The email came from "Ivan" in Russia: "After a few minutes I'll start a DDoS attack on your site, and it will cease to work," the message said. "If you don't want to lose any profit, you pay me only $3,500."
Endless Wardrobe, the Australian online clothing retailer under attack, refused to pay. As threatened, the site was flooded with bogus information requests, overwhelmed, and down for a week. Endless Wardrobe worked with its hosting provider to blunt the attack, but the defenses erected by the provider also blocked many legitimate customers.
The retailer, with three full-time employees and three part-timers, lost customers and at least a few thousand dollars in business, says general manager Andrew Burman.
"Before the attack I had no idea we would be a target," Burman says. "I had heard about cyber attacks before but never thought it could happen to a small business. I thought they normally target large businesses, online gambling types, as they have the money to pay them off."
Most small and medium businesses don't believe online criminals will target them, and it's true that most never will be a victim of an extortion threat as Endless Wardrobe was. But they can't count on their smaller size keeping them out of harm's way. In 26,000 targeted attacks Symantec documented last year, half were on businesses with fewer than 2,500 employees and 18% on businesses with fewer than 250 employees. From denial-of-service attacks that take down websites to Trojans that empty bank accounts, there are a multitude of attacks that most SMBs don't know about and aren't prepared for.
It's not just the e-commerce giants like Amazon.com that are being attacked, but companies with a few hundred employees or less, says Matthew Prince, CEO of Web security firm CloudFlare. CloudFlare specializes in stopping attacks like the one on Endless Wardrobe, but it also became the target of a different type of attack in mid-May. Hackers gained access to the password-recovery mechanism for the 36-employee company's Google-hosted email, giving the criminals access to sensitive data about CloudFlare's systems and customers. The crooks' end goal: Use email access to gain control of customers accounts. The criminals nearly succeeded.
The attackers involved are "really good at taking over control of email," Prince says.
These attacks are part of the brave, new world of small business. The same technologies that let small businesses operate online efficiently and do more for less money also open them up to attacks.
Nearly 90% of small and midsize businesses bank online, making accounting and finance easier, but also opening their accounts to attack. And SMBs are increasingly letting employees bring their own mobile devices on to company networks. About 40% of managers worry about the risk that this practice creates for information security, according to the Sophos 2012 Network Security Survey of more than 570 global IT decision-makers.
"Small businesses are more prone to attack because they have less resources to maintain their defenses," says Gavin Struthers, senior VP of worldwide channel operations at security company McAfee. "Many of them are online and mobile-connected, and if they lose those benefits, then they lose their business."
With limited resources to deal with security, SMBs often ignore potential threats. The best defense is to be aware of the threats and create security policies to deal with them. Here are ways to defend against 10 of the most serious--but too often ignored--dangers.
Download the InformationWeek SMB September special issue on cybersecurity