Why small businesses are an easy target to hack

Abstract

Technology is rapidly evolving in a world driven by social networks, online transactions, cloud computing, and automated processes. But with the technological evolution comes the progress of cybercrime, which continually develops new attack types, tools and techniques that allow attackers to penetrate more complex or well-controlled environments, and produce increased damage and even remain untraceable.

New technology allows small businesses to use many of the same information systems employed by large enterprises. In doing so, small businesses open themselves up to many threats that were traditionally associated with large corporations. It is imperative to their continued success that they recognize these pitfalls and take steps to address them. This paper examines some of those threats and offers some solutions for the problems.

Small and mid-sized businesses are hit by 62 percent of all cyber-attacks, about 4,000 per day, according to IBM. Cybercriminals target small businesses because they are an easy, soft target to penetrate. They steal information to rob bank accounts via wire transfers; steal customers’ personal identity information; file for fraudulent tax refunds; and commit health insurance or Medicare fraud.


Introduction

Many small business owners think that because they are a small business they do not need to worry about cyberattacks. In their view they are not attractive to hackers, because attacking them yields less benefit than attacking a large organisation or company. In reality, small businesses have systems with weaker security that cannot withstand large or complex attacks, and they lack the means to detect malware and suspicious activity, which leaves the attacker a clear path to a large loss. Most large security companies do not serve small businesses, because small businesses cannot afford the fees those companies charge for their services.

Smaller companies are attractive because they tend to have weaker online security. They’re also doing more business than ever online via cloud services that don’t use strong encryption technology. To a hacker, that translates into reams of sensitive data behind a door with an easy lock to pick. If you have any Fortune 500 companies as customers, you’re an even more enticing target: you’re an entry point.

Remember, most cyber breaches happen because an employee does something that they aren’t supposed to do. Basic training can stop a majority of low-level threats. But coaching your employees on data protection is not enough. Business owners must establish data security protocols, policies, practices and procedures that every employee takes seriously.

According to Ridley, firms can follow several simple steps to reduce cyber-risks. He suggests using secure passwords such as three random words, installing antivirus and anti-malware software on all company devices, instigating regular software updates that contain vital security upgrades, and educating staff on cyber-risks. Another way of helping to improve security is to subscribe to the government-backed Cyber Essentials scheme.

According to the Cyber Streetwise campaign, a cross-government initiative run by the Home Office, major cyber threats to SMEs include:

  • Ransomware – where a piece of malicious software, typically received via a phishing email, encrypts all of the data on the company’s network, with the perpetrators requesting a ransom (typically £500–£1,000) in order to provide the decryption key.
  • Hack attack – where a hacker manages to gain access to the company’s network, typically by exploiting an unpatched vulnerability within the software, allowing them access to the company data. The target will generally be personally identifiable information (PII) on a company’s customers, especially credit card information.
  • Denial of Service attack – when a company’s website is overwhelmed by a volume of data pushed to its servers in a malicious manner. These attacks are increasingly easy and cheap to carry out, with some online tools costing as little as £25 per hour.
  • Human error – people are generally the weakest link in any security chain, and a vast number of data breaches are the result of information being lost, or distributed to the wrong person. Even the seemingly mundane can have far-reaching consequences, particularly where sensitive PII is involved.
  • CEO fraud – where a criminal poses as a senior person within the firm, either by hacking or “spoofing” their email account, and convinces someone with financial authority to make a payment.
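As an added defensive illustration of the phishing and CEO fraud items above (example code written for this page, not material from the Cyber Streetwise campaign), the script below checks a few email header signals that a mail gateway or a helpdesk triage script can use to flag a message that claims to come from a senior person: the display name matches an executive but the sender domain is not the company’s own, the Reply-To address points to a different domain, or the sender domain is a close lookalike of the real one. The company domain, the executive names and the three sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the example (constructed, not from the page).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane smith", "tom brown"}   # staff whose name a fraudster would borrow


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, legit, max_distance=2):
    """True when domain is not legit but is within a couple of edits of it."""
    return domain != legit and levenshtein(domain, legit) <= max_distance


def analyse_headers(raw_message):
    """Return a list of human-readable findings for the From/Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. An executive's name on a message that did not come from the company domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' is an executive but sender domain is {from_domain}")

    # 2. Replies are silently redirected to another domain.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The sender domain imitates the real one (e.g. a digit swapped for a letter).
    if lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    return findings


# Constructed sample messages.
SPOOFED = (
    "From: Jane Smith <jane.smith@examp1e.com>\n"
    "Reply-To: ceo.jane@mail-freebox.invalid\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire\n\n"
    "Please pay the attached invoice today.\n"
)
WEBMAIL = (
    "From: Tom Brown <tom.brown.ceo@webmail.invalid>\n"
    "To: accounts@example.com\n"
    "Subject: Quick favour\n\n"
    "Are you at your desk?\n"
)
LEGIT = (
    "From: Jane Smith <jane.smith@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Lunch\n\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("webmail", WEBMAIL), ("legit", LEGIT)):
        print(label, analyse_headers(raw) or ["no findings"])
```

These checks are cheap and complement, rather than replace, SPF/DKIM/DMARC verification at the gateway; the point they make for a small firm is that a finance process which requires a second, out-of-band confirmation for any payment request is the control that survives even when every header looks clean.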


Literature Review

Cyber-attacks are increasingly a daily reality for companies of all sizes and for individuals alike, yet little is universally known about cyber-crime. M. Uma and G. Padmavathi (2013) outline that there is a general lack of understanding of the different types of attacks, their characteristics and their possible results, which may pose an obstacle when trying to defend information security.

Several definitions of the terms cyber-attack, cyber-crime, etc. can be found in the international literature, all having in common the aim to compromise the confidentiality, integrity and availability of data. The technological evolution also brings along the progress of cyber-crime, so new ways to perform attacks, reach even harder-to-penetrate targets and remain untraced are developed continuously. However, traditional cyber threats remain the source of the most common attacks. Various types of attacks have been defined and studied in the international literature:

  • Man-in-the-middle attack occurs when the attacker interposes between the two communication ends, so that every message sent from source A to destination B reaches the attacker before reaching its destination. The further risks posed by this type of attack comprise unauthorised access to sensitive information and the possibility for the attacker to alter the information/message that reaches the destination;
  • Brute force attack comprises repeated attempts to gain access to protected information (e.g. passwords, encryption keys, etc.) until the correct key is found, so that the information can be reached;
  • DDoS (Distributed Denial of Service) is a type of attack that compromises the availability of data, in that the attacker floods the victim (e.g. a server) with requests until it becomes inoperable;
  • Malware is a generic term describing types of malicious software, used by the attacker to compromise the confidentiality, availability and integrity of data. The most common types of malware are: viruses, worms, trojans, spyware, ransomware, adware and scareware/rogueware;
  • Phishing is a technique aiming to steal private information from users by masquerading as a trusted source (e.g. a website);
  • Social engineering is the general term that describes techniques used to gain unauthorized access to information through human interaction.
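To make the brute force item above concrete from the defender’s side (an added example, not code from Uma and Padmavathi or from any source the paper cites), the script below parses constructed sshd-style authentication log lines and raises an alert when one source address accumulates more failed logins than a threshold inside a sliding time window; it also keeps a plain per-address total, because a patient attacker who spaces attempts out evades the window but not the total. The log format, the threshold, the window length and the year supplied to the timestamps are all assumptions; the lines are assumed to be in chronological order, as they are in a log file.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed syslog/sshd line shape (constructed for the example).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
THRESHOLD = 5        # failures inside the window that trigger an alert (assumed)
WINDOW_SECONDS = 60  # sliding window length (assumed)


def parse_failed_login(line, year=2015):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m["user"], m["ip"]


def detect_brute_force(lines, threshold=THRESHOLD, window_s=WINDOW_SECONDS):
    """Map each offending source IP to the time its failures first reached the threshold."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue
        ts, _user, ip = rec
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def count_failures(lines):
    """Total failed logins per source IP, regardless of timing (catches slow attacks)."""
    counts = Counter()
    for line in lines:
        rec = parse_failed_login(line)
        if rec is not None:
            counts[rec[2]] += 1
    return counts


# Constructed sample log: one fast attacker (203.0.113.5), one slow one (192.0.2.9),
# a couple of ordinary failures and one successful login that must be ignored.
SAMPLE_LOG = [
    "Jan 10 10:00:00 srv sshd[2100]: Failed password for root from 192.0.2.9 port 50001 ssh2",
    "Jan 10 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jan 10 10:00:03 srv sshd[2102]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Jan 10 10:00:05 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2",
    "Jan 10 10:00:09 srv sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2",
    "Jan 10 10:00:12 srv sshd[2105]: Accepted password for alice from 198.51.100.7 port 51001 ssh2",
    "Jan 10 10:00:13 srv sshd[2106]: Failed password for root from 203.0.113.5 port 40125 ssh2",
    "Jan 10 10:00:17 srv sshd[2107]: Failed password for root from 203.0.113.5 port 40126 ssh2",
    "Jan 10 10:00:21 srv sshd[2108]: Failed password for invalid user oracle from 203.0.113.5 port 40127 ssh2",
    "Jan 10 10:01:10 srv sshd[2109]: Failed password for root from 192.0.2.9 port 50002 ssh2",
    "Jan 10 10:02:20 srv sshd[2110]: Failed password for root from 192.0.2.9 port 50003 ssh2",
    "Jan 10 10:03:30 srv sshd[2111]: Failed password for root from 192.0.2.9 port 50004 ssh2",
    "Jan 10 10:04:40 srv sshd[2112]: Failed password for root from 192.0.2.9 port 50005 ssh2",
]

if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {THRESHOLD} failed logins within {WINDOW_SECONDS}s by {when:%H:%M:%S}")
    print("totals:", dict(count_failures(SAMPLE_LOG)))
```

With the defaults only 203.0.113.5 trips the window (its fifth failure lands at 10:00:17), while 192.0.2.9 reaches five failures too but spread over more than four minutes; widening the window to ten minutes catches it as well. The same counting logic is what tools such as fail2ban apply before blocking an address, and for a small firm the cheaper control still sits upstream: account lockout or rate limiting on the service itself, and no password-only SSH exposed to the internet.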


Discussion

The question explored by this study was whether SMEs were taking the cyber threat seriously. Certainly we confirmed that a significant percentage were not doing so. Only 15% of the participants had anything close to an accurate perception of their vulnerability to attack. Moreover, this study checked whether participants were implementing a small subset of the available security measures, whether they were concerned about their information and whether they understood the dangers of public WiFi. Only 14% of participants covered all of these; the rest implemented only some of the measures or were not very concerned.

One possible contributor both to poor risk perception and poor risk management is that the message about the magnitude of the cyber threat was not being communicated effectively to SMEs. If they do not understand it, or are able to rationalise the fear away, they will not accept the seriousness of the risk. We also noticed that even those who had a realistic idea of the risk did not reliably implement all the required measures. A contributing factor here could be that the available advice is often overly technical, complex and overwhelming.

In terms of reaching SMEs, some viable (inexpensive) options emerged from the analysis. One source of advice: provide a security advice website, with one set of SME-targeted advice agreed upon by all stakeholders. Ensure that it appears on page 1 of Google. Structure the advice to answer the main questions and keep things very simple (details can be linked to for those who are interested):


1) Why bother? (Risk message “with tears”)

  a) What is the risk of being hacked as an SME?

2) What should I do and how? (Security management)

  a) What basic security measures must I take?
  b) What extra security measures would make me even more secure?
  c) What are the advantages of outsourcing to an IT service provider?
  d) Where can I get funding to help me with security?

3) What do I do if I have been hacked? What actions should I take? (Incident response)

Engage locally with SMEs: arrange SME-specific events dealing with something they care about, like business continuity, specifically not advertised as security events. When people attend these, tell them about cyber security. Find a way to inject emotion, but be careful of overhyping, and always ensure that they know where to get advice. Provide inexpensive reminders of the advice website on something they use in their everyday lives (keyrings, stickers). Provide a newsletter they can sign up to that gives up-to-date advice at regular intervals, so that they are apprised of new risks and of the measures they ought to take to mitigate them.

Empower IT service providers: local IT companies have an important role to play. We should focus on improving their security knowledge and directly supporting them.

Conclusions

There is great room for improvement in the world’s fight against cyber-crime. M. Uma and G. Padmavathi (2013) state that there is a general lack of understanding of attacks (their types, characteristics and potential impact), so the world is facing a huge problem in ensuring proper security of information. The authors believe that the first thing to do in order to handle the problem of increasing cyber-crime is world-wide awareness, from the individual level to the company perspective, of what lies in the cyber world. One other main obstacle is probably the legal perspective: even though each state or region has its own set of laws and regulations governing the invasion of data privacy and theft, the internet is an international tool for attackers, so the only way to defeat cyber-crime is for authorities to think and act at a global level, thereby supporting the rights and safety of citizens of the entire world. Last but not least, it is the responsibility of each individual, company or authority to ensure a certain level of security, personally assessed and developed, in order to support information security and data privacy, as it is the right of every individual, company or authority to decide what data they retain, manage and share, and how. Further directions of the study will comprise closely following the evolution and trends of cyber-crime, as well as of countermeasures, focusing especially on universal awareness of cyber-crime and on the regulatory decisions and facts meant to support cyber-security.
