SMBs need to work on fundamental security errors to reduce risk of costly incidents

Dark Reading Staff, Dark Reading

December 1, 2011

9 Min Read

With hackers turning up the heat in 2011 and security breaches increasingly costing businesses more money in clean-up costs, notification resources, and compliance fines, the stakes are high for SMBs to improve their security processes.

"An attack that costs $20,000 might not make the headlines like a Fortune 100 losing $1 million, but to the SMB, proportionally it could be just as devastating," says Brian Contos, director of global security strategy at McAfee.

That's why it is so important for small businesses to start thinking seriously about addressing the following key mistakes commonly made within small companies.

Next page: Never too small.

1. Thinking They're Too Small
A lot of the cascading technical and process deficiencies at SMBs stem from the fundamental belief that security doesn't matter because their firms are too small to worry about it.

"That's one of the biggest mistakes we see out there, thinking that small means that security doesn't apply to you," says Doug Landoll, solutions architect for Accuvant. "If someone is still in that mindset, they need to get out of that."

First of all, on the compliance front, SMBs are not likely to get a pass from regulators because their organizations only have 10 employees.

"It doesn't matter how large a transaction is -- it doesn't matter how many pieces of data you have. Just the fact that you have that sensitive information is all that matters," Landoll says. "Regulations don't change according to size."

More important, though, SMBs need to understand that just because they are small doesn't mean they aren't targets for hackers, says Kevin Haley, director of Symantec Security Response.

"According to Symantec’s SMB Threat Awareness Poll released in October, 85 percent of SMBs believe their company is safe from hackers, viruses, malware, or a cybersecurity breach, yet research shows SMBs are quickly becoming the largest targeted group for attackers," Haley says. "Forty percent of targeted attacks are aimed at SMBs whereas only 28 percent are aimed at large enterprises. Clearly there is a strong disconnect between perceptions and reality for small business owners when it comes to their cyber security posture, and it shows in their lack of sufficient security policies and training."

Next page: Open to attack. 2. Leaving Websites Open To SQL Injection
According to Contos, SQL injection is one of the most common attack vectors against all organizations, SMBs in particular. Contos says that even though many small businesses depend on their websites and web applications to drive a significant portion of their revenues, they don't proportionally invest to ensure that these income generators are safe from attacks like SQL injection, cross-site scripting, cross-site forgery requests, and cookie poisoning.

"One of the big things SMBs should really focus on is to say, 'Look, this is going to be a big part of our business -- we're going to be deriving a lot of revenue through this infrastructure. Llet's ensure that security is built in early on,'" Contos says. "One of the things I would suggest is if you don't have security people on your team that can't do that, that's fine, this is a great time to leverage a professional services team. They don't have to be on your site for years and years. They're just looking for basic things that can be mitigated if they have some visibility into these exploits."

Next page: Patching priorities. 3. Failing To Patch Or Securely Configure Systems
Poorly patched and configured systems continue to be the Achilles heel within SMBs, says Marcus Carey, security researcher at Rapid7.

"Attackers really don't need to create zero-day attacks to perpetrate data breaches when there are so many ready-to-use exploits available for unpatched vulnerabilities that are over a year old," he says.

One of the best means of greatly improving the security posture at a small company is to simply ensure that everything is properly patched and configured. This can go a great way toward mitigating risk of the most common attacks, Haley says.

"Three types of attacks that can have a devastating effect for small businesses include banking Trojans that steal all of the money in an SMB’s bank account, data breaches that threaten intellectual property and customer information, and brand reputation issues that drive your customers away," he says. "These attacks can be easily thwarted with up-to-date and properly configured security systems. And just to show how far SMBs still have to go, the SMB Threat Awareness Poll also showed 63 percent of SMBs don’t lock down machines used for online banking and 9 percent don’t take any special precautions at all."

Next page: Lapsing licenses. 4. Letting Software Licenses Lapse
Often the reason why patch management is so abysmal at SMBs is that the software in question isn't even properly licensed. That's step one in the patch process, Carey says. This goes for all systems, including security software, which essentially becomes useless when the licensing lapses.

"Many SMBs have patch management issues because they allow software licenses to lapse. This results in the organization having software and systems that are not supported," he says. "Many security and network appliances become vulnerable to attack with out-of-date software. In these cases, the products that were initially purchased to provide confidentiality, integrity, and availability become liabilities to the organization. This represents a further danger as many organizations have a false sense of security thinking these devices will protect them for life.

Next page: Passwords as the weak link. 5. Weak Passwords
Not only do small organizations fail to patch or securely configure their systems, but they further open the door to attack by utilizing poor passwords.

"Passwords are often the only obstacle for hackers to overcome before they can access sensitive data, and if SMBs have weak passwords like most do, the codes are easy to crack," Haley says. "What’s worse, according to the National Cyber Security Alliance, the majority of SMBs do not use multifactor authentication [more than a password and logon] to access their networks. That means hackers have only one hurdle to jump before running off with proprietary information."

Next page: The threat from inside. 6. Letting Employees Browse The Web Unchecked
According to Symantec's SMB Threat Awareness Poll, 67 percent of organizations don't use Web-based security services. With so many malware threats spread around through malicious sites and computers so easily infected simply through clicking crafty malicious links, Web security policies and technology have grown in importance. Fred Touchette, senior security analyst for AppRiver, warns that organizations need to consider filtering Web traffic to reduce the risk of infection.

"Allowing employees full Internet access can lead to poor browsing habits, which in turn could make the entire company’s network vulnerable to infection," he says. "In addition, it is entirely possible that an otherwise innocuous site can become infected and will serve up malware in a drive-by fashion; this is where filtering really comes in handy."

Next page: E-mail insecurity.

7. Using Insecure Email
According to Touchette, SMBs really need to look out for the use of insecure email channels as a way to send sensitive information. It is a common mistake that could easily burn a company and its reputation. This means putting policies in place and using technology that can enforce it.

"People are prone to believe that since they addressed an email to an individual, that that is the only person who can access it. Email is sent in plain text, so anyone that gets a hold of it along the way can read it by default," he says. "Encrypting sensitive information in email can protect it from possible prying eyes."

Next page: Mobile as the perimeter. 8. Ignoring Mobile Security
More agile than their larger counterparts, SMBs are more likely than larger organizations to embrace new smartphones, tablets, and other consumer devices that employees are clamoring to bring to work. That's fine, but they would do well to pay attention to how sensitive information is being used on these devices, says Contos.

"Mobile security has to be top-of-mind because that's sort of the new perimeter -- people are the new perimeter," he says. "If they're allowing employees to bring in devices, that's great but at the same time they need to leverage tools that allows them to say 'You have to safely access my network and safely access my data.' These things can be achieved within SMBs."

Next page: Employee preparation. 9. Failing To Train Employees
According to Touchette, perhaps one of the biggest security mistakes SMBs make is failing to properly inform employees about IT risks.

"Employees need to be fully aware and on guard about threats that can make them and their companies big targets," he says. "Employees should know of and know how to avoid phishing attacks and social-engineering attacks. They should also be able to recognize emails that may contain viruses and avoid clicking links."

In order to properly spot those threats, formalized security awareness training is key.

"Many businesses don't provide their employees with the knowledge to win when it comes to security. All employees, from IT staff to interns, should be trained on physical and information security," says Carey. "We should practice security incidents like fire drills; everyone should know what do when a security incident occurs."

Next page: Outsourcing and its limitations. 10. Assuming They Can Outsource Security Responsibility
Often times SMBs rely on outsourced IT providers to take care of all of their technical concerns. But Landoll says that smaller businesses need to understand that while you can outsource the IT duties around securing data, they can't abrogate the responsibility of protecting that data.

"You're still responsible when things go wrong," he says. "It is an important thing for small companies to think about because many of them have been using a small-town IT provider that may not have knowledge in their industry or of the regulations those businesses are under. You've got to find someone who is right for your business. Start asking more questions of them. If you ask them how they would secure a firewall that is PCI-compliant and they don't have a quick answer, it is time to make more calls. There still are people in your area who have that expertise -- you just have to look for them and reward that knowledge with your business."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights