In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide.
"They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time.
Ferma did not go out of business, but many small companies have as a result of a hack. The consequences of an attack should make small and midsize businesses (SMBs) sit up and notice, says Bernard Laroche, senior director of SMB product marketing for security giant Symantec.
"If a small business gets their data stolen, whether customer credit cards or their patient records, then they might ... have to close, where a large enterprise could move on," he says.
While the prognosis seems grim, security experts agree that SMBs can be much more secure than large enterprises if they focus resources on security.
"Small businesses have the opportunity to be a lot more protected," says Robert Richardson, director of the Computer Security Institute, "because they have an opportunity to be a lot more uniform in how they implement policy."
For companies ready for the next step, security experts recommend four broad initiatives: define information-security policies and educate users, protect critical and sensitive data, lock down infrastructure, such as e-mail servers and networks, and manage systems on a regular basis.
"The opportunity to do a better job is there for small businesses," Richardson says. "For a large organization, it takes a much bigger step to get a handle on their cyber assets and lock down their systems."
However, SMB have historically not given security much thought. Staples office supply chain's SMB services group, for example, has never run into an employee dedicated -- or even primarily focused -- on security, says Jim Lippie, vice president of Staples Network Services, which focuses on companies with between 10 and 250 employees.
"Everyone talks about the need for security, but no one really dedicates a lot of resources to it," Lippie says.
SMBs fail to tackle their information security problems for three main reasons, he says: Employees do not have the necessary skills, company managers are focused on day-to-day operations, and they fail to budget enough for information security. A survey sponsored by McAfee, for example, found that three-quarters of SMBs spend five or fewer hours per week on security, and one-quarter of SMBs spend an hour or less.
With budgets so slim, organizing security in an SMB is difficult, says Eugene Schultz, CTO of consultancy Emagine Security.
"I was a CIO for a software company with 45 people, and I did not have a budget for security," he says. "Every bit of money for security, I had to fight for."
For Ferma, a security policy that forbid surfing on computers used for accounting or resulted in stronger security for such computers would likely have stopped the attack cold.
Despite that, many SMBs believe they would not be attacked. Slightly more than half of all companies surveyed in the McAfee report did not think they were "well known" enough to be attacked. About 44 percent of all North American SMBs argued that cybercrime is more of an issue for large enterprises.
Yet even large enterprises are finding new threats tough to beat. While the majority of information-security staff thinks current policies are adequate to deal with targeted attacks, which focus on firms with valuable information, only about one-third state that their security technologies are adequate, and one-quarter believe their security personnel are up to the task of dealing with advanced threats, according to a study released this week by the Ponemon Institute and security firm NetWitness.
Perhaps the businesses most at risk are those that bridge the gap: the SMBs that supply technologies or services to large companies. Cybercriminals tend to look at such companies as a back door into the network of the large corporations they have targeted.
"For the attackers, the suppliers tend to be much softer targets," says Gunter Ollmann, vice president of research for security firm Damballa.
The good news is that most SMBs understand the damage an online attacker could do to their businesses. More than one out of every five SMBs thought an attack could put them out of business, according to McAfee's survey. Midsize businesses -- up to 1,000 employees -- were even more pessimistic about their chances: Nearly 29 percent agreed that an attack could put them out of business.
"Their awareness is up, that's clear, but the number of threats are up as well," says Alex Thurber, senior vice president of worldwide channels and midmarket for McAfee. "I wouldn't in any way declare a victory yet, but I think we are definitely getting there on awareness."
The cost of an attack typically varies by the size of the company. Downtime for small companies due to security incidents costs more than $30,000, or about 0.4 percent of revenue per year, according to a report released by Infonetics Research in 2008. Midsize companies faced $225,000 in downtime costs, while large enterprises' losses surpassed $30 million annually, on average.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.