Hello! I’m talking to you! Yes, you, the IT director or network manager at your average SMB. I have a message and hopefully you listen loud and clear: There are no weeds tall enough in which you can hide.
There it is; said it.
Your company’s relatively small size, which for so long led you to believe that you A) were not in the crosshairs of hackers and B) processed and stored nothing of value that would interest a criminal operating on the Internet, is in fact just what the bad guys are pining for. They love small fish. They get a twinkle in their eye because they know you’re busy, under-staffed and barely have a network firewall configured properly, much less an incident response plan.
Now we’re not talking Mom and Pop stores here. We’re talking, for example, franchises in a large restaurant chain left on their own to manage IT. Care to guess where IT security falls on the list of priorities for those franchises? We’re talking about relatively small operations, Level 3 and 4 PCI merchants for example, processing credit card transactions on wonky point-of-sale systems. There’s also probably a vulnerable PC connected to the Internet running server software somewhere on-premises. And there’s probably some RealVNC or other remote access management interface on that vulnerable PC that some consultant or centralized techie can use to check in every six months to make sure things are running A-OK.
So many points of entry, and so much free time for online criminals to sit there, watch and collect the goods. SMBs are a huge sitting duck for cybercrooks, and I think the lack of SMB security has been the dirty secret of the information security industry for a long time. We’re just as guilty of focusing on splashy attacks such as RSA, HB Gary, the VA, Heartland, TJX and others of their ilk. And for good reason; there are lessons to be learned from each of these incidents against huge enterprises, some with boundless resources. They make simple mistakes we can all learn from. These incidents also cast a bright light on the importance of data security and do a neat job of grabbing the attention of law enforcement and legislators.
But while we’ll get an RSA-style attack or two a year, there are thousands of low-volume attacks against SMBs every year. And most of these go unnoticed, unreported and untamed. That’s too bad.
The most recent edition of the Verizon Data Breach Investigations Report (DBIR), however, does a good job of starting to reverse that trend. The report’s biggest takeaway: cybercriminals prefer smaller, easier targets. For a number of good reasons, too; smaller organizations have few, if any, dedicated information security resources. Investments in security technology are minimal and awareness may be relatively low. IT, and especially IT security, is not the core competency of your local favorite watering hole; selling beer is their job.
The Verizon DBIR looks at 2010 breaches handled by Verizon’s investigators. They conclude that while the number of breaches is way up, the number of records stolen in those breaches is way down. Why? There are a host of theories, starting with some high-profile arrests that may have taken down some of the top underground operators, leading to a slowdown in activity. Also, there have been hundreds of millions of credit card numbers compromised in the last half-decade, which has certainly devalued this data underground; cybercriminals could be looking for new revenue streams (intellectual property, anyone?). Just as likely is a preference to hit smaller, softer targets. The report says these targets “provide them with a lesser yet steady stream of compromised data.” The industries hardest hit are retail and hospitality.
From the report: “Criminals may be making a classic risk vs. reward decision and opting to ‘play it safe’ in light of recent arrests and prosecutions following large-scale intrusions into financial services firms. Numerous smaller strikes on hotels, restaurants and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option.”
Online crooks have a soft spot for you SMBs, they really do. You’re just as likely to fall victim to custom malware as a Fortune 1000 company (the DBIR theorizes that the cost of malware customization services is likely to be low). You also take a long time to discover and remediate breaches. You mistakenly assume your POS vendor, for example, would take action in a breach, and by the time you realize it’s all on you, the horse—and all your credit card data—has left the barn. Take the time to read the DBIR. And then take the time to come out from hiding in those weeds.
Michael S. Mimoso is editorial director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.