Dr. Chase Cunningham of Forrester Research recently spoke to a group of business leaders and IT professionals in Little Rock about cyber security. Although his previous work is with large enterprises such as the NSA, CIA, and FBI, he contends that small-to mid-sized businesses are now the hot target for the “bad guys” because they are “easier…low hanging fruit.”
The vulnerability of small-to-mid-sized businesses (SMBs) is exacerbated by two common misconceptions:
(1) “I don’t have anything worth stealing.”
(2) “I’m too small for them to notice.”
A closer look at each misconception belies the false sense of security we are depending upon.
“I don’t have anything worth stealing.”
Ransom ware: The hackers may not be interested in stealing anything. They simply “brick” your computer and demand the ransom money in exchange for returning your computer back to its normal, usable state. Until then, they’ve rendered your computer useless as a brick.
Fraud: If you have a computer and a bank account, you’re a target. Essentially, you are tricked into paying them money or divulging access into your bank account. Examples include social engineering where they are posing as someone you know and trust, asking for money. Or con games where they pose as a charitable organization, etc.
Leveraging your data to get to the REAL target: Once they’re in your computer, they can unlock your credentials to get into someone else’s system. Or they will piggyback onto your system to get into someone else’s system. For example, the high profile Target breach was possible by hacking the credentials of the local HVAC company that Target used which opened the path to customer information. Or who would have guessed that house cleaners would be targets? Yet they may have numbers for garage door openers and alarm codes providing the keys to clients’ houses. “No such thing as too small to be a target”
“I don’t have anything worth stealing.”
Co-opting your resources for their use: This particular tactic is known as an Advanced Persistent Threat (APT). Bad actors establish a presence and hide out on any computerized device (traditional and IOT types) until they’re ready to do what they want to do. They literally squat on computers to create a large network for their use, stealing your computer while you are looking at it. Some crypto miners who want to create bit coin will use this method.
“I’m too small for them to notice”
This misconception is based on the notion that bad actors are being selective on the basis of pre-determined traits/characteristics. Actually, they are looking for only one thing — unlocked doors — and are going door-to-door on the Internet to find them. Or they’ve gotten your name from some other company they’ve hacked. And then they’re doing mass mailings. You may not be THE target. You are simply A target because your door is unlocked and/or you responded to junk mail.
WHAT CAN SMALL BUSINESS DO ABOUT IT?
• Get your head out of the sand and realize you are at risk for attack and real loss.
• Keep your software patched. Over a third of successful attacks leveraged unpatched software.
• Train yourself and employees how to recognize social engineering attacks. Individual users/employees are the top avenues for delivering malware.
• Whenever possible, use multi-factor authentication. Even if credentials get stolen, the ability of bad guys to use them is limited because they don’t have access to the second factor.
John Burgess
Mainstream Technologies, Inc.
President
Chief Security Officer
