Dark Reading is part of the Informa Tech Division of Informa PLC


Small Business: Hackers' Low-Hanging Fruit

With few IT resources and even fewer security skills, mom-and-pop shops increasingly look like juicy targets for the bad guys

If you're an armed robber, which do you target: a major national bank, or your local liquor store? True, the rewards at the bank are potentially much greater -- but so are the risks. In the end, most robbers choose the local store, where they know the defenses are weakest.

In the world of cybercrime, a similar weighing of risks and benefits is taking place, experts say. And, according to a study published yesterday, many online attackers -- like their armed counterparts -- are increasingly drawn to the low barriers presented by the mom-and-pop shops.

According to a report published yesterday by Webroot Software, the vast majority of small businesses believe that online threats have become more serious in the past year. Yet more than 75 percent of companies with fewer than 1,000 computers have an IT staff of fewer than 10, and 61 percent say they have never sought information about how to protect employee or customer data.

"There's a lot of talk about initiatives like SOX and PCI in large companies and government organizations, but the reality is that a lot of small retailers still don't even know they are supposed to comply with PCI, much less how to do anything about it," says Mike Irwin, chief operating officer at Webroot. "The small business is a completely different environment than the Fortune 2000, which is where you see a lot of these security initiatives and products that are in the news."

Other researchers have also found that small businesses are absorbing an increasingly large portion of the cybercrime pie. In April, MessageLabs reported that small and medium-sized companies were suffering a disproportionate volume of spam. A study conducted last year by Visa USA revealed that many small retailers have a false sense of security while engaging in a number of questionable security practices. (See Spam Soars in 1Q, Small Businesses Under Fire and Small Businesses: Overconfident on Security.)

It's a simple question of resources, according to the Webroot study. Without IT skills and technology in place, many small businesses have taken wrong turns down the security path, leaving themselves open to attack. For example, although 96 percent of the survey respondents have an antivirus solution in place, more than 60 percent reported experiencing virus problems in the last year -- probably because the companies were not aware of the newer methods used to deliver them, Webroot says.

Similarly, in all six countries surveyed, SMBs reported viruses and worms as more of a threat than spyware. Yet many research statistics show that spyware threats increased last year, while viruses were on the decline.

And although most small businesses are aware of the growing insider threat, about half of them lack a policy to restrict or monitor employees' personal use of work computers, the study says.

The problem likely will not be resolved by education or increased staffing, Irwin says. "Your local dry cleaning store is not going to hire an IT security staffer," he states. "What's more likely is that a lot of these companies will begin to turn to third parties to give them the help and expertise they need."

IT service organizations such as Geek Squad, for example, are becoming "the de facto systems integrators for small businesses," Irwin observes. In other cases, SMBs are looking at multi-function software packages or managed security services to help close the gaps in their security knowledge, he notes.

Until then, it's likely that cyber criminals will find small businesses to be an increasingly attractive stomping ground, experts say. "There's a lot of upside in writing custom malware or distributing keyloggers to small, targeted sites that have almost no defenses," Irwin says. "Small businesses have customer information, employee information, pricing information -- and it's all valuable."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
