Make no mistake: big things come in small packages. That’s no secret to cyber thieves. They often take the path of least resistance and see small and medium-sized businesses as easy prey since they don’t often have sufficient layers of protection around their systems.
In a Verizon 2013 Data Breach Investigations Report survey, nearly half of all breaches occurred at companies with fewer than 1,000 employees. Those organizations that were hit with the most number of breaches had fewer than 100 employees. In a study by the National Small Business Association 2013 Small Business Technology Survey, nearly half of small businesses reported having been the victim of a cyber-attack, and 25 percent of small businesses said they have “little to no understanding of cybersecurity.”
Hackers often target smaller organizations to obtain customer credit card data, private information on the business and its customers, and money from a small business’s bank account. Security industry analyst Gartner estimates that more than 10 percent of small businesses have had funds stolen from their bank accounts — losses totaling more than $2 billion—according to the New York Times.
There are many ways attackers target smaller businesses, one of which is the “corporate account takeover.” That’s when hackers infect one computer with malware that tracks usernames and passwords. The thieves use those credentials to make financial transactions from the small business’s financial accounts. Unlike personal accounts that banks usually protect from being responsible for fraudulent money transfers, businesses themselves are normally held responsible for online fraud that affects their accounts.
Small businesses often tell me, “We’re too small to matter” and “We don’t store valuable data.” Because small businesses usually have less funds than larger companies to secure their systems, and small businesses usually don’t monitor their networks 24/7, it’s easy for cyber thieves to get in and out of their networks sight unseen. Even if you don’t store valuable data—most likely you do—hackers may use your computers to set up websites such as porn sites, conduct Distributed Denial of Service (DDoS) attacks and to spam other users.
If you are outsourcing your website or other parts of your business that connect to your network, you are at risk for being compromised. A 2013 Ponemon Institute survey found that 55 percent of small businesses had a data breach and that sensitive information is more likely to be compromised when the data has been outsourced.
There is neither any one device you can buy nor any one thing you can do to ensure the security of your corporate environment. You must do various things to ensure your security. I often talk about the 50/30/20 rule:
- We find firewalls notify you of about 50 percent of the security events that occur on your network.
- About 30 percent of notifications come from another security layer, the Intrusion Detection/Protection System (IDS/IPS), which is a good risk mitigation and a regulatory compliance demand.
- And about 20 percent of your security event notifications come from servers, routers and switches that securely direct or receive your traffic.
However, not all small businesses can afford these protections. That’s why it’s best to meet with a third-party consultant who sells no products to help you analyze where your systems are most at risk and what type of security measures would best suit your organization.
Dell SecureWorks can help you with security services to fit your budget so that your IT team can focus on supporting other business initiatives without stopping to try to take care of security problems. It is more cost effective and is easier to keep intruders out rather than to get them out. Having intruders in your network is one small package no one wants to open.