The What, Why and How of Small Business Security Threats

You may remember the popular catch phrase that was bandied around after the 2008 financial meltdown: “too big to fail.” The implication was that certain financial institutions are so large and so interconnected that their failure would be disastrous to the economy.

While it can be argued this mindset is flawed and dangerous, companies at the opposite end of the spectrum can suffer from a similarly flawed belief, which can be paraphrased: “too small to be noticed.” What this refers to is the false notion that cybercriminals who make a living exploiting companies’ IT systems won’t waste their efforts with such small pickings.

Following are some facts that point to a very different reality about the security challenges SMBs are facing (the what), some insights into why this is happening, and concluding with some tips for how IT service providers can help.

What Security Challenges Are Small Businesses Facing?

The 2013 Verizon Data Breach Investigations Report, which corroborates the findings of 19 global organizations on studying and combating data breaches, identified 621 confirmed data breaches in 2012. Of that number, 193 (31 percent) were from businesses with 100 or fewer employees and another 9 percent were attributed to organizations with between 101 and 1,000 employees. The average cost of a data breach, according to a 2010 joint study conducted by Applied Research and commissioned by Symantec, is $188,242 per year. Most SMBs would struggle with that kind of financial hit – and a good number would experience layoffs or worse as a result.

Shedding additional light on the subject is The Symantec 2013 Internet Security Threat Report, which notes that the attacks to small businesses in 2012 (which the report defines as businesses with fewer than 250 employees) were up 18 percent over the previous year. Additionally, McAfee, in conjunction with Office Depot, conducted a survey of more than 1,000 SMBs and found some additional surprises:

• Only 9 percent of SMBs use endpoint/mobile device security despite the widespread use of employee-owned devices (i.e. BYOD)
• 45 percent of SMBs take no measures to secure company data on employees’ personal devices
• 80 percent of SMBs don’t use data protection in general
• Less than 50 percent use email security
• Only about 50 percent use Internet security technologies.

Rounding out the state of SMB security is research from PriceWaterhouseCoopers, which discovered that 96 percent of PCs are not adequately backed up. In other words, when malware, security breaches, and other security-related issues strike, the chance of data loss and downtime is high among SMBs.

Why do Cybercriminals Value Your SMB Customers’ Data so Much?

Now that we’ve established the fact that SMBs as a whole are in a pretty vulnerable state, the big question is why are cybercriminals starting to hone in on this group? One reason is that larger corporations are investing more heavily in sophisticated security strategies, which is forcing cybercriminals to seek lower hanging fruit. A recent presentation from IT security consulting firm Kalki Consulting, suggests cybercriminals have four primary motivations for targeting SMBs, including:

1. Extortion and/or Financial Gain. Ransomware malware such as CryptoLocker is becoming a big problem for unsuspecting SMBs. Ransomware attacks occur when criminals break into the victim’s computers and encrypt all data on the system, rendering it inaccessible unless a fee is paid (using a form of digital currency known as Bitcoins) in exchange for the decryption key. Without that key and without a valid backup, the victim is out of luck and unable to recover its data.
2. Identity Theft and Payment Fraud. In 2013, more than 11 million people within the U.S. alone were victims of identity theft with the damage reaching $21 billion. Once criminals steal someone’s personal information, they use it to commit payment fraud, including misuse of the victim’s existing credit cards (64 percent of fraud incidents), misuse of the victim’s existing bank account (35% of fraud incidents), and general misuse of the victim’s personal information (14 percent)  (Source: Statistic Brain).
3.  Medical Insurance Fraud. Cybercriminals use victim’s healthcare insurance to acquire prescription drugs that can be resold on the street as well as billing insurance companies for services not rendered in the hopes of a big payoff. The FBI estimates that healthcare fraud costs American taxpayers $80 billion a year.
4. Spreading Malware.  So why exactly do the bad guys want to infect corporate websites and IT networks?  The cybercrime economy is mature and complex, and malware distributors have multiple methods for monetizing their trade. Often, infecting networks/websites is the first step in this insidious process. Infected networks/websites can be configured to serve Trojans or spyware that, once installed, quietly logs the PC owner’s keystrokes and sends that information back to servers controlled by cybercriminals. When users log into banking or other websites, the malware steals their credentials and sends them to the criminals. The bad guys can then access bank accounts or sell those credentials on underground forums.

How You Can Protect Your SMB Clients

Although it’s sometimes tempting to take for granted that VARs and MSPs already understand the concepts being outlined in this article, our own research found that 44 percent of technology firms depend on their clients suffering data breaches or downtime before discussing security and backup. So, the first and most pressing piece of advice is this: start communicating with your clients about the threats that are out there and why they should care.

Something else to consider is making data security, backup and recovery mandatory practices for every customer. Think about it: Do you really want to do business with clients that don’t value their businesses and data enough to protect them? Most VARs and MSPs find that the few clients lost after several attempts to educate them about data protection become a “growth through attrition” experience in the long-term.

Another important point to keep in mind with security and backup is to automate as much as possible. And, this is where software as a service and the cloud come into play. Unlike traditional security software that is sold as a one- or two-year license, SaaS-based security is sold as a subscription that never needs to be renewed. Additionally, it’s a good idea to ensure the software can be automatically updated on a regular basis and you can remotely monitor it and receive alerts should something not work properly.

And, last but certainly not least, it is imperative to ensure your customers’ data is properly backed up using a reliable enterprise solution that supports local data backups for quick data restore and secure off-site backup for disaster protection. To learn additional best practices for implementing a solid security and backup solution be sure to check out: 4 Steps to a Fool-Proof Business Continuity Plan.

Neal Bradbury is co-founder and VP of Channel Development at Intronis.