Small firms with lax security targeted by hackers

The Wall Street Journal reported last Thursday that while the media focuses on hacking attacks at major firms like Sony, in actuality the majority of cybercrimes happen at firms with less than 100 employees.*

Most intriguing was the story of a magazine shop in which cyber crooks planted a software program on the cash register that sent customer credit-card numbers to Russia. It was illustrative of the situation facing many small firms that are computerizing  and digitizing records. With limited budgets and no technical staff they are extremely vulnerable to hackers.

The Journal  says Visa estimates about 95% of the credit card breaches it discovers are on its smallest business customers. And the situation will get worse because of lax security at many if not most of these firms. The Journal states that smaller companies are less likely to grasp the security threat and this was confirmed by a 2010 survey by the National Retail Federation and First Media Corp.

The survey found that 64% of small to medium sized retailers believed their businesses were not vulnerable to card data theft and only 49% had assessed their security safeguards. These folks were just ignorant of the impending danger in cyber space.

Reviewing the hack at the magazine shop, we find the following problems with this small business:

  • Allowed remote Internet access (program called Remote Desktop) to computers that processed credit card point of sale transactions
  • Remote access program had a weak username and password (“POS”)
  • Hacker used same program, Remote Desktop, to gain access to point of sale computers (hacked password).
  • Hacker installed software that captured credit card information, before it was sent to the credit card processor.
  • Hacker software was detected and removed more than a year after it first gained access to business’ computers

“Hacking at small businesses is  a prolific problem…It’s going to get much worse before it gets better.” Dean Kinsman, FBI, cyber division

So what can small businesses do to protect themselves?  First off we find small businesses neglect basic security measures such as changing default passwords. Their employees need to be trained about criminal tactics from phone calls to social media sites which aim to trick people in disclosing password access information. However, the fact there are many forms of security threats and the evolving nature of cyber crime makes it difficult to have a single list of dos and don’ts.

Which is why a holistic, continuous approach to assessment, people, policy, detection, deterrent, remediation and prosecution is the only way to go.

* Verizon/U.S. Secret Service study indicates in 2010 63% of cyber attacks at businesses with 100 or fewer employees.