When Pamela (not her real name) sat down at her desk one recent weekday morning, online security was the furthest thing from her mind. Sure, she had a basic knowledge of common-sense security practices. She wasn't the type to use insecure passwords or download dubious content from the Web. As chief financial officer for a small Chicago-based manufacturing company, she regarded her PC as a no-nonsense work tool. Still, somewhere along the way, a little snippet of malware slipped onto her PC, and it would soon threaten her company's survival.
According to Brian Yelm, CEO of Chicago tech services provider Technologyville, Pamela's malware did one nefariously simple thing: It caused her browser to redirect all bank URLs to a set of phony sites that looked just like their legitimate counterparts--a technique called phishing. When Pamela logged in to the look-alike site, a message prompted her to call customer service about a problem with her company's account. She dialed the number on the screen, and after a few simple questions from the agent on the line, every single penny in her company's account disappeared. More than $300,000, gone in minutes.
Pamela and the company were lucky. They immediately discovered the missing funds and pulled out all the stops to recover the money from their bank. And with Technologyville's help, they traced the IP addresses and phone calls back to a hacker group in Eastern Europe. Justice was served. The money was recovered. Pamela's company survived.
Not every company that gets hacked is so lucky. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.
Now let's pause for a moment, and restate that another way: You've got a 20 percent chance of being hacked, and if it happens there's a good chance your business is finished.
Of course, not every small business is equally likely to fall prey to cybercrime. Attackers don't generally discriminate by company type, valuation, or any other characteristic of the business itself. Instead, they look for one thing: vulnerability.
"Most small business owners still don't get security, don't think it's an issue, and are pretty defenseless," says Neal O'Farrell of Think Security First, a security consultancy based in Walnut Creek, California. "They assume hackers would need to pick their business out of 27 million others, not realizing that the attacks are automated and focused on discovering vulnerabilities."
Smaller companies are increasingly attractive targets for attackers, too. Symantec's latest annual Internet Security Threat Report found that companies with fewer than 250 employees constituted a staggering 31 percent of targeted attacks in 2012--a massive jump from 18 percent the year before.
Why the huge increase? Smaller companies are simply easy pickings, and they don't fight back like bigger companies.
"Small businesses represent low risk and little chance of exposure for thieves," says O'Farrell. "They typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach."
And just because a company is small, that doesn't mean it can't net huge payoffs for attackers. Often, a breach against a small fry can yield useful data for attackers seeking to target bigger fish. So a series of easy attacks against more-vulnerable small businesses can ultimately enable a hacker to orchestrate a much bigger attack elsewhere, while uncovering plenty of valuable spoils--ranging from employee data and cloud logins to customer data and banking credentials--from the smaller players along the way.
No experience required
Meanwhile, finding victims has gotten easier for criminals. "The tools used by hackers and cybercriminals have become cheap and easy to acquire," says JD Sherry, vice president of technology and solutions at security software maker Trend Micro.
Worse still, these hacking tools have become so easy to use that one need not necessarily be a bona-fide hacker to use them. Instead, with minimal input from the user, a hacking app can initiate a series of scripts to probe many thousands of IP addresses across the Web, seeking out open ports on endpoint PCs; planting spyware or Trojan horse software on websites using widespread weaknesses in technologies such as Java and Flash; or firing off thousands of phishing emails with the aim of getting a few people to click through and receive a small nugget of malware that will leave their PC vulnerable to further attacks.
Yelm concurs: "You don't have to be very smart to do this."
But small-business owners do need to be smart, and that starts with understanding that the security landscape has changed. Small companies can no longer rely on security through obscurity, because automated hacking tools from all over the world are constantly scouring the Internet for vulnerable machines. Meanwhile, every company of any size now has an overwhelming abundance of connected devices and cloud-based services that present a feast of opportunity for attackers.
Unsecured mobile devices--especially Android phones and tablets--used as BYOD (Bring Your Own Device) business equipment make it all too easy for a cybercriminal to slip malware onto a device and collect usernames and passwords for social networks, business networks, and even banking systems. Once a cybercriminal gets a single sales rep's CRM login, he can wreak havoc with customer accounts.
According to the Ponemon Institute, which tracks data surrounding digital privacy and security, recovering from an attack on a customer database can cost an average of $194 for every compromised customer record. Those are just remediation costs, and that number doesn't account for additional costs due to reputation damage, lawsuits, and lost business. No wonder so many small companies go bankrupt after an attack. If the hackers don't siphon hundreds of thousands from your account, you may have to pay it out anyway just to fix the problems they cause.
What you can do
Safeguarding your company against security threats doesn't necessarily mean hiring a full-time IT security pro for your small business. There are four simple steps any small company can take to protect against cyberattacks.
1. Use protection on every device: Regardless of the platform, use secure passwords and encryption on every device that touches your business, from phones and tablets to laptops and desktops. If the device supports third-party anti-malware apps like those from McAfee, Symantec, or Trend Micro, install one.
2. Run business-grade unified malware protection: Consumer antivirus apps aren't sufficient to secure a business's tech infrastructure. Business-class security suites offer multidevice protection that includes ensuring that all devices get regular updates and security patches. This is key, since 90 percent of attacks exploit outdated software bugs on unpatched computers.
3. Train your staff (and yourself) to practice good digital hygiene: Don't use the same password on multiple accounts. Don't follow links in email. Learn to spot phishing threats. Make sure everyone on your staff knows this stuff, and remind them often.
4. Get a security audit and heed its findings: One of Technologyville's clients learned this lesson the hard way last year when its financial services website fell prey to a teenage hacker who exploited open ports on the site's server to take control of the company's online presence. The security consultants had identified those threats in an audit for the company a year earlier, yet the company chose not to act until it was way too late.
The unfortunate truth about digital security is that protecting your business from online threats isn't a one-time expense or a set-it-and-forget-it solution. It's an ongoing process and a necessary part of running any business that relies on data and the Internet for its survival. Your website, your desktop and laptop computers, your mobile phones, and all the online services you use to manage every aspect of your business are all potential entry points for an attack. And if you don't protect them, or if you put security on the back burner as a future project, your company may not survive to get a second chance.