If you think that because you’re a small business, hackers won’t seek your data, consider this: a hacker can steal bank account and/or credit card information from your computer, package it with similar information from a hundred or more other small businesses and sell it on the black market for big bucks.
So says the fifth annual Verizon 2012 Data Breach Investigations Report, authored by Verizon Risk Team leader Christopher Porter. The report was produced in conjunction with the U.S. Secret Service and similar agencies from Australia to the Netherlands. Porter recently told PC World magazine: "Small businesses don't know how defenseless they've become, especially to automated and industrialized attack methodologies by organized crime."
According to security software maker Symantec, the percentage of targeted attacks on small businesses doubled in the first six months of this year. The company says it blocked an average of 58 attacks per day aimed at small businesses. Daily attacks on all businesses averaged 154, up 24 percent. Doing the math, it’s apparent hackers are dedicating more resources to what they see as vulnerable targets.
The attacks are not random, they’re targeted. It means an attack is tailored for a specific business. Hackers use publicly available information or even information stolen from another company such as a supplier. Basically, the attackers create emails with malicious attachments they believe will trick employees into opening. It’s been dubbed “social engineering” and it’s sophisticated. So just warning employees about opening emails with attachments isn’t likely to be much protection anymore.
It’s notable that of all the attacks the report studied, it found that 96 percent were easy for the hacker to achieve. What’s more, 97 percent could have been foiled without the need for difficult or expensive countermeasures. Therefore, the Verizon report offers some simple recommendations:
• Use a firewall on Internet-facing services. Hackers can’t steal what they can’t reach.
• Change default credentials on any point of sale and other systems that come with preset credentials. This could prevent unauthorized access.
• Monitor third-party vendors if they manage your firewalls or point-of-purchase systems to be sure they have implemented proper security.
• Educate your staff, particularly about social phishing. Establish policies and make sure they’re being followed.
• Follow through on any security technology you purchase to be sure you have configured it properly. Do not ignore reports.
• Think often about security. Check logs of your Windows OS system, point-of-purchase system and security software or have a professional do it for you.
Finally, Porter indicated that in most cases, attacks were mostly opportunistic. When a small business follows simple procedures, it is less likely to become a target. Cyber criminals look for the easy marks.