Dark Reading is part of the Informa Tech Division of Informa PLC



6/30/2010
01:27 PM

Lack Of Security Focus Puts SMBs In Harm's Way

Small and midsize businesses can be easier to secure than larger enterprises, but few have traditionally made the effort

Demolition firm Ferma nearly failed because its employees lacked a proper security policy.

In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide.

"They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time.

Ferma did not go out of business, but many small companies have as a result of a hack. The consequences of an attack should make small and midsize businesses (SMBs) sit up and notice, says Bernard Laroche, senior director of SMB product marketing for security giant Symantec.

"If a small business gets their data stolen, whether customer credit cards or their patient records, then they might ... have to close, where a large enterprise could move on," he says.

While the prognosis seems grim, security experts agree that SMBs can be much more secure than large enterprises if they focus resources on security.

"Small businesses have the opportunity to be a lot more protected," says Robert Richardson, director of the Computer Security Institute, "because they have an opportunity to be a lot more uniform in how they implement policy."

For companies ready for the next step, security experts recommend four broad initiatives: define information-security policies and educate users, protect critical and sensitive data, lock down infrastructure, such as e-mail servers and networks, and manage systems on a regular basis.

"The opportunity to do a better job is there for small businesses," Richardson says. "For a large organization, it takes a much bigger step to get a handle on their cyber assets and lock down their systems."

However, SMBs have historically not given security much thought. The SMB services group at office-supply chain Staples, for example, has never run into an employee dedicated -- or even primarily focused -- on security, says Jim Lippie, vice president of Staples Network Services, which focuses on companies with between 10 and 250 employees.

"Everyone talks about the need for security, but no one really dedicates a lot of resources to it," Lippie says.

SMBs fail to tackle their information security problems for three main reasons, he says: Employees do not have the necessary skills, company managers are focused on day-to-day operations, and they fail to budget enough for information security. A survey sponsored by McAfee, for example, found that three-quarters of SMBs spend five or fewer hours per week on security, and one-quarter of SMBs spend an hour or less.

With budgets so slim, organizing security in an SMB is difficult, says Eugene Schultz, CTO of consultancy Emagine Security.

"I was a CIO for a software company with 45 people, and I did not have a budget for security," he says. "Every bit of money for security, I had to fight for."

For Ferma, a security policy that forbade Web surfing on computers used for accounting, or that mandated stronger security for such computers, would likely have stopped the attack cold.

Despite that, many SMBs believe they would not be attacked. Slightly more than half of all companies surveyed in the McAfee report did not think they were "well known" enough to be attacked. About 44 percent of all North American SMBs argued that cybercrime is more of an issue for large enterprises.

Yet even large enterprises are finding new threats tough to beat. While the majority of information-security staff thinks current policies are adequate to deal with targeted attacks, which focus on firms with valuable information, only about one-third state that their security technologies are adequate, and one-quarter believe their security personnel are up to the task of dealing with advanced threats, according to a study released this week by the Ponemon Institute and security firm NetWitness.

Perhaps the businesses most at risk are those that bridge the gap: the SMBs that supply technologies or services to large companies. Cybercriminals tend to look at such companies as a back door into the network of the large corporations they have targeted.

"For the attackers, the suppliers tend to be much softer targets," says Gunter Ollmann, vice president of research for security firm Damballa.

The good news is that most SMBs understand the damage an online attacker could do to their businesses. More than one out of every five SMBs thought an attack could put them out of business, according to McAfee's survey. Midsize businesses -- up to 1,000 employees -- were even more pessimistic about their chances: Nearly 29 percent agreed that an attack could put them out of business.

"Their awareness is up, that's clear, but the number of threats is up as well," says Alex Thurber, senior vice president of worldwide channels and midmarket for McAfee. "I wouldn't in any way declare a victory yet, but I think we are definitely getting there on awareness."

The cost of an attack typically varies by the size of the company. Downtime for small companies due to security incidents costs more than $30,000, or about 0.4 percent of revenue per year, according to a report released by Infonetics Research in 2008. Midsize companies faced $225,000 in downtime costs, while large enterprises' losses surpassed $30 million annually, on average.
