Perimeter

9/27/2010 11:08 AM

Five Main Causes Of SMB Security Incidents

Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.

Here are the five primary causes that were repeated in the vast majority of reports from small businesses (in order of most offenses to fewest):

1. Improper destruction of confidential data. Small and large organizations alike are subject to employees dumping files that should have been shredded. Report after report demonstrated specific cases of confidential data -- customer records, bank account info, medical records, and employee files -- being disposed of improperly. As small businesses cleaned out files, changed personnel, moved offices, or went out of business, employees routinely dumped sensitive papers in public trash and recycling bins. In many cases, the boxes of juicy data were simply left out near a dumpster or back door, making them an easy target.

Many employees felt the information on the papers was dated and of no use, and therefore didn't need to be shredded. Others simply weren't aware of the need for proper disposal. The takeaway for SMBs: Have a detailed policy in place for data and record destruction and make sure EVERY employee is made aware of the policy and reminded of it constantly. You should also be aware of the breach laws in your area and understand the consequences and fines associated with every compromised record. The fines incurred for even a small stack of papers could be enough to put you out of business.

2. Database attacks on Web transactions. The majority of businesses these days conduct transactions online in one form or another, and SMBs are certainly no exception. I was surprised, though, to see the volume of incident reports that detailed cases of attackers collecting billing and customer information from online servers. In some instances, the attack was on the actual transaction component; in others, the attackers stole static data from servers, often ones inside the organization.

Many SMBs feel they're too small to be targeted, but the type of automated attacks these guys can launch is scary. They may not be after you specifically, but if you're vulnerable and you're on the Internet, they'll still find you. The takeaway here for SMBs: Put the same effort in protecting your digital assets as you would your physical ones. If you don't have the staff in-house to maintain, patch, and secure public-facing servers, then outsource to transfer risk.

3. Data theft from insider attacks. I giggled as I read the numerous stories of clerks, cashiers, and wait staff who compromised volumes of customer credit cards using skimmers, small physical devices that capture the card data for malicious intent. In each case, the culprit inside either used the card numbers for their own direct gain or sold the data to others.

Other insider attacks of a similar nature included theft and sale of customer data or company records in digital form. It's pretty easy for an employee to save, export, and carry these files out via email or removable media. I hate to use the phrase "data leak prevention," but often that's what's missing in smaller environments where employees usually are more familiar with one another and more trusted by the management. The takeaway for insider threat prevention: It's a tough fight to win, but a good start would be basic access protection around key resources, explicit policies, and employee awareness so they understand the consequences of malicious activity. We always say not to use FUD tactics in security, but when dealing with employees, I say "FUD away!"

4. Credit card transaction slips. If you're like me, you pay attention to your credit card slip and make sure they haven't printed the entire card number. I sure do. In fact, I scribble those things so hard with the pen I usually chew right through the paper. Yeah, no one's going to read THAT later. For everyone who defends, "Oh, PCI says you can't do that," well guess what -- they do. And apparently enough merchants are printing card numbers that even in the past year we can attribute a number of SMB security incidents to physical attacks on businesses in which the cash drawer and credit card receipts were taken.

The takeaway here is easy. If you're still printing full card numbers, then call your merchant services number and have them reprogram your credit card machines. If you're not printing full card numbers, but you have account numbers printed elsewhere (physically) in the organization, then make sure they are secured in a way that makes them a difficult target during a break-in at any location.
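The receipt advice above comes down to one rule: a PAN (the full card number) should never reach paper or a log file unmasked. Reprogramming the terminal fixes the slips; the following added example (written for this article, not the author's or any POS vendor's code) shows the two pieces you would want on your own side of the fence: a Luhn filter that tells card numbers apart from order or transaction numbers of similar length, and a masker that keeps only the last four digits. The sample receipt lines are constructed for the example and use the well-known Visa and Mastercard test PANs, not real card data.

```python
import re
from typing import List, Tuple

# Constructed sample receipt lines for this example (no real card data;
# the long numbers are industry-standard test PANs and made-up order numbers).
SAMPLE_RECEIPT = [
    "ACME HARDWARE          09/27/2010 11:08",
    "VISA  ************1234      APPROVED",      # already masked: fine
    "MC    5105105105105100      AUTH 48213",    # full PAN printed: finding
    "VISA  4111 1111 1111 1111   APPROVED",      # full PAN with spacing: finding
    "ORDER 12345678901234        TOTAL 42.17",   # long number, but not a PAN
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the last four digits remain.

    PCI DSS allows at most the first six and last four digits on a customer
    receipt; this example keeps only the last four, which is what most terminals print.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-sized digit string")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan text lines (receipt templates, POS logs, exports) for Luhn-valid PAN-sized runs.

    Returns (line number, normalized digits) for each hit, 1-based line numbers.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):          # drops order/transaction numbers
                findings.append((lineno, digits))
    return findings


def redact_lines(lines: List[str]) -> List[str]:
    """Return a copy of the lines with every Luhn-valid PAN candidate masked."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return [PAN_CANDIDATE.sub(_sub, line) for line in lines]


if __name__ == "__main__":
    for lineno, pan in find_unmasked_pans(SAMPLE_RECEIPT):
        print(f"line {lineno}: unmasked PAN ending {pan[-4:]}")
    for line in redact_lines(SAMPLE_RECEIPT):
        print(line)
```

Run `find_unmasked_pans` over a receipt template or a day's POS log before you sign off on a terminal reprogramming, and again afterwards to confirm the change took. The Luhn check is what keeps the scan quiet on the 14-digit order number while still flagging both card numbers, including the one printed with spaces.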

5. Malware on endpoints. Ah, the one that never goes away. That nasty malware thing rounds out my top five. The effects of malware in your small business can be multifaceted. Many of them turn your systems into zombies in the background, draining processing and resources. Others do silly things like send out emails and attach random files. I've seen this firsthand numerous times and my most recent research shows malware is still no stranger on the incident reports. The takeaways: Be sure you're using an enterprise-class endpoint security solution. This is usually your antivirus with some steroids and a nice central management system you can use to push out updates, monitor activity, and ensure compliance. The second takeaway often gets overlooked -- what I call the dirty dishrags of the network -- laptops and the remote and mobile devices that don't live in the office, or are employee-owned and not considered managed endpoints. Make sure there's a policy in place for these and some means of enforcing protection or watching for malicious activity.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations.
