The Public Eye with Eric Chabrow

SMBs Need to 'Feel' Cyberthreat to Act
Small Enterprises Don't Perceive They'll be Attacked

Read the headlines about data breaches and cyberattacks, and the victims seem to be big banks, big government and big business. No wonder the perception exists among many operators of small- and midsize enterprises that attackers don't prey on the little guy.

A just-issued survey from the National Cybersecurity Alliance and IT security provider Symantec shows that two-thirds of operators of SMBs don't fret about cyberthreats, either from hackers or their own employees or contractors.

But these perceptions are false. As the annual Verizon Business breach reports have shown in the past couple of years, small and midsize businesses represent a large number of breach victims. "We still saw a continued trend from last year of industrialized-style attacks against small businesses," says Chris Porter, a member of Verizon's RISK Team [see Basic Threat Defenses Are Often Overlooked].

And Symantec says nearly 40 percent of the 1 billion-plus cyberattacks the security company claims it prevented in the first quarter of 2012 targeted companies with fewer than 500 employees. Symantec Vice President Brian Burch characterizes SMBs' attitude toward cybersecurity as "terrifying."

Why the misconception?

"You read about cyber breaches and virtually all that you know about are big Fortune 50, Fortune 100 companies, and government contractors, folks that the typical company or the typical person who owns the company can't relate to," says Richard Bortnick, a lawyer who specializes in cyber risk at the law firm Cozen O'Connor. "They presume, why would someone hack me? Who would want anything that I have?"

The answer: Cybercriminals, including many from Eastern Europe, who see data residing in computers at small enterprises as the low-hanging fruit they can easily pick and monetize.

Just ask the managers of Choice Escrow, a Springfield, Mo., escrow company with sales the business research firm Hoovers pegs at $380,000 a year. Choice Escrow contends hackers infected one of its computers over the Internet with a variant of the Zeus malware, which logged keystrokes typed by a company employee, revealing the name and password to the escrow company's bank account. Using the pilfered authentication credentials (see chart below), Choice Escrow says cybercriminals logged into its BancorpSouth account and stole $440,000; that's $60,000 more than it generates in annual revenues. The digital theft has resulted in a lawsuit and countersuit between the small escrow company and the bank [see Bank Sues Customer over ACH/Wire Fraud].

Why do smaller companies fall victim? The relative simplicity of many SMBs' IT systems, as compared with those of larger businesses and governments, is one reason. Here's how Christine Marciano, owner of the independent insurance agency Cyber Data Risk Managers, puts it: Operators of large systems understand that firewalls and other technologies to protect their computers aren't enough; they need to secure the data. That kind of mindset is missing among many small business operators. They feel the steps they've taken to protect their IT are enough. "That's where the disconnect exists," Marciano says.

Not only are most SMB operators not overly concerned about cyberthreats, nearly six out of 10 of them don't have a contingency plan outlining procedures for responding and reporting data breach losses, the survey reveals.

That cavalier attitude among many SMBs concerns Michael Kaiser, executive director of the National Cybersecurity Alliance, an industry-government-academic not-for-profit that promotes Internet security. "A data breach or hacking incident can really harm SMBs and unfortunately lead to a lack of trust from consumers, partners and suppliers," Kaiser says in a statement accompanying the release of the survey of 1,015 U.S. small businesses with fewer than 250 employees. "Small businesses must make plans to protect their businesses from cyberthreats and help employees stay safe online."

But that may not take place until the operators of small and midsize enterprises feel the threat, not in their head, but in their gut.



About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.



