
10 Cyber Threats Small Businesses Can't Ignore

SMBs must be serious about cybersecurity now that they're targets, too.

InformationWeek Green - Sept. 17, 2012
Download the InformationWeek SMB September special issue on cybersecurity, distributed in an all-digital format as part of our Green Initiative
(Registration required.)

10 Cyber Threats You Can't Ignore

The email came from "Ivan" in Russia: "After a few minutes I'll start a DDoS attack on your site, and it will cease to work," the message said. "If you don't want to lose any profit, you pay me only $3,500."

Endless Wardrobe, the Australian online clothing retailer under attack, refused to pay. As threatened, the site was flooded with bogus information requests, overwhelmed, and down for a week. Endless Wardrobe worked with its hosting provider to blunt the attack, but the defenses erected by the provider also blocked many legitimate customers.

The retailer, with three full-time employees and three part-timers, lost customers and at least a few thousand dollars in business, says general manager Andrew Burman.

"Before the attack I had no idea we would be a target," Burman says. "I had heard about cyber attacks before but never thought it could happen to a small business. I thought they normally target large businesses, online gambling types, as they have the money to pay them off."

Most small and medium businesses don't believe online criminals will target them, and it's true that most never will be a victim of an extortion threat as Endless Wardrobe was. But they can't count on their smaller size keeping them out of harm's way. In 26,000 targeted attacks Symantec documented last year, half were on businesses with fewer than 2,500 employees and 18% on businesses with fewer than 250 employees. From denial-of-service attacks that take down websites to Trojans that empty bank accounts, there are a multitude of attacks that most SMBs don't know about and aren't prepared for.

It's not just the e-commerce giants like Amazon.com that are being attacked, but companies with a few hundred employees or fewer, says Matthew Prince, CEO of Web security firm CloudFlare. CloudFlare specializes in stopping attacks like the one on Endless Wardrobe, but it also became the target of a different type of attack in mid-May. Hackers gained access to the password-recovery mechanism for the 36-employee company's Google-hosted email, giving the criminals access to sensitive data about CloudFlare's systems and customers. The crooks' end goal: Use email access to gain control of customers' accounts. The criminals nearly succeeded.

The attackers involved are "really good at taking over control of email," Prince says.

These attacks are part of the brave, new world of small business. The same technologies that let small businesses operate online efficiently and do more for less money also open them up to attacks.

Nearly 90% of small and midsize businesses bank online, making accounting and finance easier, but also opening their accounts to attack. And SMBs are increasingly letting employees bring their own mobile devices on to company networks. About 40% of managers worry about the risk that this practice creates for information security, according to the Sophos 2012 Network Security Survey of more than 570 global IT decision-makers.

"Small businesses are more prone to attack because they have less resources to maintain their defenses," says Gavin Struthers, senior VP of worldwide channel operations at security company McAfee. "Many of them are online and mobile-connected, and if they lose those benefits, then they lose their business."

With limited resources to deal with security, SMBs often ignore potential threats. The best defense is to be aware of the threats and create security policies to deal with them. Here are ways to defend against 10 of the most serious--but too often ignored--dangers.

To read the rest of the article, download the InformationWeek SMB September special issue on cybersecurity.

User Rank: Apprentice
9/20/2012 | 8:32:04 PM
re: 10 Cyber Threats Small Businesses Can't Ignore
Another dimension to cybersecurity challenges facing SMBs is social spam. Social media and other online channels allow SMBs to engage customers, build business, and strengthen a brand. While increased user traffic should be good news for SMBs, the bad news is that spammers will follow wherever traffic goes and can wreak havoc on a company's good efforts with offensive comments, malicious links, or other abusive acts.

Fortunately, affordable security solutions for social spam are available. Real-time content protection is critical to defending one's brand online and efforts to reach consumers. This technology enables SMBs to employ the same defense systems as larger companies like Tumblr. For disclosure, my company - Impermium - provides social spam protection to Tumblr among other companies.
User Rank: Apprentice
9/19/2012 | 1:28:41 PM
re: 10 Cyber Threats Small Businesses Can't Ignore
Tried using CloudFlare but quickly found better alternatives. Their DDoS plan is way too expensive and they got so many downtimes that it was simply embarrassing apologizing for them all. The author is right, SMBs must start thinking about online security but Cloudflare is a bad choice for a security provider.