Cisco Blogs

Hacking Small Businesses

September 1, 2009

I’ve talked to many small business owners about security over the last several years, first as a professional serving that segment and later in casual conversation with friends and business owners in my local community. One question that comes up time and again is “Why would someone hack our computers? Who would even know we exist?” That question has had different answers over the years, and varies depending on the likelihood of targeted attacks versus untargeted ones. Some businesses get by just fine with automatic software updates, strong passwords, and a firewall. Others need more control over their environments, but the attackers have never lost sight of their goal. For the intruders, it’s all about getting what they want and finding out who they can get it from as easily as possible. And these days, they may be taking aim at small business.

As the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently warned financial institutions, there has been a significant increase in fraud targeting small and medium-sized businesses. For businesses of this size, it is relatively easy to operate online securely with a modest investment of time and resources. Many attacks are not targeted, which means that a general increase in awareness and a light application of policy and technology can stop most of the attacks from causing trouble. But because human resources are generally limited overall in smaller companies, if a dedicated IT staff exists, it is more likely to be comprised of generalists, or even specialists closely tied to business needs. Security experts, if present at all, are likely flying solo.

It is for this reason that services targeted to this segment and industry groups like the FS-ISAC are so important. Small businesses need options for amplifying their capabilities, either those that they pay for from consulting companies or other segment service providers, or those that are available to an entire industry.

Another key example of this working extremely well comes from the NCUA, the National Credit Union Association.

A credit union was recently sent some malicious software on CD-ROM, as well as a letter purporting to be from the NCUA. Staff at the credit union used normal incident response procedures and reported the malicious mailing to the NCUA. In turn, the NCUA issued a fraud alert to its members, to make them aware of the situation should any more such CDs be sent to other credit unions. Shortly thereafter, this became a national news story on several technology blogs and online publications. But at its core, this was part of a penetration test set up by the credit union and a contractor, Microsolved, Inc. Microsolved has since worked with the parties involved to correct misperceptions and dampen media response, but otherwise considers the test a success.

This blogger agrees, wholeheartedly. Small credit unions gain additional security through membership in the NCUA. As a part of sharing resources and falling under common regulation, the NCUA can provide for its members a central clearinghouse and source for information of this type. And in this case, when a penetration test occurred, the response procedures were followed and that central resource was notified and utilized. Had this not been a drill, it could have raised awareness and prevented wide-scale intrusion at several member credit unions.

As the CRR article mentioned, some criminal groups are taking advantage of the larger bank accounts and looser protections afforded to small businesses. And as the credit union penetration test shows, coordinated response and awareness can quickly spread the word of new attacks targeted to a particular segment. Some small companies may be primarily attacked as targets of opportunity, randomly selected from a large population of vulnerable organizations. But in case they are targeted for either obvious reasons, or for reasons that are not obvious to many besides the attackers themselves, the targeted businesses may need more protection than they can afford to provide strictly on their own.
