Small Businesses Hammered By Cybercrime

Saturday, August 14, 2010

Theresa Payton

D13f77e036666dbd8f93bf5895f47703

Article by Ashesh Mamidi

Small businesses today have shifted from paper records to electronically stored information.  This so-called digitalization process has helped small businesses attain a dramatically more efficient way of doing business.

On the other hand, this has also opened new doors for cyber criminals to penetrate a small businesses' data system.  This trend could result in massive financial and retail security fraud and breaches over the next decade.

Criminals will find new avenues to get malicious software onto a small business' computer systems.  There will be attempts to embed malicious software into the downloads of software from reputable vendors. 

If software isn't authenticated, then attempts will be made to intercept software being downloaded and replace it with malicious versions. 

This is a wake-up call for small businesses because security issues with the Internet will cause dramatic loss of revenue for these entrepreneurial enterprises in the years ahead.

These small businesses are the easy targets for the cybercriminals and more than money, the criminals are interested in the intellectual property which they can use elsewhere to gain financially.

KEY FINDINGS:

Criminals are targeting companies that have PII and company bank accounts. The breakdown of identity theft cases is as follows (2009):

  • 26% credit card fraud, 18% utilities fraud, 17% bank fraud, 12% employment fraud, 5% loan fraud, 9% government fraud, 13% other.

Criminals target other information:

  • Data about them or their customers such as Credit card, Social Security and bank account numbers.
  • Loss of intellectual and financial property – It is estimated that losses can range from $20 to $90 billion annually to upwards of $240 billion a year.

See statistics at: http://www.ojp.usdoj.gov/ovc/ncvrw/2005/pg5i.html

METHODS DEPLOYED TO BREAK THE “LOCKS”:

Viruses - Studies in December 2007 have shown that the effectiveness of antivirus software has decreased in recent years, particularly against unknown or zero day attacks. The German computer magazine c’t found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. In general antivirus software removes only one-third of all the viruses.

Malicious software – It gives partial to full control of the computer to do whatever the malware creator wants. The damage done can vary from something slight as changing the author’s name on a document to full control of the machine without our ability to easily find out. Malicious software lurks behind emails, links on social networking sites, and in legitimate downloads.

RECOMMENDATIONS:

Software Protection: Consider Anti-virus software like Shield Deluxe-Antivirus Protection, Trend Micro Antivirus Internet Security 2010, Norton Antivirus 2010and anti-malware software like Avira, Threatfire, Combofix etc.

Discuss Implementation of Several Packages: Combining Anti-Virus, with Anti-Spyware, Intrusion Prevention Service, and Application intelligence can deliver stronger network security protection against a comprehensive array of dynamic threats. The combination helps combat viruses, spyware, worms, Trojans and software vulnerabilities such as buffer overflows, as well as backdoor exploits and other malicious code. This provides application layer attack protection not only against external threats, but also against those originating inside the network. The lower layer technologies like SSL/TLS, firewall and IPSec support application layer security.

CLOUD or SaaS: In-the-Cloud security services may offer an easy and affordable solution for small businesses, especially for those that cannot afford an extensive, dedicated IT staff. Some cloud computing services offer better business continuity options and more sophisticated technology than small business do-it-yourself teams can do.

INTERNET USE POLICY - An internet acceptable use policy clearly defines how employees should and should not use the internet at work. For example:

  • Instructions on what to do before downloading material, checking the size of the file and its source.
  • A warning to abide by any copyright and licensing restrictions on internet-sourced material.

CONTENT FILTER - Content filtering is the technique whereby content is blocked or allowed based on analysis of its content, rather than its source or other criteria. It is most widely used on the internet to filter email and web access; basically used to filter spam.

SEPARATE COMPUTERS: Keep business and home computing separate.

EMPLOYEE AWARENESS – Phishing, a method of capturing confidential information over the internet, mainly takes place by using emails which appear to be coming from a trusted website source. Things to do for employee awareness and email protection:

  • Ignoring suspicious mail which ask for personal information
  • We should never try to give credit or debit card information in response to emails
  • Change the password regularly
  • Use strong passwords

SAFE INTERNET CONNECTIONS: Wi-fi safety such as using secure sites (a site whose web address starts with https instead of http is always secure), making sure that no one is watching you when you enter personal information or when entering PIN code at an ATM, being careful while sending sensitive data when using a public wi-fi hotspot.

Small businesses are a target now more than ever before. Malicious security threats—particularly those executed via the Web—are abundant as an unprecedented number of botnets, Trojan horses and self-replicating worms, created and executed by organized criminal networks, are unleashed on networks to steal personal and financial information. 

In 1999, it is estimated that Fortune 1,000 companies sustained losses of more than $45 billion from theft of proprietary information, with insiders to the organization being seen as a higher than average threat. Borrowing software from work for personal use accounts for some of the $12 billion lost to software piracy worldwide.

A lagging economy has caused many companies to rein in their IT budgets, opening small businesses up to attacks simply because they lack the money and staffing for proper security infrastructure.

The lack of resources paired with a lack of awareness about security issues create gaps in small businesses security policies regarding behavior and best practices.

ANALYSIS:

DATA BREACHES: 47% of Small Businesses have lost confidential data in the past and huge percentage of loss came from deliberate theft (52%) as opposed to accidental data loss. Of this figure, 24% was attributed to people outside the organization, and insiders were found to account for 16% of illegal data loss, with loss through partners at 15%. 30% of firms who don't password protect their laptops, are running the very real risk of harming their businesses and reputations through losing confidential data by accident.

Statistics referred from: http://www.newstatesman.com/technology/2010/06/cyber-attacks-businesses-risk

LACK OF PROTECTION: Nearly one-fifth of small businesses don't even use antivirus software. Sixty percent don't use any encryption on their wireless links, and two-thirds of small businesses don't have a security plan in place. The majority of small businesses and even some medium size businesses do not have the dedicated IT support needed to monitor their computer networks and protect themselves from attack. Finally, many small business owners understandably lack the expertise to deploy the software or hardware solutions available to address ever-changing security challenges.

BUSINESS BANK ACCOUNTS HACKED: Vulnerable businesses, have sustained tens and even hundreds of thousands of dollars in losses, with little hope of recovering the money. Some have filed lawsuits against banks, charging that they failed to detect and stop transactions that were patently fraudulent. For example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year. The bank later recovered about $600,000 of the stolen funds but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remainder.

Statistics referred from: http://www.computerworld.com/s/article/print/9168458/Cyberattacks_raise_e_banking_security_fears?taxonomyName=Security&taxonomyId=17

IMPLICATIONS:

Businesses of every size rely on the Internet. Innovative use of the Internet can confer a competitive advantage on small and medium sized businesses. That edge can be dulled or even eliminated by cybercriminals and other threats.

A single breach in which a business owner or their customer’s data is stolen could literally destroy a small business. Less dramatically, but perhaps as importantly, common Internet risks like spyware and malware can damage computer software and wreak havoc on productivity.

So can employee access to non-work related web sites. Blocking certain websites in a work environment is easy to do and greatly reduces risk.

Such cyber thefts have led multiple businesses to file lawsuits against their banks and prompted government regulators to call on financial institutions to improve their security systems.

RECOMMENDATIONS:

There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan.

SOURCES:

1) "Small Business IT Channel News for VARs and Technology Integrators--ChannelWeb." Channel News, Technology News and Reviews for VARs and Technology Integrators--ChannelWeb. Web. 19 July 2010. .

2) Statesman, New. "New Statesman - Cyber Attacks Cost Small and Medium Businesses £200,000 Annually." New Statesman - Britain's Current Affairs & Politics Magazine. Web. 19 July 2010. .

3) "U.S. Small Businesses Vulnerable to Cyber Attacks, Says VirnetX Research Director -- SCOTTS VALLEY, Calif., Feb. 10 /PRNewswire-FirstCall/." PR Newswire: Press Release Distribution, Targeting, Monitoring and Marketing. Web. 19 July 2010. .

4) Parental Controls, Internet Filter, Online Safety Software and Services | CyberPatrol. Web. 19 July 2010. .

5) Vijayan, Jaikumar. "Cyberattacks Raise E-banking Security Fears - Computerworld." Computerworld - IT News, Features, Blogs, Tech Reviews, Career Advice. Web. 19 July 2010. .

6) 23, Folino |  Nov. "Is Your Small Business Cyber-Secure?" Small Business and Small Business Information for the Entrepreneur. 23 Nov. 2009. Web. 19 July 2010. .

7) Goldman, David. "What Cybercriminals Do with Your Information - Sep. 16, 2009." Business, Financial, Personal Finance News - CNNMoney.com. 16 Sept. 2009. Web. 19 July 2010. .

8) "Cyber Liability : Connecticut Business Litigation Blog." Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Raymond & Bennett Law Firm : Hartford, Middletown, Glastonbury. Web. 19 July 2010. .

9) Thompson, Steve. "FBI Warns Small Businesses about Rising Cybercrime Dangers." Merchant Account & Credit Card Processing Guide - MerchantAccountGuide.com. Web. 19 July 2010. .

10) "Create an Internet Usage Policy | Business Link." Business Support, Information and Advice | Business Link. Web. 19 July 2010. .

11) "Content Filtering." Wikipedia, the Free Encyclopedia. Web. 19 July 2010. .

12) "Network Security, Firewall & Wireless - Gateway AV, SPY & Intrusion Prevention Service - SonicWALL, Inc." SonicWALL - Select Your Region or Country. Web. 19 July 2010..

13) http://ezinearticles.com/?What-is-Phishing---Email-Phishing-Protection-Tips&id=4213593

The author, Ashesh Mamidi, is an Intern at Fortalice working under the tutilage of Theresa Payton.

Possibly Related Articles:
9703
Enterprise Security
Small Business Cyber Crime
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.