The following is an excerpt from Cybercrime and Business: Strategies for Global Corporate Security by author Sanford L. Moskowitz and published by Syngress. This section from chapter three explores cybercrime in small- to medium-sized businesses.
The SME is especially susceptible to cyberattacks for many reasons. But, as Symantec's Executive Vice President Brian Burch tells us, possibly the most important of these is that such firms are very young and relatively poor -- they have not had the chance to build up cash reserves to purchase the defense needed to ward off the more persistent and clever hackers.
We can certainly identify certain ways in which large firms have the advantage over SMEs. Most importantly, they generally have the resources to put into place a security system that is comprehensive and centralized. They often integrate network devices and equipment into one coherent system that makes it possible to rapidly identify and act upon immediate and unanticipated attacks. In contrast, SMEs, without the same level of resources at their disposal, cannot imbed this level of comprehensiveness into their network security. The prevalence of employees who work from home, which tends to be more of an issue with SMEs than with the more tightly structured larger corporation, exacerbates the problem by creating far-flung work centers that are more difficult to link into a tight, unified system. These semi-independent centers are even less secured than the computers that are on the SME's physical site and so offer cybercriminals even more points of entry into the company's network. These electronic devices used freely by employees are linked in numerous ways with the company's computer system, which greatly adds to the danger that a cybercriminal could find his or her way into a company's most sensitive records and accounts from the most innocent of entry points. In one recent case, employees in the back office of a small firm downloaded a pirated video game that happened to have malware attached to it. Since they were using an office computer as the video game console, the malware entered into the business's most vital records, wreaking havoc on the company's accounts and on its long-term reputation with clients. In a similar way, in small companies, the Point of Sale (POS) system is often run on the same computer that is used to check company email. In such situations, employees clicking a malicious link or opening an infected attachment on that computer can give the hacker access to all customer information stored on that POS.
But restricted cash supply and an informal and decentralized organizational structure are just the tip of the iceberg of potential troubles facing the unsuspecting SME. Many of these firms specialize in one product or service and have a limited pool of clients. They do not have the luxury of multiple revenue streams from different businesses. If a cyberattack destroys -- or temporarily cripples -- their one source of revenue, they face the unhappy prospect of having to shut down their entire operation. In these cases, SMEs conduct business "on a knife edge" and without the comfort of a safety net to cushion the fall.
The SME not only contends with more sophisticated hackers but also with a digital world that is more difficult to manage. Since 2000, the amount of data that flows over the Internet has grown at a staggeringly fast rate. The rapid transition from a cash to a "cashless" society is, by some accounts, one of the major reasons for the flood of data that has plagued businesses. The SME simply cannot upgrade its computer capability to keep up with a world increasingly awash in digital information, and so it struggles to find ways to keep this data out of the hands of cyber thieves. As SMEs are slow to adapt to this new reality and have gaping holes throughout their systems, hackers find them easy prey.
Of course, the very fragility of SMEs makes them extremely tempting target sites. Since larger companies are increasingly "upping their ante against cybercrime" and spending their money on the best security they can get their hands on, this leaves SMEs that much more exposed. With the big organizations now less attractive due to their heightened defenses, cybercriminals have often had no choice but to go after the smaller fish, hoping to obtain useful data that might have strategic value or that they could sell on the black market.
Another dangerous situation that makes the SME the likely victim of hackers is the increasingly automated nature of cyberattacks. The weak defenses put up by SMEs make the mass-attack model practiced by hackers that much more devastating. They can attempt to infiltrate a large number of SMEs in a relatively short time. Hackers may not then actually be targeting any one firm in particular, but "trying the locks" of many businesses to see which ones they can easily penetrate. Since the more secure defenses of a larger company will deter would-be hackers, they then opt for the far more vulnerable -- and less troublesome -- SMEs.
It is not difficult to imagine how vulnerable such SMEs are in the face of large-scale hacking attacks which, rather than target a specific company, scan a wide range of firms with the aim of locating and going after any vulnerable spots they can find, and siphoning off as much information as possible. No SME, with its many vulnerabilities, is safe under such indiscriminate assaults. And the greater speeds of computers -- as microchips become smaller and more powerful -- mean that hackers can easily make many more hacking attempts in any day than they could just a few years ago. Not only can cybercriminals make assaults on many more targets than before but, once they do locate a victim, they find their way into its system and extract what they need much faster than ever before, often before the SME, with its slower response time, even knows that it has been infiltrated.
Resource troubles, digital overload, narrow product range, computer speeds, and technical limitations are not the only causes of problems for SMEs. The simple fact that many of these firms are less well known compared to the bigger companies also works against them. Because so many of these enterprises are unpromoted to the point of near anonymity, hackers can attack without significant publicity -- certainly less than if they were to directly hit a much larger corporation. This secrecy has its own rewards for the cybercriminal mind, not least of which is the ability of the perpetrator to hack into the firm's computers without being detected for long periods of time, all the while collecting and siphoning off economically useful data and information. In addition, since so many of these smaller companies are vendors to larger corporations (as will be discussed further in the next chapter), attacking them offers the enticing prospect for hackers to find their way past the forbidding fortifications put up by corporate IT by penetrating into the vendors' networks and, from there, moving surreptitiously into the larger corporate computer system. The logic here of course "…is that often, when going after manufacturing companies in the supply chain, hackers gain access to sensitive information of much larger companies".
It is not a little ironic that the one attribute the SME appears to have that makes it highly competitive is also the one that attracts cybercriminals and thus exposes the SME to serious danger. The high degree of innovativeness enjoyed by this sector is the very same factor that entices hackers to go after these firms. A recent case shows how years of investment in proprietary research can be destroyed as a foreign competitor obtains the essential information by stealth. The company in question is a relatively small outfit that made an important component for an environmentally friendly product manufactured by a larger original equipment manufacturer. The criminals, who "maintained a close year-long presence in the company," were able to steal "every engineering diagram, every piece of test data, even the marketing material for the product." As a result of their successful efforts, the attackers were able to recreate the component and nudge the SME, which had spent its own resources on R&D, out of the market. A few weeks later, the same assailants hit another SME that made the other component for that same green product.
Finally, we cannot underestimate the problems that a firm's own employees can cause because of their ignorance of how hackers work or simply not thinking before responding to electronic messages and prompts of various kinds. One of the main problems faced by SMEs is not spending time and money to vet potential employees -- who might skim credit cards, for example, or simply do something wrong unknowingly. This means that SMEs are particularly susceptible to social engineering scams, such as fooling employees with seemingly legitimate emails that instruct them to transfer money from the business to the hackers' account.
In going after SMEs, hackers secure specific and very effective tools to infiltrate the smaller companies. The so-called "ransomware" schemes lock computers and then email a demand for a ransom fee that needs to be paid before the attackers will release the computer system. The average SME, being a one-trick pony with all its revenue coming from one type of product or service, is particularly vulnerable to this type of attack; if the firm does not surrender to the terms of the hacker, the entire company's ability to function is severely jeopardized. In addition to ransomware, "malicious software" also effectively achieves its goal of stealing information from mobile devices operated by SME employees. The smaller operation is at a greater disadvantage than is the larger company for two reasons: the pervasiveness in the use of mobile technology, and the lack of resources and time to closely monitor and secure these devices from outside attack.
3.2.1 Indirect Costs to SMEs
The direct cost of a cyberattack against any firm, SME or otherwise, is usually easy to pinpoint, namely the loss of cash, computer downtime, and tarnishing of reputation. But there are indirect consequences as well and these may exceed -- and significantly so -- even the more obvious initial damages. The SME faces its own particular and often highly damaging set of indirect costs. There are a number of less obvious consequences of cybercrime that seriously threaten SMEs' ability to compete. One of the most important is their increasing caution about trading online. While their reticence is understandable, avoiding the Internet means that they miss out on an extremely important source of revenue and so lose a great deal of business over the long term. In such cases, the SME is not the only victim. SMEs' fear of engaging in cyber business also damages the economy overall, given the very large role that such companies play in the commercial life of the nation.
Potentially even more harmful is the exposure that SMEs face when their data and information are compromised by cyberattacks. In a type of "blame-the-victim" scenario, SMEs compromised by clever hackers face legal and regulatory punishment for being targets, especially when it comes to the invasion of financial accounts. Simply put, the laws that protect commercial banks are not as rigorous as those that exist for personal accounts. This means that banks are not always obligated to reimburse businesses when hackers successfully siphon off money from SMEs' bank accounts. This is especially true when the bank can show that its security systems accord with federal guidelines while those of the victimized business did not. In 2009, for example, hackers stole nearly $600,000 from the bank account of Patco Construction, a small firm located in Sanford, Maine. Not having a particularly sophisticated cybersecurity system in place, the company could not initially convince the bank to cover the loss. (Patco eventually did get its money back from the bank, but only after spending much time and money going after it in court.) There are also additional and burdensome costs associated with money that has to be paid outright by victim SMEs to federal and state agencies. For example, the Federal Trade Commission (FTC) investigates and brings enforcement actions against companies it believes have ineffective security practices dealing with customer information. Significant costs come into play in defending such investigations. At the state level, the victimized SME is responsible for the cost in notifying customers who, in turn, can assert their own civil claims against the SME. Companies, for example, not compliant with Payment Card Industry (PCI) standards can be liable to substantial penalties and fines in case of credit card breach, and card associations could ban a company altogether from accepting cards -- clearly a very severe blow to a retail SME.
About the author:
Sanford Moskowitz is Chair of the Global Business Leadership Department at St. John’s University/College of St. Benedict in Minnesota. He is also the author of The Advanced Materials Revolution: Technology and Economic Growth in the Age of Globalization, and The Digital Revolution: An Encyclopedia of the People, Organizations, Places, and Issues Behind the Great Technological Innovations of the Information Age. Dr. Moskowitz serves as an expert witness in corporate digital security cases involving intellectual property theft and copyright piracy.