
Five Main Causes Of SMB Security Incidents

Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.

Sep 27, 2010 | 11:08 AM

By Jennifer Jabbusch
Dark Reading

Here are the five primary causes that were repeated in the vast majority of reports from small businesses (in order of most offenses to fewest):

1. Improper destruction of confidential data. Small and large organizations alike are subject to employees dumping files that should have been shredded. Report after report demonstrated specific cases of confidential data -- customer records, bank account info, medical records, and employee files -- being disposed of improperly. As small businesses cleaned out files, changed personnel, moved offices, or went out of business, employees routinely dumped sensitive papers in public trash and recycling bins. In many cases, the boxes of juicy data were simply left out near a dumpster or back door, making them an easy target.

Many employees felt the information on the papers was dated and of no use, so it didn't need to be shredded. Others simply weren't aware of the need for proper disposal. The takeaway for SMBs: Have a detailed policy in place for data and record destruction and make sure EVERY employee is made aware of the policy and reminded of it constantly. You should also be aware of the breach laws in your area and understand the consequences and fines associated with every compromised record. The fines incurred for even a small stack of papers could be enough to put you out of business.

2. Database attacks on Web transactions. The majority of businesses these days conduct transactions online in one form or another, and SMBs are certainly no exception. I was surprised, though, to see the volume of incident reports that detailed cases of attackers collecting billing and customer information from online servers. In some instances, the attack was on the actual transaction component; in others, the attackers stole static data from servers, often ones inside the organization.

Many SMBs feel they're too small to be targeted, but the type of automated attacks these guys can launch is scary. They may not be after you specifically, but if you're vulnerable and you're on the Internet, they'll still find you. The takeaway here for SMBs: Put the same effort in protecting your digital assets as you would your physical ones. If you don't have the staff in-house to maintain, patch, and secure public-facing servers, then outsource to transfer risk.

3. Data theft from insider attacks. I giggled as I read the numerous stories of clerks, cashiers, and wait staff who compromised volumes of customer credit cards using skimmers, small physical devices that capture the card data for malicious intent. In each case, the culprit inside either used the card numbers for their own direct gain or sold the data to others.

Other insider attacks of a similar nature included theft and sale of customer data or company records in digital form. It's pretty easy for an employee to save, export, and transport these types of files via email or removable media. I hate to use the phrase "data leak prevention," but often that's what's missing in smaller environments where employees usually are more familiar with one another and more trusted by the management. The takeaway for insider threat prevention: It's a tough fight to win, but a good start would be basic access protection around key resources, explicit policies, and employee awareness so they understand the consequences of malicious activity. We always say not to use FUD tactics in security, but when dealing with employees, I say "FUD away!"

4. Credit card transaction slips. If you're like me, you pay attention to your credit card slip and make sure they haven't printed the entire card number. I sure do. In fact, I scribble those things so hard with the pen I usually chew right through the paper. Yeah, no one's going to read THAT later. For everyone who defends, "Oh, PCI says you can't do that," well guess what -- they do. And apparently enough merchants are printing card numbers that even in the past year we can attribute a number of SMB security incidents to physical attacks on businesses in which the cash drawer and credit card receipts were taken.

The takeaway here is easy. If you're still printing full card numbers, then call your merchant services number and have them reprogram your credit card machines. If you're not printing full card numbers, but you have account numbers printed elsewhere (physically) in the organization, then make sure they are secured in a way that makes them a difficult target during a break-in at any location.

5. Malware on endpoints. Ah, the one that never goes away. That nasty malware thing rounds out my top five. The effects of malware in your small business can be multifaceted. Many of them turn your systems into zombies in the background, draining processing power and resources. Others do silly things like send out emails and attach random files. I've seen this firsthand numerous times, and my most recent research shows malware is still no stranger on the incident reports. The takeaways: Be sure you're using an enterprise-class endpoint security solution. This is usually your antivirus with some steroids and a nice central management system you can use to push out updates, monitor activity, and ensure compliance. The second takeaway often gets overlooked -- what I call the dirty dishrags of the network -- laptops, remote and mobile devices that don't live in the office, or are employee-owned and not considered managed endpoints. Make sure there's a policy in place for these and some means of enforcing protection or watching for malicious activity.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere.


