IT Security Threats to Small Business
Nick Savvides | June 18, 2010
No business is too small to be a target of cyber crime.
The Internet and Information Technology have changed the way people, businesses and the government communicate. Even the smallest of businesses now depend on the Internet to operate and communicate with customers, and have access to automated tools and technology that were previously only feasible for large organisations.
Unfortunately, with the upside comes a downside: IT security threats.
IT security threats are especially challenging for small businesses that do not have a dedicated IT team. Many small business owners make the mistake of thinking “it won’t happen to me” or “why would anyone be interested in attacking my business?” While it is true that large businesses are heavily targeted by criminals, small businesses and individuals are attacked because the attacks are easier and cheaper to conduct, and often successful.
Attackers who execute fraudulent activity on small businesses generally have the same goal in mind: to compromise and/or exploit. Both can have serious consequences for a small business. In these instances, the general method of attack is to get a piece of malicious software (malware) installed on a computer. This can happen in an automated fashion by exploiting vulnerabilities on a computer (for example, leaving an unprotected computer connected to the Internet) or by social engineering, whereby a user is tricked into opening a file or email or visiting a malicious website.
In the first case, the malware joins what is known as a botnet. A botnet is a network of compromised computers, known as zombies, that are under the control of an attacker. Once a computer is on a botnet, the attacker can use it to launch large distributed attacks on their primary targets, which tend to be large organisations with heavy Internet dependence. Botnets can also be used to send large amounts of spam, host illegal files and distribute even more malware. The success of botnets has led to a marketplace where botnet operators lease out the resources of their botnets to other malicious persons for their attacks.
All of this happens without any user notification as the botnet malware runs in the background and can participate in attacks even while the computer is in use. If a computer is part of a botnet, the malware can 1) consume its bandwidth, leading to increased charges from the ISP, 2) crash the computer repeatedly, and 3) cause loss of files and data. For a small business, this can be detrimental.
In the second case, a malicious attacker compromises a computer in order to use it and the information on it against the user. The primary threat is identity theft, which happens when an attacker obtains enough information about someone, their business or their customers to perform a scam for financial gain. This can be as simple as stealing banking login details and emptying bank accounts, or as sophisticated as manipulating and stealing data, placing false orders, and stealing the identities of staff or customers.
For example, an attacker might use a computer to order goods from a supplier and have the goods delivered to an alternate address or change payment details on the invoice. The attacker may be able to obtain enough information to open bank accounts, credit cards or obtain loans in the victim’s name. Such attacks can take a very long time to be detected (if at all). One of the problems in detecting these attacks is that an attacker may obtain all of this information but not use it themselves, instead selling it to others to use.
Small businesses and their staff can take a few simple steps to help mitigate these threats:
- Use a firewall on your Internet gateway. A firewall configured to allow only web and email traffic outbound (and not unrelated traffic inbound) will assist in protecting your network.
- Ensure automatic updates are turned on for all your computers’ operating systems and applications that support them. Software may have vulnerabilities that can be corrected by the vendor via a patch or software update.
- Ensure both anti-virus and anti-malware/anti-spyware are installed on computers and that automatic updates are enabled. This allows detection of known threats on machines.
- Back up files regularly. Use external disks or tapes to back up data.
- Test backups. A backup is of no use if it cannot be restored. Test it regularly to ensure recovery from data loss.
- Use caution when opening email attachments from unknown or new sources as these are an easy way to distribute malware. Malware that is new may not be detected and one’s best judgment is the last line of defence. Even email from familiar contacts may be infected with malware. Read the content, and if it is generic or out of character for the sender, do not open the attachment.
- Do not follow links in emails from unknown or new sources. Links are often to sites that are crafted to install malware on computers. The email might appear to be from familiar contacts or commonly-used vendors or services. Read the content, and if it is generic or out of character for the sender, do not follow the link.
- Take advantage of features offered by banks and other online services such as One-Time-Password (OTP) technology, which is a second-factor authentication system (also known as strong authentication). Strong authentication technology combines something a user has (such as a dynamic numeric code generated by a physical device) with something the user knows (such as a User ID and a password). The dynamic numeric code that is generated by an OTP device is valid for a fixed amount of time (normally about 30 seconds).
- When using sites, look for visual cues to check a website is authentic. Check if the site has a green address bar (Extended Validation SSL), which signifies that a site has undergone extensive identity authentication. Look for the ‘padlock’ symbol on the address bar to verify if the website is secure and click on it to review the website identification. Check if all the words in the website’s address are spelt correctly – most often, a misplaced letter or incorrect spelling is a strong indicator of a fraudulent site.
- Run awareness training for all staff. It takes only one person in the organisation to be unaware of the threats and how to protect themselves to allow malware into your business. Make sure everyone understands what is at stake.
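As an added illustration of the time-limited code described in the OTP step above (this is not code from the article or from any bank), the sketch below assumes the open TOTP standard, RFC 6238, which the article does not name. The secret is the RFC's published test value, and the `verify` function with its `drift` and `last_counter` parameters is a hypothetical server-side check.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (the "about 30 seconds" in the text)


def totp(secret: bytes, now: float, digits: int = 6, step: int = STEP) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1 variant)."""
    counter = int(now // step)                  # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: float, last_counter: int = -1,
           drift: int = 1, step: int = STEP):
    """Hypothetical server-side check: returns the matched window, or None.

    drift        -- windows of clock skew tolerated either side of `now`
    last_counter -- window of the last accepted code, so replays are refused
    """
    current = int(now // step)
    for counter in range(max(0, current - drift), current + drift + 1):
        if counter <= last_counter:
            continue                            # this window was already used
        expected = totp(secret, counter * step, len(code), step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 test secret, not a real key
    t = 1111111109                              # constructed login time (Unix seconds)
    code = totp(secret, t)
    print("code shown on device:", code)
    used = verify(secret, code, t)
    print("accepted at login:   ", used is not None)
    print("replayed 5 s later:  ", verify(secret, code, t + 5, used) is not None)
    print("tried 2 minutes late:", verify(secret, code, t + 120) is not None)
```

A stolen password alone fails this check, and a code that was captured in transit stops working once its window has passed or once it has been used.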
Following and staying aware of these steps will help small businesses and their customers stay safer online.
For more information on identity theft, please read Nick’s recent article in Computerworld, “Identity Theft: More than your credit card”. Nick Savvides is the Security and Business Operations Manager for VeriSign Australia.

foggy
July 1, 2010 at 8:42 am
IT literate
Though the article is about IT security, I am digressing from the issue. Out of curiosity, I would like to know how many folk of various professions have also specialised in the IT field? If not out of love for computers, then the urge to mind their own business security?