When hackers breach the security of corporations it makes headlines. When they hit small to medium-sized businesses (SMBs), you rarely hear about it. Very few people are aware that SMBs are targeted by cyber criminals. Here we cover the current threat landscape, and cyber crime prevention on a small business budget.
According to Verizon’s 2013 Data Breach Investigations Report, 71% of data breaches investigated by their forensic analysis unit targeted small businesses with fewer than 100 employees. Of that group, businesses with fewer than 10 employees were attacked the most.
In Canada, network breach reporting wasn't required until the Data Privacy Act was enforced as of Nov 1 2018. To date, reporting compliance is weak. What happens on main street, stays on main street.
Being compromised is costly.
When confidential data is exposed or lost in a cyber attack, both the people exposed and the business targeted are victimized.
For the victim, hackers pilfer personal information, bank account, credit card and social insurance numbers. The result is often financial loss or identity fraud. Untangling from the web of identity fraud is a long and stressful process.
For business, there are now data breach notification laws in place in Canada, and state-by-state laws in the United States. The costs of reporting a breach and repairing a breach are high. If the right disaster recovery tools are in place before the attack, recovery cost and time are greatly reduced. If not, the business could be non-operational for days or weeks.
The loss of trust and reputation can have a lasting effect on the business.
The Cost Of A Breach
The Ponemon Institute compiles research on cyber crime. In their 2nd Annual Cost of Cyber Crime Study, the reported average cost per breached record in the U.S. is between $150 and $200. This factors in:
- IT services to investigate the breach
- IT services to stop the attack
- IT services to fix the underlying security issues that led to the breach
- Possible damage control and litigation costs
- Lost business
If a ransomware attack encrypts 2000 files, the cost can be enormous to a small business.
In many cases, a damaged reputation may prove to be irreparable.
Symantec’s 2012 State Of Information Survey found that customers exposed by a breach are less forgiving of smaller firms than of large enterprises. It seems easier to blame the face of a small business than a behemoth corporation. Symantec reported that almost half of SMBs surveyed admitted to a data breach damaging their reputation with customers.
SMBs are not only contending with the lost time and revenue associated with a breach, but also with lost trust from clients and vendors.
The consequences of a breach extend well past the critical event itself. Close to two-thirds of companies who suffer a major breach find themselves shuttered within six months.
For the victimized clients whose personal and sensitive information is leaked, it is often used to perpetrate identity fraud. Canadians lost $21.2 million related to identity theft in 2018. Losses have almost doubled from $11.7 million in 2017. 35% of Canadians know someone who has been a victim of identity fraud.
Small business owners are responsible for protecting the personal and sensitive information of employees and clients.
Investment in IT security is required to do so. Failing to implement security practices makes the business an easy target for cyber criminals.
Canadian Companies Are Facing Cyber Threats
In the 2019 Scalar Security Study titled The Cyber Resilience of Canadian Organizations, 100% of the enterprise companies surveyed faced a cyber threat.
- 58.48% report having data exfiltrated
  - 24.64% of which included sensitive but non-personally identifiable information
  - 25.13% of which included personally identifiable information (PII) of customers or employees
- 38.08% report being infiltrated
  - 27.81% of which involved sensitive but non-personally identifiable information
  - 22.96% of which involved PII of customers or employees
- 18.18% report having data subjected to ransomware demands
  - 16.95% had their data encrypted
  - 12.04% had data deleted
- 34.15% had a network failure due to DoS attacks
On average, employees spent twenty days responding to and remediating damage.
It's critical that Canadian companies become aware of threats, and implement multiple network security tools and practices to mitigate the various types of risk.
Small businesses don’t have the financial resources that giants such as Citibank, Home Depot or Amazon have to weather an attack, or pay damages. Prevention is key.
Why Cyber Criminals Target Small Business
Large, security-conscious corporations have the resources to invest in sophisticated security tools and teams. A typical enterprise will have over twenty IT employees ensuring every device connected to the network is authenticated and fortified with layers of protection. By comparison, the average small business has no IT employee, no network perimeter defense, no user authentication tools, and free or inadequate antivirus. They are often unaware of the blind spots and gaps in their security.
Twenty-six percent of small businesses do not have a dedicated IT partner to turn to in the event of a crisis.
While very few SMBs have trained, in-house IT staff, they may assign a team member to handle technology-related issues in the office. This person is usually not trained in IT and has a non-IT primary job role. Bogged down by that primary job, and lacking IT knowledge, they cannot properly address computer security.
In September 2013, McAfee and Office Depot conducted a survey of 1000 SMBs, and found many to be lacking basic data protection. Cyber criminals know this.
Besides being known for lax security, small businesses are also numerous. This combination makes them an easy and inviting target for cyber criminals. There are roughly 23 million SMBs in the United States and 1.15 million in Canada. Those numbers are growing.
Small businesses are not too small to matter; they are heavily targeted. However, the breaches have not been sensationalized in the media, so there is no sense of urgency for small business owners to prepare for cyber attacks.
The local dentist, accountant, chiropractor, property management firm and specialty denim shop have been victims of ransomware and network breaches. Reporting was not required until recently. The public remained largely unaware.
The Big Heist Era Is Over - Multiple Smaller Targets Are Profitable To Cyber Criminals
Too many SMBs mistakenly view themselves as trivial to hackers. They feel global entities are more attractive targets. The goals and methods of cyber attackers are evolving and will continue to escalate. The era of one “big heist” for hackers has passed. Many cyber criminals today prefer to infiltrate many small businesses at once. They steal in tiny increments over time and do not set off immediate alarms.
Malware exploit kits are purchased on the dark web for as little as $1200. They can provide a return on investment of over one hundred percent for criminals. Such micro-attack methods are especially targeted at SMBs with lax security, who will likely not even realize a breach is under way until days or weeks after it has begun.
Small Business Used As Trojan Horses To Access Larger Partner Vendors
Political “hacktivists” have been behind high-profile Distributed Denial-of-Service (DDoS) attacks against large corporations and government agencies. Their goal is cyber anarchy and to "stick it to the man". They aim to disrupt the status quo, often for infamy and "street cred" alone. When a group such as 4chan, Anonymous, LulzSec or AntiSec attacks a massive entity, the small business owner may disregard it as unrelated to their own need for IT security. After all, what interest would these groups have in a small business?
It is estimated that there are 1.29 DDoS attacks throughout the world every two minutes. The scope of these activities may be much broader than the press reports.
One reason small businesses are targeted is that they can serve as a stepping stone to larger targets. SMBs are often sub-contracted as a vendor, supplier, or service provider to larger, better protected organizations. The SMB can serve as an attractive entry point for raiding the data of a larger company. Unbeknownst to them, they can become the Trojan horse used by hackers to gain backdoor access to a bigger company’s data. Malware specifically designed to use an SMB's website to crack the database of a larger business partner exists. Email and account hacking are used as well.
For this reason, large potential clients may require proof of data security before they will enter into a business relationship with a smaller entity. They may:
- ask for specifics on network setup
- require an independent security audit be conducted
- require the SMB to fill out a legally binding questionnaire on network security protocols and practices in place
- require specific security protocols be implemented to do business
The SMB that cannot demonstrate proactive, sustained network security management will likely lose significant deals to competitors who can.
For the growing company, IT investment is an important part of business growth strategy.
Sample questions - vendor security screenings
- Please supply a network schema (e.g. firewalls, network segmentation, intrusion prevention, file integrity monitors).
- Is patch management performed on all computers?
- Are all email attachments entering your organization scanned and blocked if they contain malicious code or file types that are unnecessary to business function?
- Do you use network level authentication via 802.1X to control which devices can be connected to your network?
- Do you maintain a list of authorized software approved for use in your business?
- Are there dedicated Information Security professionals that govern the Information Security function?
It Won't Happen To Me
- "We have antivirus so we don't need it."
- "We're in the cloud now, so we don't need any more security."
- "I'll just call if I have a problem."
Small business owners have justified lack of IT investment with these statements.
The "it won't happen to us" mentality is hurting small business (and their clients).
A false sense of security is not a defense. The McAfee/Office Depot survey which found nearly half of SMBs lax in security also found that sixty-six percent of those SMBs said they were "confident" in their data security, despite glaring gaps in tools and practices.
Data breaches aren’t always caused by hackers doing bad things. According to the June 2013 Symantec Global Cost of a Data Breach Study, there are three major causes of breaches. Only 37% are attributed to malicious attacks. 64% are human error and technology errors. A good employee can make a simple mistake that can cost a business thousands of dollars.
SMBs don’t need a large budget to adequately protect sensitive data. A reasonably secure environment is possible on an SMB budget. More control can be had with a Managed IT Services partner.
Here are a few network security measures you can begin to implement or improve now.
Improving Small Business Network Security
1. Have A Strong Password Policy
- Research and educate employees on the need for strong passwords.
- Use 10-character passwords. They are significantly harder to break than shorter passwords.
- Require employees not to re-use passwords across accounts.
- Define your password policies and use Active Directory to help enforce them. Have employees sign in agreement of compliance.
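The policy above is enforced in Active Directory, but the same rules can be checked in an onboarding script or a web application that manages its own accounts. The example below is added here and is not code from the original article: it applies the article's 10-character minimum, blocks passwords containing the username, and detects reuse of recent passwords by comparing against salted PBKDF2 hashes rather than stored plaintext. `HISTORY_DEPTH`, the PBKDF2 round count and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os

# 10-character minimum comes from the article; the history depth and
# PBKDF2 round count are assumptions for this example.
MIN_LENGTH = 10
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Store this, never the password."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def evaluate(candidate: str, username: str, history: list) -> list:
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    # Only the most recent HISTORY_DEPTH hashes are checked for reuse.
    if any(matches(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate(candidate: str, username: str, history: list) -> list:
    """Apply the policy; on success append the new hash to the user's history."""
    problems = evaluate(candidate, username, history)
    if not problems:
        history.append(hash_password(candidate))
    return problems


if __name__ == "__main__":
    # Constructed sample: one previous password already on file for user "jsmith".
    history = [hash_password("Winter2018pass")]
    for attempt in ("Short1", "Winter2018pass", "jsmith-rules!", "correct horse battery 42"):
        print(f"{attempt!r}: {rotate(attempt, 'jsmith', history) or 'accepted'}")
```

Reuse across accounts (the third bullet) cannot be checked by any one system, because it would require every service to share password hashes; that rule can only be enforced through training and a password manager.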
2. Know All Devices Connecting To Your Network
Keep an up-to-date list of every device that connects to your network. Check it weekly. This is especially important if you allow Bring Your Own Device (BYOD) in your workplace, where employees can access your network using personal, often unsecured devices. Know these devices. Ensure they are all configured to optimize network security. Be sure every endpoint is secure. Re-affirm this regularly. Remove any unknown devices.
A Mobile Device Management (MDM) tool can help automate this process, and make it cost effective. MDM tools will approve or quarantine any new device accessing the network, enforce encryption settings, and remotely locate, lock, and wipe company data from lost or stolen devices.
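The weekly check described above is a reconciliation: what is actually on the network versus what the inventory says should be there. The example below is added here and is not code from the original article or any MDM product. It compares a constructed authorized-device list (CSV) with a constructed DHCP lease export and reports devices that are present but unknown, and devices that are in the inventory but were not seen. The file formats, MAC addresses and owner names are all assumptions made up for this example.

```python
import csv
import io
import re

# Constructed authorized-device inventory (the list the article says to keep).
AUTHORIZED_CSV = """mac,owner,device
aa:bb:cc:00:00:01,reception,front desk PC
aa:bb:cc:00:00:02,dr.lee,exam room laptop
aa:bb:cc:00:00:03,office,network printer
aa:bb:cc:00:00:04,j.smith,personal phone (BYOD)
"""

# Constructed DHCP lease export, one "<ip> <mac> <hostname>" per line, in the
# mixed MAC notations that different routers and tools actually emit.
DHCP_LEASES = """192.168.10.21 AA-BB-CC-00-00-01 FRONTDESK
192.168.10.22 aa:bb:cc:00:00:02 lee-laptop
192.168.10.23 AA:BB:CC:00:00:03 HP-LJ-4000
192.168.10.57 de:ad:be:ef:12:34 android-9f3a1c
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(raw: str) -> str:
    """Canonical lowercase colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def load_authorized(text: str) -> dict:
    """MAC -> inventory row."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def load_leases(text: str) -> dict:
    """MAC -> {ip, hostname} for every active lease line."""
    leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split(maxsplit=2)
        leases[normalize_mac(mac)] = {"ip": ip, "hostname": hostname}
    return leases


def reconcile(authorized_text: str, leases_text: str) -> dict:
    """unknown: on the network but not in inventory; absent: in inventory but not seen."""
    authorized = load_authorized(authorized_text)
    seen = load_leases(leases_text)
    unknown = {m: seen[m] for m in seen if m not in authorized}
    absent = {m: authorized[m] for m in authorized if m not in seen}
    return {"unknown": unknown, "absent": absent}


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_CSV, DHCP_LEASES)
    for mac, lease in report["unknown"].items():
        print(f"UNKNOWN {mac} {lease['ip']} {lease['hostname']} -> investigate, then remove or enrol")
    for mac, row in report["absent"].items():
        print(f"ABSENT  {mac} {row['owner']} {row['device']} -> confirm still in use or retire")
```

A MAC address identifies a device only as well as the device chooses to report it, so this check is inventory hygiene, not authentication. Controlling which devices may join at all is the job of 802.1X, the control the vendor questionnaire above asks about.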
3. Have A Local Network Firewall
A firewall acts like a border security agent, inspecting the packets of information that attempt to enter or exit your network, searching for malicious threats. Bad files are blocked, reducing risk.
Firewalls were the highest-prioritized IT security investment by IT professionals in 2016, 2017, 2018 and beyond. Today they are paired with zero trust security practices for multi-layered security.
4. Have AntiVirus & AntiMalware On Every Device
Security is about layers. Where one fails, another protects. In addition to a firewall, every device should have the same business grade antivirus and antimalware software. Free products are inadequate. And remember, antivirus alone is not enough.
5. Audit Sensitive Business Information & Limit Access
Audit, edit and document where your most sensitive business information is stored, and who has access to it. Re-audit regularly.
6. Educate Employees
The human layer of network security is one of the most vulnerable.
Every employee should receive initial and ongoing general security awareness training. This will help reduce data breaches caused by human error, and keep employees alert to cyber crime attempts. Hackers commonly break into networks by taking advantage of employees. Phishing attacks are still very successful tools for hackers. The legitimate-looking emails, crafted to trick recipients into clicking a malicious link and entering their username and password, can be indistinguishable from the real thing.
If a company makes headlines for a data breach tied to phishing, be sure to discuss it at the office to raise awareness.
Use free online tools to test employees' ability to spot a phishing email.
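The tells that awareness training teaches people to look for can also be checked mechanically before a message reaches the inbox. The example below is added here and is not code from the original article or from any particular mail filter. It parses a constructed sample message and flags three classic indicators: a Reply-To domain that differs from the From domain, a display name claiming a known brand while the sender domain is not that brand's, and a link whose visible text shows one site while the href points at another. All domains are reserved `.example` names, and the `KNOWN_BRANDS` table is an assumption standing in for the list of suppliers and banks a given office deals with.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; every domain is a reserved .example name.
SAMPLE_PHISH = """From: "Northwind Bank Online" <alerts@northwind-bank-secure.example>
Reply-To: returns@quickmailer.example
To: owner@smallbiz.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at
<a href="https://northwind-bank.example.verify-login.example/">https://www.northwind-bank.example/login</a>
within 24 hours.</p>
</body></html>
"""

SAMPLE_LEGIT = """From: "Northwind Bank Online" <alerts@northwind-bank.example>
To: owner@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.northwind-bank.example/statements">our site</a>.</p></body></html>
"""

# Assumption: brands your staff deal with, mapped to the domain each really uses.
KNOWN_BRANDS = {"northwind bank": "northwind-bank.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    # Crude last-two-labels approximation of the registered domain (assumption;
    # production code would consult the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if msg["Reply-To"]:
        _, reply = parseaddr(str(msg["Reply-To"]))
        if registrable(reply.rsplit("@", 1)[-1]) != registrable(from_dom):
            findings.append(f"Reply-To {reply} is on a different domain than From {addr}")
    for brand, real_dom in KNOWN_BRANDS.items():
        if brand in name.lower() and registrable(from_dom) != real_dom:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            # Only compare when the visible text itself looks like a URL.
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

None of these checks proves a message is malicious, and a clean result does not prove it is safe; they are a cheap first pass that mirrors what staff are taught to notice, and a useful way to generate realistic training samples.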
Be sure each employee has read security policies that outline best practices for working in the office, or remotely.
Be sure each employee understands the password policy.
Make IT security a regular part of your team and management meetings.
7. Use Two Factor Authentication
Two Factor Authentication (2FA) is a security option for many email and online accounts.
It is free to set up and use.
A common form of 2FA is an authenticator app installed on your mobile phone that generates a new PIN every 60 seconds. To log in to an application with 2FA enabled, you need both your password and the current PIN. This additional layer of security helps protect your business from email and account hacking.
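The PINs those apps show are not random: both the phone and the service derive the same code from a shared secret and the current time, which is why the code is useless to anyone who has only the password. The example below is added here and is not code from the original article or any authenticator product; it implements the standard TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) and a server-side `verify` that tolerates small clock drift. The RFC's default time step is 30 seconds; the 60-second window the article describes is passed as the `step` parameter. Function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret: bytes, submitted: str, unix_time: float, step: int = 30, skew: int = 1) -> bool:
    """Server-side check accepting the current code and +/- `skew` neighbouring steps.

    Every candidate is compared in constant time so timing does not leak which
    digits matched. A real service must also reject a code that was already used.
    """
    accepted = False
    for drift in range(-skew, skew + 1):
        expected = totp(secret, unix_time + drift * step, step)
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


def enrollment_secret(nbytes: int = 20) -> str:
    """The base32 string an enrollment QR code carries to the phone."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    shared = base64.b32decode(enrollment_secret())
    now = time.time()
    code = totp(shared, now)
    print("phone shows:", code)
    print("server accepts:", verify(shared, code, now))
    print("60-second variant:", totp(shared, now, step=60))
```

Because the secret alone reproduces every future code, the enrollment string deserves the same protection as a password: it is the one thing a phishing page cannot obtain from the user, and the one thing an attacker who reads the server's database would want.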
8. Use Cloud Services
The outdated notion that the cloud is unsafe is just that: outdated.
All IT systems carry risk. However, the small business using cloud services instead of self-managed tools for email, document storage, backups and file sharing reduces both risk and total cost of ownership.
Corporations such as Google or Microsoft specialize in building and managing these tools, and have far more expertise than the average SMB owner. Many of 2013’s security breaches were the result of lost or stolen devices without MDM in place, misplaced printed documents, and employee errors, not cloud services.
9. Hire A Managed IT Services Provider
IT security and management requires specialized training and knowledge.
It takes time, attention and daily practice to stay current.
A Managed Service Provider (MSP) can create a secure network and assume responsibility for IT security management. They can configure and administer complex security devices and controls like servers, Active Directory, firewalls, patching, intrusion-detection and log analysis systems. IT Outsourcing via Managed IT Services is a cost effective business strategy to manage SMB security needs.
Putting It All Together
- Call for a team meeting to discuss this document.
- Consider hiring an outside third party to perform an in depth network security review to provide insight & clarity.
- Create a list of actions to be taken.
- Prioritize the actions according to security and budget.
- Schedule a recurring appointment for IT planning for the business.
Cyber criminals are counting on you to be lax with your security. Don’t be.