Organizations have felt the effects of cybercrime’s expansion and maturation for a number of years, but conventional wisdom often assumes these risks are mostly the concern of large corporations and governments. A recent InformationWeek report argued, however, that small businesses display a distinct set of weaknesses that make them particularly attractive to opportunistic hackers.
Small businesses, which are more likely than large enterprises to rely on third-party cloud computing services and BYOD (bring your own device) policies, are also less likely to have detailed security policies in place. This factor only increases the odds of success for social engineering and other advanced attacks that prey on employee negligence.
Choosing easy targets
Large companies may offer a bigger payoff to a successful hacker, but their security measures are larger and better-funded too, according to InformationWeek columnist Tim Wilson. Small businesses, by contrast, offer a more attractive target, Wilson said, since their defenses are less sophisticated. Similarly, lower-level employees, not just CEOs, can often provide cybercriminals with all the access they need to cash in on a business’ restricted data.
“Cybercriminals are looking for low-hanging fruit,” Wilson wrote. “Their targets are companies with poor defenses, a lack of security skills, and vulnerable end users. They're looking for unlocked doors and open windows. The path of least resistance will always be the one most beaten down by bad guys.”
Identifying common vulnerabilities
InformationWeek’s report identified 10 specific cybersecurity threats facing small businesses. Common themes across multiple attack vectors included negligent employees and failure to patch software.
Unpatched browser plugins or rarely used network utilities like videoconferencing systems are common targets. Neglecting to install software updates can also allow malware to infect small business websites and turn them into malware hubs, which can hurt a business’ reputation. InformationWeek pointed to a Symantec study showing that more than 60 percent of malicious websites are legitimate sites that have been compromised.
Employee behavior is another common vulnerability, according to InformationWeek. Workers can leak important information such as website or banking passwords, on purpose or inadvertently. Targeted attacks by criminals can trick employees into giving up information, while the threat of disgruntled employees attacking the company also exists. A common data security risk in small businesses is using just one or two shared passwords across all databases and applications, InformationWeek said.
The fact that many small businesses have employees who work remotely also poses a problem, as few small businesses invest in mobile device management solutions and remote workers often access work applications via unsecured networks in places such as coffee shops.
A January 2012 Ponemon Institute survey of IT professionals found that employee negligence was the overwhelming root cause of data security risks across all sizes of business. Nearly 80 percent of respondents said that negligent or malicious employee actions had been responsible for a data breach in their organization over the previous two years.
Cloud security is an additional point of concern for small businesses, which are more likely to rely on third-party services than on-site systems.
Preventing small business attacks
Small businesses may not have the same resources at their disposal as a large enterprise, but they can still take advantage of cloud security software services, InformationWeek said. The site also recommended working with a security specialist to draft a company plan.
In order to protect against breaches in third-party systems, InformationWeek noted that experts suggest implementing two layers of authentication, particularly for online banking services.
Mashable, meanwhile, offered the straightforward tips of using complex passwords and taking advantage of mobile device management tools. Both practices are actually easier in small businesses, where there are fewer employees to educate, the site said.
Security News from SimplySecurity.com by Trend Micro