Tactical Advice

SMBs Are Easy Targets for Cyber Criminals

Businesses that practice good cyber hygiene can avoid becoming cautionary tales about the dangers of malware.
SMBs Are Easy Targets for Cyber Criminals
Credit: iStock/ThinkStockPhotos

Just because a business is small doesn't mean it's invisible to hackers or immune to attacks. All it takes is for a cybercriminal to exploit a single point of weakness, or an employee to make a mistake, and an SMB could be on the hook for thousands of dollars, or worse.

A few years ago, most attacks were random and indiscriminate, with no purpose other than to cause damage. Today's attacks are typically targeted at particular organizations, with equally specific motives — to extract as much money or data as possible — and small businesses are increasingly in the crosshairs.

Picking Low Hanging Fruit

Nearly a third of all malware attacks targeted businesses with 250 employees or less in 2012, according to Symantec's 2013 Internet Threat Report. Damage can be substantial.

Last winter, a small family-owned chain of electronics stores in the Northeast was attacked by a gang of Eastern European cybercriminals who installed a piece of malware on the chain’s network to harvest customers' credit card numbers.

After quietly collecting data for six months, the crooks charged nearly $3 million worth of fraudulent credit card transactions before the malware was detected, says Aaron Messing, an attorney with Olender Feldman LLP , who is representing the chain.

The chain requested its name not be used in this story, lest it once again become a target for attackers. While its credit card issuer absorbed the losses stemming from the bogus charges, it also levied a penalty of more than $100,000 on the chain for allegedly violating security agreements. The fine is currently under appeal.

“One of the biggest misconceptions SMBs have is that they're too small to be noticed by cybercriminals,” says Messing. “That's simply not the case. Because they handle sensitive information like credit card data, they're always going to be a target.”

In fact, crooks prefer to attack SMBs; in part, because most lack the enterprise-level security required to repel attacks, says Brian Burch, vice president of SMB marketing for Symantec. Thanks to the Internet, criminals can target thousands of individual businesses at a time. With the ability to extract a few hundred dollars from each, there’s little incentive to put in the effort or risk of going after that one big score.

There are dozens of ways attackers can profit from infecting an SMB. With access to a firm's accounting systems, they can pay themselves for fictional products or cut paychecks for phantom employees. They can lock SMBs out of their own computers and demand ransom in return for the passwords, or steal employees' personal information (or the company's intellectual property) and sell it on the black market. They can infect every computer on a business's network and rent them out as part of a botnet for other attackers. With access privileges, they can attack larger enterprises the SMB does business with.

“No company is too small to attract the attention of cybercriminals,” notes Burch. “No crook in his right mind would accept the risk of robbing a bank for just $200, but he'd happily attack thousands of businesses for that amount, hoping that 500 of them prove vulnerable. And the only way you'd know you've been attacked is when the money starts disappearing.”

Getting Serious About Security

Usually it takes some kind of disaster for an SMB to focus on cybersecurity. That was the case at Jones & Wenner, a regional insurance firm in Fairlawn, Ohio, with a dozen employees. About seven years ago, J&W found itself on the wrong end of the Anna Kournikova virus, says Vice President of Administration Joyce Sigler.

“It went wild and shut us down for a couple of days,” she says. “These things usually strike quick and hard, and it's tough to get your hands around them all at once. Afterward, we said we never wanted that to happen to us again.”

Shortly thereafter, J&W contracted with AppRiver, a cloud-based security provider, to handle all of its web hosting, email and Internet traffic. Since then the firm has been malware free, Sigler says.

Ironically, one type of insurance J&W specializes in is cyber insurance against losses from hack attacks and other data spills.

Every employee needs to practice good cyber hygiene, says Monica Hamilton, an SMB product and solutions marketing director for McAfee. That means securing every device that must access the company network, enforcing strict password management policies and assessing vulnerabilities — including how to deploy effective counter measures.

But the biggest hurdle may be getting over the notion that being small brings immunity to attack. It doesn't.

Sign up for our e-newsletter

About the Author

Dan Tynan

Dan Tynan is a freelance writer based out of Wilmington, N.C. He has won numerous journalism awards and his work has appeared in more than 70 publications, several of them not yet dead. Follow him on Twitter @tynanwrites and Google+.


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.