Small businesses are under attack. That's the clear takeaway from the 2013 Symantec Internet Security Threat Report.
Released this week, the report offers analysis on the past year of Internet information security threats, and is based on data captured from more than 69 million attack sensors stationed in 157 countries.
Symantec identified a significant shift in attackers' tactics: Thirty-one percent of targeted attacks were aimed at businesses with fewer than 250 employees. This represents a threefold increase from Symantec Corp.'s 2012 report, and is the latest sign that attackers are broadening their search for susceptible targets.
"Small businesses may believe they are immune to attacks targeted at them," said Kevin Haley, director of product management for Symantec Security Response. "These corporations believe hackers are only interested in big scores, which has been true historically. Recently, the bad guys have come to realize that money and customer information stolen from a small business is as valuable as data taken from [a] big business – and [is] more easily gathered."
"Small businesses typically lack the staff and the expertise to adequately protect confidential information," stated Rick Holland, senior analyst at Cambridge, Mass.-based Forrester Research Inc. Sometimes one person is the IT department and in turn is responsible for safeguarding all of the company's computer systems; in other instances, he said, these duties fall under the aegis of the chief financial officer. Since small companies are less focused on constructing their cyber-defenses, Holland added, their networks offer hackers a path of least resistance.
Small- and medium-sized businesses (SMBs) can be treasure troves for data-hungry attackers. Bad guys can profit significantly by stealing company accounts, customer billing information and intellectual property, even if the organization doesn't rank in the Fortune 500.
"Startup businesses begin as SMBs and could have intellectual property that hackers find to be quite valuable," Holland noted.
Attacks on small enterprises have a ripple effect on larger corporations. Once criminals breach the defenses of a small business, according to Cupertino, Calif.-based Symantec, they may also gain entry ways to larger targets because small businesses often partner with bigger firms.
In addition, Symantec reported that the number of Web-based attacks increased by one-third in 2012. Many of these attacks originated from the compromised websites of small businesses.
Supplementing their phishing attacks, cyber-espionage gangs now hijack these websites, lie in wait for their targets to visit, and then infect the systems. This types of incidents, called watering hole attacks, occur when the attacker compromises a website -- such as a blog or small business website -- which is known to be frequently visited. As victims visit a compromised website, a targeted attack payload is stealthily installed on their computers.
This class of attack – pioneered by The Elderwood Gang -- is quite effective. In 2012, the reputed cybercrime group successfully infected 500 organizations in a single day, according to Symantec.
So, what should a small business do to protect itself? "First, these companies need to assume they're a target," noted Symantec's Haley. If small businesses become more aware of the potential problem, then they may take more steps to protect their data.
"SMBs are [a] good fit for cloud or managed network security services," said Forrester Research's Holland. Here they hand over the responsibility of safeguarding their data to experts, who ideally provide a higher level of protection than they could.
Hackers have recognized the vulnerabilities present in SMB computer systems and are moving to exploit them. These businesses need to defend themselves or else they may soon find their systems compromised.
About the author:
Paul Korzeniowski is a freelance writer specializing in technology issues. He is based in Sudbury, Mass., and can be reached at firstname.lastname@example.org.