly ineffective when used alone. Part of the difficulty is that so many organizations conduct business out of Starbuckses, hotel rooms and home offices that their computers operate more often outside the firewall than they do within.
Clearly, small businesses need to break their mind-sets about what security should look like. Security experts say smaller organizations need to protect themselves better where they are most vulnerable.
"SMBs today are mostly exposed to two primary attack vectors," says Gerhard Eschelbeck, chief technology officer at Boulder, Colo.-based Webroot. "One of them is around the web--the web is probably the biggest security challenge for SMBs today--and, two, companies are exposed to e-mail threats."
Most small businesses are hit when employees visit a compromised website, either on their own or from a link served up by a phony e-mail offer.
"The most successful attacks I see aren't the ones with the most elegant, really super-cool Mission Impossible-type technology," Pironti says. "It's usually just someone sending a fake e-mail that says, 'Click here to win some cash.'"
According to Eschelbeck, statisticians have figured out that roughly 1 percent of users who receive these e-mails will click on them.
"They're sent to a site that either has malware that compromises the computer or the browser," he says. "From that point, that infected computer can be used as a way to attack more computers within the company network, steal information and essentially take control over a whole company's computers."
Jimmy Fuller can attest to the damage that malicious e-mail can wreak upon a small organization. When he took over as IT manager for Virginia Community Bank three years ago, the 100-person financial institution was rife with viruses and security problems.
"The tellers and the CSRs and managers pretty much had free rein to go wherever they wanted to online," he says. "It was a big problem."
Fuller has worked hard to get the issues in check, but it's a constant battle--considering he is the entire IT department and attackers usually barrage the institution with about 1,000 e-mails per day.
"Most of it is spam and spoof e-mails," he says. "We have spoof e-mails coming from other banks to our employees asking for account numbers to accounts that don't exist," Fuller says. "They're getting worse and worse all the time--and trickier, too."
Turning the Tables
So what's a small-business owner to do? IT security should start with the least technical step: a risk assessment.
"There are some basic things you should be asking yourself," says Haley of Symantec. "'How many people have access to the online banking? Are they doing other things on their computers? How am I protecting those machines? Do I store credit cards as a part of my business? If I am, then how am I protecting those?'"
You also need to figure out what's at stake. Beyond the all-important bank log-in information, determine what data are most important to your business and would hurt you most if stolen. Customer information and intellectual property typically top this list.
"The first thing to do is understand that not all data is created equally," Pironti says. "Don't try to apply security the same way everywhere and don't make huge, random investments and hope you'll make it better. Look at things based on the data value. Where there's more value in the data, take more precaution."
After assessing the value of its digital assets and the risks they face, a small organization can then start to take a programmatic approach to deciding on technology and developing security.
From a technological perspective, because most of the risk comes via web- and e-mail-based attacks, small organizations should focus on protecting those channels. That means employing e-mail filtering and web-filtering technology, says Mogull of Securosis.
Fuller says that he's been able to get a handle on his security woes by instituting e-mail and web-filtering technologies from Webroot.
"We're locked down pretty tight," he says, explaining that employees are no longer exploring the web as freely.
Another way to break the infection chain is to make sure systems are patched and configured correctly--a must in Mogull's book. When big companies such as Microsoft find vulnerabilities in their software, they usually send out updates to patch those security holes. Much of the malware takes advantage of these weaknesses to control your systems, so if you install the patches, you'll limit the effectiveness of the malware.
Mogull also recommends that small businesses be discerning about the type of antivirus they use. It may be worth the extra investment to buy business-class vs. consumer-class software, he says.
"There are more advanced technologies that have been added to some of the antivirus solutions, but they're not in the consumer versions--they're in the business versions," Mogull says.
Small businesses also should make sure their websites aren't responsible for other businesses' security woes. Many hackers search for vulnerable web applications that will allow them to break into sites and install hidden pieces of code that allow drive-by downloads--fast-acting infection mechanisms that automatically load malware onto unsuspecting visitors' computers.
For this reason, organizations need to be more mindful of how secure the applications are that they use to offer online services. That may mean employing technologies such as web application firewalls and web application vulnerability scanning.
"The problem for anybody using the web to offer services is that if you get attacked, you cannot just shut down your attack and say, 'We'll just go down for two hours and fix the security issue and then go back up,'" says Hashemi of Support.com. His company uses application vulnerability scanning technology from Santa Clara, Calif.-based Cenzic, which allows his organization to look for security holes without shutting down its site.
If it all seems overwhelming, don't throw your hands up in the air. Even though cybercrooks have become more sophisticated, the way security is delivered to small businesses also has improved. Security services are more affordable and could be just the ticket if your organization is too small to do it all in-house.
"I think it's just increasingly difficult for a company to try to do it all on their own. Our advice is to consult a managed service provider or consult a security expert to help you," says Todd Thibodeaux, president and chief executive officer of the Computing Technology Industry Association. "As we've seen a growth in security in the last 18 months to two years, we've seen a growing number of qualified people moving into the space, so the costs have dropped. I would encourage people to take a second look at that if they've been price shy in the past."
Security companies also have changed how they deliver their products. Rather than rolling out more and more expensive appliances and on-premises hardware and software, many companies are offering security in the same software-as-a-service (SaaS) model that has taken other tech realms by storm. Security companies are leveraging a cloud-based infrastructure to host the security apparatus on their own hardware and allowing small businesses to buy into a service that gives them access to that cloud.
"Many companies that move to SaaS do so because it provides them access to better technology than they could purchase in product form," says Jeff Wilson, principal analyst, security, of Infonetics Research. "In addition, going with a service model ensures their technology stays updated. This leads to stronger security deployments overall."
And finally, small businesses can dramatically reduce their risks by remembering that IT security isn't just about technology--it's also about people. Training staffers about the dangers lurking online can pay off tremendously, as can the development of acceptable-use policies and standard security practices.
"A lot of the major problems with security and malware and viruses start at the keyboard," Fuller says. "Keeping the acceptable-use policies up to date and educating our users on what they can and cannot do has been a big deal for us."
As critical as it may be to some businesses, social media creates new risks
Many small businesses depend on social media sites to help them reach out to new customers, make important business contacts and communicate their brand. But the likes of Facebook and Twitter also introduce a new level of risk to small-business computers.
"We've found that--especially in the last year--the attacks via social media have become more and more sophisticated and more and more difficult to detect," says Brent Altomare, executive producer of Groovy Like a Movie, a San Diego company that specializes in producing commercial videos.
Some of the larger enterprises could consider simply blocking social media sites, but many small businesses like Altomare's wouldn't dare. As a result, small businesses need to find ways to protect themselves from social media and Web 2.0 risks without cutting off a vital business tool.
"The small business is on the forefront of technology advancement and security redesign for what is the new era of technology, which is the web-ified enterprise," says Dave Meizlik, director of product marketing for Websense, which produces software-as-a-service web-filtering technology that Groovy Like a Movie uses.
"Until I got a chance to work with Websense, my only defense against something like that was my and my staff's eyeballs and their common sense not to click on malicious links," Altomare says. "But with social media so integrated in all of our lives and all of the threats that are possible through it, it is something I knew we'd better take seriously."