Make no mistake: the cyber threat to small and mid-sized businesses (SMBs) is real. According to cyber insurance provider Travelers, the threat to smaller organizations continues to grow. Sixty percent of all online attacks in 2014 targeted SMBs. Given their reputation as an easy target, these SMBs are now feeling the impact of an insidious form of cybercrime that is gaining traction and has the potential to pose an even bigger danger.
Cyber criminals based in China are using smaller businesses as “human shields” to attack much larger target enterprises, which have much more to lose. Reportedly, hackers based in China have been targeting small businesses in the U.S., ranging from restaurants to schools to health clinics, but not for the reasons you’d expect. Chinese cyber gangs take over the computer systems of low-profile businesses and use these machines to fish for their real targets.
SMBs don’t have the resources or expertise to manage all of today’s complex security requirements. They typically depend on an outside IT consultant for much of their IT needs. Make sure that your IT consultant uses and recommends security solutions that are easy to use and implement for each of your internet-accessing devices, including company laptops that get taken home by employees. If it’s a company laptop, company security policies should be enforced whether that laptop is inside or outside the corporate network.
Savvy cyber thieves know that most small businesses aren’t as well protected with up-to-date antivirus software and multilayered security protection, so they hijack their computers and networks to steal company and customer data from larger enterprises. In this way, hackers are not only masking their attacks, but are also able to cleverly misdirect security officials investigating a hack of a large company toward the wrong people. And since small businesses are less likely to keep track of and log all their Internet traffic, officials then find it difficult to determine the exact origin of the attack.
One of the earliest reported cases took place in California in 2010. During the FBI investigation of a cyber attack, authorities were able to trace the source to an IP address that belonged to a mental health clinic. The clinic’s computers were being used by hackers to carry out the attacks. Clinic management was oblivious to the underlying motives of the attack until the FBI investigation revealed the clinic’s computers were being used to breach the network of a major U.S. defense contractor.
Cyber thieves are very aware that smaller organizations are less secure than the bigger enterprises and Fortune 500 companies that have more resources to invest in building and maintaining a solid IT security information infrastructure. The bottom line is that no organization, big or small, is safe from being hacked because thieves do not discriminate.
Five common-sense ways that companies can protect themselves, and add an extra layer of protection against being used as a shield to attack other organizations, are:
- Prevent human error from being the weak link – Human error accounts for the majority of data breaches that occur in any organization. Any cyber security plan should begin with educating employees. Helping them understand the importance of using strong passwords, being aware of phishing scams, protecting the company’s sensitive data, etc., can go a long way toward cutting the risk of data breaches.
- Create and execute a security strategy – The U.S. Small Business Administration (sba.gov) recommends the Small Biz Cyber Planner for small enterprises. This planner is a good resource for businesses seeking an economical way to develop a security strategy.
- Secure all access points – Smaller organizations generally don’t have the resources and expertise needed to manage today’s highly complex security infrastructure, so they tend to depend on outside consultants for their IT needs, including security. Insist that your consultant deploy easy-to-use and simple-to-implement security solutions for each of your internet access points, including company laptops and mobile devices that may be used offsite by employees.
- Schedule regular backups – This is common knowledge, but for some companies, it is not yet commonplace. Data loss due to a breach can be devastating. The best method to contain or recover from this unfortunate situation is conducting regular backups of all corporate data.
- Keep tabs on access – It’s not only the internet that cyber crooks may use to target a small business. Infecting company computing assets may be as simple as placing malware on the system through a compromised external drive.
Today, the internet reaches into every corner of our lives, while providing a never-ending list of lucrative opportunities to hackers and cyber thieves. Just as technology is used every day to help us connect on a global scale and work smarter and more efficiently, it can also be manipulated by criminals to be used against us. This double-edged sword has made it necessary for us to create fortress walls to protect company and personal data, increasing the layers of protection to stop hackers from using small businesses to attack larger targets.