Dark Reading is part of the Informa Tech Division of Informa PLC
6/30/2010
01:27 PM

Lack Of Security Focus Puts SMBs In Harm's Way

Small and midsize businesses can be easier to secure than larger enterprises, but few have traditionally made the effort

Demolition firm Ferma nearly failed because its employees lacked a proper security policy.

In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide.

"They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time.

Ferma did not go out of business, but many small companies have as a result of a hack. The consequences of an attack should make small and midsize businesses (SMBs) sit up and notice, says Bernard Laroche, senior director of SMB product marketing for security giant Symantec.

"If a small business gets their data stolen, whether customer credit cards or their patient records, then they might ... have to close, where a large enterprise could move on," he says.

While the prognosis seems grim, security experts agree that SMBs can be much more secure than large enterprises if they focus resources on security.

"Small businesses have the opportunity to be a lot more protected," says Robert Richardson, director of the Computer Security Institute, "because they have an opportunity to be a lot more uniform in how they implement policy."

For companies ready for the next step, security experts recommend four broad initiatives: define information-security policies and educate users; protect critical and sensitive data; lock down infrastructure, such as e-mail servers and networks; and manage systems on a regular basis.

"The opportunity to do a better job is there for small businesses," Richardson says. "For a large organization, it takes a much bigger step to get a handle on their cyber assets and lock down their systems."

However, SMBs have historically not given security much thought. The SMB services group of office-supply chain Staples, for example, has never run into an employee dedicated to -- or even primarily focused on -- security, says Jim Lippie, vice president of Staples Network Services, which focuses on companies with between 10 and 250 employees.

"Everyone talks about the need for security, but no one really dedicates a lot of resources to it," Lippie says.

SMBs fail to tackle their information security problems for three main reasons, he says: Employees do not have the necessary skills, company managers are focused on day-to-day operations, and they fail to budget enough for information security. A survey sponsored by McAfee, for example, found that three-quarters of SMBs spend five or fewer hours per week on security, and one-quarter of SMBs spend an hour or less.

With budgets so slim, organizing security in an SMB is difficult, says Eugene Schultz, CTO of consultancy Emagine Security.

"I was a CIO for a software company with 45 people, and I did not have a budget for security," he says. "Every bit of money for security, I had to fight for."

For Ferma, a security policy that forbade Web surfing on computers used for accounting, or that required stronger protections for such computers, would likely have stopped the attack cold.
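One way to express that policy as an enforceable control, as an added example that is not from the article or from Ferma: tag accounting workstations by role and allow them to reach only an allowlist of finance destinations, denying everything else. Host names, roles, domains and the proxy-log lines are all constructed for illustration.

```python
"""Egress policy check for role-tagged workstations (added example).

Models the control the article says would have stopped the Ferma incident:
accounting machines stay off the open Web. Every host, role, domain and
log line below is a constructed illustration, not data from the article.
"""
from urllib.parse import urlsplit

# Hypothetical inventory: which hosts carry the restricted "accounting" role.
HOST_ROLES = {"acct-pc-01": "accounting", "acct-pc-02": "accounting",
              "sales-pc-07": "general"}

# Hypothetical allowlist: the only destinations an accounting host may reach.
ACCOUNTING_ALLOW = {"bank.example", "payroll.example"}


def decide(host: str, url: str) -> str:
    """Return 'allow' or 'deny' for one outbound Web request."""
    role = HOST_ROLES.get(host, "general")
    if role != "accounting":
        return "allow"              # general hosts keep unrestricted browsing
    dest = urlsplit(url).hostname or ""
    # Match the allowlisted domain itself or any subdomain of it, never a
    # lookalike such as evilbank.example.
    ok = any(dest == d or dest.endswith("." + d) for d in ACCOUNTING_ALLOW)
    return "allow" if ok else "deny"


def review_log(lines):
    """Apply the policy to proxy-log lines of the form '<host> <url>' and
    return (decisions, denied_hosts) so blocked attempts can be followed up."""
    decisions, denied = [], set()
    for line in lines:
        host, url = line.split(maxsplit=1)
        verdict = decide(host, url)
        decisions.append((host, url, verdict))
        if verdict == "deny":
            denied.add(host)
    return decisions, denied


# Constructed sample: the middle line mirrors the article's scenario, an
# accounting machine following an e-mail link to an unknown site.
SAMPLE_LOG = [
    "acct-pc-01 https://bank.example/login",
    "acct-pc-02 http://promo.invalid/offer?id=42",
    "sales-pc-07 http://promo.invalid/offer?id=42",
]

if __name__ == "__main__":
    for host, url, verdict in review_log(SAMPLE_LOG)[0]:
        print(f"{verdict:5} {host} -> {url}")
```

The denied-host set is the follow-up list: a blocked request from an accounting machine is exactly the event worth investigating rather than silently dropping.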

Despite that, many SMBs believe they would not be attacked. Slightly more than half of all companies surveyed in the McAfee report did not think they were "well known" enough to be attacked. About 44 percent of all North American SMBs argued that cybercrime is more of an issue for large enterprises.

Yet even large enterprises are finding new threats tough to beat. While the majority of information-security staff thinks current policies are adequate to deal with targeted attacks, which focus on firms with valuable information, only about one-third state that their security technologies are adequate, and one-quarter believe their security personnel are up to the task of dealing with advanced threats, according to a study released this week by the Ponemon Institute and security firm NetWitness.

Perhaps the businesses most at risk are those that bridge the gap: the SMBs that supply technologies or services to large companies. Cybercriminals tend to look at such companies as a back door into the network of the large corporations they have targeted.

"For the attackers, the suppliers tend to be much softer targets," says Gunter Ollmann, vice president of research for security firm Damballa.

The good news is that most SMBs understand the damage an online attacker could do to their businesses. More than one out of every five SMBs thought an attack could put them out of business, according to McAfee's survey. Midsize businesses -- up to 1,000 employees -- were even more pessimistic about their chances: Nearly 29 percent agreed that an attack could put them out of business.

"Their awareness is up, that's clear, but the number of threats is up as well," says Alex Thurber, senior vice president of worldwide channels and midmarket for McAfee. "I wouldn't in any way declare a victory yet, but I think we are definitely getting there on awareness."

The cost of an attack typically varies by the size of the company. Downtime for small companies due to security incidents costs more than $30,000, or about 0.4 percent of revenue per year, according to a report released by Infonetics Research in 2008. Midsize companies faced $225,000 in downtime costs, while large enterprises' losses surpassed $30 million annually, on average.
