Dark Reading is part of the Informa Tech Division of Informa PLC


Lack Of Security Focus Puts SMBs In Harm's Way

Small and midsize businesses can be easier to secure than larger enterprises, but few have traditionally made the effort

Demolition firm Ferma nearly failed because its employees lacked a proper security policy.

In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide.

"They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time.

Ferma did not go out of business, but many small companies have as a result of a hack. The consequences of an attack should make small and midsize businesses (SMBs) sit up and take notice, says Bernard Laroche, senior director of SMB product marketing for security giant Symantec.

"If a small business gets their data stolen, whether customer credit cards or their patient records, then they might ... have to close, where a large enterprise could move on," he says.

While the prognosis seems grim, security experts agree that SMBs can be much more secure than large enterprises if they focus resources on security.

"Small businesses have the opportunity to be a lot more protected," says Robert Richardson, director of the Computer Security Institute, "because they have an opportunity to be a lot more uniform in how they implement policy."

For companies ready for the next step, security experts recommend four broad initiatives: define information-security policies and educate users, protect critical and sensitive data, lock down infrastructure, such as e-mail servers and networks, and manage systems on a regular basis.

"The opportunity to do a better job is there for small businesses," Richardson says. "For a large organization, it takes a much bigger step to get a handle on their cyber assets and lock down their systems."

However, SMBs have historically not given security much thought. The SMB services group at office supply chain Staples, for example, has never run into an employee dedicated to -- or even primarily focused on -- security, says Jim Lippie, vice president of Staples Network Services, which focuses on companies with between 10 and 250 employees.

"Everyone talks about the need for security, but no one really dedicates a lot of resources to it," Lippie says.

SMBs fail to tackle their information security problems for three main reasons, he says: Employees do not have the necessary skills, company managers are focused on day-to-day operations, and they fail to budget enough for information security. A survey sponsored by McAfee, for example, found that three-quarters of SMBs spend five or fewer hours per week on security, and one-quarter of SMBs spend an hour or less.

With budgets so slim, organizing security in an SMB is difficult, says Eugene Schultz, CTO of consultancy Emagine Security.

"I was a CIO for a software company with 45 people, and I did not have a budget for security," he says. "Every bit of money for security, I had to fight for."

For Ferma, a security policy that forbade surfing on computers used for accounting, or that resulted in stronger security for such computers, would likely have stopped the attack cold.

Despite that, many SMBs believe they would not be attacked. Slightly more than half of all companies surveyed in the McAfee report did not think they were "well known" enough to be attacked. About 44 percent of all North American SMBs argued that cybercrime is more of an issue for large enterprises.

Yet even large enterprises are finding new threats tough to beat. While the majority of information-security staff thinks current policies are adequate to deal with targeted attacks, which focus on firms with valuable information, only about one-third state that their security technologies are adequate, and one-quarter believe their security personnel are up to the task of dealing with advanced threats, according to a study released this week by the Ponemon Institute and security firm NetWitness.

Perhaps the businesses most at risk are those that bridge the gap: the SMBs that supply technologies or services to large companies. Cybercriminals tend to look at such companies as a back door into the network of the large corporations they have targeted.

"For the attackers, the suppliers tend to be much softer targets," says Gunter Ollmann, vice president of research for security firm Damballa.

The good news is that most SMBs understand the damage an online attacker could do to their businesses. More than one out of every five SMBs thought an attack could put them out of business, according to McAfee's survey. Midsize businesses -- up to 1,000 employees -- were even more pessimistic about their chances: Nearly 29 percent agreed that an attack could put them out of business.

"Their awareness is up, that's clear, but the number of threats are up as well," says Alex Thurber, senior vice president of worldwide channels and midmarket for McAfee. "I wouldn't in any way declare a victory yet, but I think we are definitely getting there on awareness."

The cost of an attack typically varies by the size of the company. Downtime for small companies due to security incidents costs more than $30,000, or about 0.4 percent of revenue per year, according to a report released by Infonetics Research in 2008. Midsize companies faced $225,000 in downtime costs, while large enterprises' losses surpassed $30 million annually, on average.
