Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.

Jennifer Jabbusch, VP of Engineering and consulting CISO at Carolina Advanced Digital

September 27, 2010

5 Min Read

Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.Here are the five primary causes that were repeated in the vast majority of reports from small businesses (in order of most offenses to fewest):

1. Improper destruction of confidential data. Small and large organizations alike are subject to employees dumping files that should have been shredded. Report after report demonstrated specific cases of confidential data -- customer records, bank account info, medical records, and employee files -- being disposed improperly. As small businesses cleaned out files, changed personnel, moved offices, or went out of business, employees routinely dumped sensitive papers in public trash and recycling bins. In many cases, the boxes of juicy data were simply left out near a dumpster or back door, making them an easy target.

Many employees felt the information on the papers was dated and of no use, so therefore it didn't need to be shredded. Others simply weren't aware of the need for proper disposal. The takeaway for SMBs: Have a detailed policy in place for data and record destruction and make sure EVERY employee is made aware of the policy and reminded of it constantly. You should also be aware of the breach laws in your area and understand the consequences and fines associated with every compromised record. The fines incurred for even a small stack of papers could be enough to put you out of business.

2. Database attacks on Web transactions. The majority of businesses these days conduct transactions online in one form or another, and SMBs are certainly no exception. I was surprised, though, to see the volume of incident reports that detailed cases of attackers collecting billing and customer information from online servers. In some instances, the attack was on the actual transaction component, and in others they stole static data from servers often inside the organization.

Many SMBs feel they're too small to be targeted, but the type of automated attacks these guys can launch is scary. They may not be after you specifically, but if you're vulnerable and you're on the Internet, they'll still find you. The takeaway here for SMBs: Put the same effort in protecting your digital assets as you would your physical ones. If you don't have the staff in-house to maintain, patch, and secure public-facing servers, then outsource to transfer risk.

3. Data theft from insider attacks. I giggled as I read the numerous stories of clerks, cashiers, and wait staff who compromised volumes of customer credit cards using skimmers, small physical devices that capture the card data for malicious intent. In each case, the culprit inside either used the card numbers for their own direct gain or sold the data to others.

Other insider attacks of similar nature included theft and sale of customer data or company records in digital form. It's pretty easy for an employee to save, export, and transport via email or removable media these types of files. I hate to use the phrase "data leak prevention," but often that's what's missing in smaller environments where employees usually are more familiar with one another and more trusted by the management. The takeaway for insider threat prevention: It's a tough fight to win, but a good start would be basic access protection around key resources, explicit policies, and employee awareness so they understand the consequences of malicious activity. We always say not to use FUD tactics in security, but when dealing with employees, I say "FUD away!"

4. Credit card transaction slips. If you're like me, you pay attention to your credit card slip and make sure they haven't printed the entire card number. I sure do. In fact, I scribble those things so hard with the pen I usually chew right through the paper. Yeah, no one's going to read THAT later. For everyone who defends, "Oh, PCI says you can't do that," well guess what -- they do. And apparently enough merchants are printing card numbers that even in the past year we can attribute a number of SMB security incidents to physical attacks on businesses in which the cash drawer and credit card receipts were taken.

The takeaway here is easy. If you're still printing full card numbers, then call your merchant services number and have them reprogram your credit card machines. If you're not printing full card numbers, but you have account numbers printed elsewhere (physically) in the organization, then make sure they are secured in a way that makes them a difficult target during a break-in at any location.

5. Malware on endpoints. Ah, the one that never goes away. That nasty malware thing rounds out my top five. The effects of malware in your small business can be multifaceted. Many of them turn your systems to zombies in the background, draining processing and resources. Others do silly things like send out emails and attach random files. I've seen this firsthand numerous times and my most recent research shows malware is still no stranger on the incident reports. The takeaways: Be sure you're using an enterprise-class endpoint security solution. This is usually your antivirus with some steroids and a nice central management system you can use to push out updates, monitor activity, and ensure compliance. The second take-away often gets overlooked -- what I call the dirty dishrags of the networks -- laptops, remote and mobile devices that don't live in the office, or are employee-owned and not considered managed endpoints. Make sure there's a policy in place for these and some means of enforcing protection or watching for malicious activity.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere.

About the Author(s)

Jennifer Jabbusch

VP of Engineering and consulting CISO at Carolina Advanced Digital

Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting.

Vincent is a recognized expert, having presented at Black Hat and Microsoft BlueHat. He is regularly cited by the press, and has been interviewed by media outlets like Al Jazeera and NPR. Vincent has also co authored seven books including several industry best-sellers, such as: Hacking Exposed Wireless 1st and 2nd Edition; Hacking Exposed Web Applications 3rd Edition, and most recently Web Application Security: A Beginner's Guide. He serves as returning faculty at the Practicising Law Institute, and sits on the advisory boards for the University of Advancing Technology and the cyber security accelerator, Mod N Labs.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights