Coconut Water Empire to Bust: A Data-Breach Case Study
It’s a good time to be a small- or medium-sized business (SMB) in this country. According to the Small Business Administration, small business openings in 2014 exceeded those of closings for the first time in years. SMBs also generated 1.4 million new jobs in the first three quarters of 2014.
But as good as those numbers sound, there is an adverse side effect from such growth: Cyber thieves are starting to target SMBs with more regularity. We found this out by experimenting with, of all things, coconut water.
We weren't alone in our concern about cyber thievery. This year’s Symantec Internet Security Threat Report estimated that 34 percent of small businesses have faced targeted attacks. Similarly, recent numbers from the UK estimated that 74 percent of SMBs there had suffered an information security breach.
To take a closer look at these issues, our identity and fraud protection company, CSID, recently conducted an experiment. We wanted to see how quickly a cyber criminal could take down a small business. That's how we came to create Jomoco, a fake coconut water start-up, complete with two fictional employees: Richard and Rachel.
We created a virtual presence for Jomoco, which included a website, web server, a business credit card and employee business email accounts. We also created personal profiles for our two "employees": an online gaming account with a $15 credit for Rachel, and a Facebook account for Richard, along with personal email accounts for both. The idea was to mimic the online footprints of an actual SMB its employees.
Our experiment further ensured that Jomoco’s fictional employees made common mistakes when protecting their professional and personal data online, including sharing sensitive information via email and reusing passwords across multiple sites. Then we sat back and let the real cyber criminals take it from there.
We didn't wait long. Within an hour, and armed only with a personal email and login, hackers completely shut down Jomoco, with the following actions:
- Hackers accessed "Rachel’s" personal email address by cracking her easy-to-guess password. Rachel made the mistake of reusing passwords across multiple sites, so cyber criminals were also able to break into her online gaming account, stealing her profile and $15 credit.
- Hackers used the same credentials to access Rachel’s business email account. In this account they found Richard’s email address, and an email communication between Richard and Rachel with Jomoco’s web server IP and login.
- Using the web server details, hackers defaced the Jomoco website, locked out the business email accounts and cut off access to the web server.
- Since "Richard" reused passwords across his personal and professional accounts, hackers were able to access his personal email and Facebook accounts, where they proceeded to change the passwords and cut off Richard’s access.
- The hackers also found information about the company credit card in Richard’s emails. They were able to make one purchase, which was flagged by the credit card company as fraudulent. The business credit card account was quickly frozen.
Among small business owners prevails the unfortunate misconception that hackers are interested only in attacking large enterprises. The fact is, hackers love SMBs. These smaller businesses tend to focus less on security and don’t have the IT security budgets large enterprises have.
According to research conducted by CSID in 2014, only 2 in 5 SMBs had a social media policy in place, and only 2 in 10 SMBs planned to increase security spending. For these reasons, SMBs are easier to breach, making them a prime target.
As our Jomoco case study implied, an SMB can be quickly brought down, and with minimal information. It is imperative that SMBs start paying attention to security, assessing risks and vulnerabilities and training employees on cyber security best practices.
There are plenty of resources available to assist with managing this risk. The FCC has great tips for companies just getting started. My hope is that the future will continue to hold growing revenues for small businesses, and shrinking numbers of small business security incidents.