Q&A: Why SMBs Are Targets For Cyber Crime

Ondrej Krehel is a computer forensics consultant. With more than a decade of experience in computer forensics, he has launched investigations internationally and domestically into a broad range of IT security matters. He is a member of the High Technology Crime Investigation Association (HTCIA), the Information Systems Security Certification Consortium (ISC) and the International Council of Electronic Commerce (EC Council). He also is a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH).

Q: One in five small businesses falls victim to cybercrime each year, according to the National Cyber Security Alliance. And of those, some 60 percent go out of business within six months after an attack. Why are hackers turning their attention to small businesses?

A: There are a few elements to consider: First, small to medium-size businesses (SMBs) generally do not have in place the same cyber security practices as larger enterprises. They lack the same type of staff measurement or caution about how to safeguard information. That information can be financial, customer data, personally identifiable information (PII), or data compliance-related. They may not recognize that the data they have in their systems are, essentially, assets. And if they lose those assets—that data—they will lose the business. Second, hackers are attracted to small businesses once they realize that there is nothing much that an SMB or law enforcement can do. Most cyber crime is done over the Internet and in places where law enforcement has no jurisdiction. For example, there is no simple legal agreement between the United States and the European Union on cybercrime.

Q: When hackers shop for a small business to hack, what are they looking for—specific types of vulnerabilities?

A: Most of these businesses don’t understand the complexity of the data in their systems, and they process a significant number of transactions. They’re good targets. SMBs are red flags if they:

  • Export to and import from foreign countries. Thirty to 40 percent of SMBs engage in international transactions.
  • Wire money to and from foreign countries.
  • Conduct business and make payments through international vendors.

When SMBs exchange data with banks and third-party vendors over the Internet, hackers can gain access to a payroll system, generally just one PC, and lock down the company’s PC and bank accounts to do their own transfers. By the time the company is aware of the problem, one-third of the financial transactions are in the hackers’ accounts, and corporate data is lost. For example, Hillary Machinery Inc., based in Plano, Texas, lost $800,000 in unauthorized transfers from its bank in a 48-hour period. The bank retrieved $600,000 but legal battles ensued over security practices. The transfers were initiated from several Eastern European nations.
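The pattern described above (a single compromised PC pushing a burst of wires to unfamiliar foreign accounts within a couple of days) is something a bank feed or treasury tool can check for on the defender's side. The following is an added example, not code from the interview or any product it mentions; the wire records, thresholds and field layout are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample (not real records) of one small company's outbound
# wires, loosely modelled on the 48-hour burst described above. Fields:
# timestamp, amount in USD, beneficiary country (ISO code).
WIRES = [
    ("2013-03-01T10:00", 12500.0, "US"),
    ("2013-03-08T10:15", 11800.0, "US"),
    ("2013-03-15T09:50", 13200.0, "US"),
    ("2013-03-22T10:05", 12900.0, "US"),
    # burst: several large wires to never-seen countries within two days
    ("2013-04-02T03:10", 95000.0, "UA"),
    ("2013-04-02T03:25", 88000.0, "RO"),
    ("2013-04-02T04:40", 91000.0, "UA"),
    ("2013-04-03T02:15", 99000.0, "MD"),
]


def flag_wire_burst(wires, window=timedelta(hours=48), burst_factor=3.0,
                    min_history=3):
    """Return (timestamp, reasons) for wires that should be held for review.

    Rule 1: beneficiary country never seen in cleared history.
    Rule 2: total sent in the trailing `window` exceeds `burst_factor` times
            the largest window total ever cleared (a crude velocity check).
    A flagged wire never updates the baseline or the seen set, so a burst
    cannot whitewash itself as it goes.
    """
    parsed = sorted((datetime.fromisoformat(ts), amt, cc) for ts, amt, cc in wires)
    seen, baseline, flagged = set(), 0.0, []
    for i, (ts, amt, cc) in enumerate(parsed):
        window_total = sum(a for t, a, _ in parsed[:i + 1] if ts - t <= window)
        reasons = []
        if i >= min_history:  # need some cleared history before judging
            if cc not in seen:
                reasons.append("new destination country %s" % cc)
            if window_total > burst_factor * baseline:
                reasons.append("%.0f USD in 48h vs cleared baseline %.0f"
                               % (window_total, baseline))
        if reasons:
            flagged.append((ts.isoformat(), reasons))
        else:
            seen.add(cc)
            baseline = max(baseline, window_total)
    return flagged


if __name__ == "__main__":
    for ts, reasons in flag_wire_burst(WIRES):
        print(ts, "; ".join(reasons))
```

On the constructed data the four weekly domestic wires clear and all four burst wires are held, each for both reasons; in practice the hold would trigger an out-of-band confirmation with the account owner rather than a silent block.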

Q: How do hackers determine that an SMB is vulnerable?

A: They profile SMBs and focus on two types of targets: The first are SMBs engaged in ecommerce and the second are SMBs that engage in international trade.

The ecommerce SMBs use pretty defined Content Management Systems online. These CMSs are often custom-made from online platforms such as Drupal, Mambo, and Joomla for anywhere from $4,000 to $50,000. But the custom-builders often don’t engage in safe coding practices. So the end result is a portal sitting on the Internet with no credentials, or weak credentials for administration. It’s a tool that the SMB uses, but it never really went through vigorous review. When we look at fraud overall, around 60 percent of it originates in ecommerce, according to Verizon’s 2012 Data Breach Investigations report.

International trade SMBs that import/export are generally registered with a state for Foreign Qualification status. And foreign companies conducting business with American ones on American soil also must register with specific states as business entities in the U.S. So hackers get a list of these companies through public records, look around, and determine which company is the best target. Then the hackers go after companies that are sending wires.

Then the bad guys look at the company sites, their CMSs, and they see where the company is, who is behind it, and so on. These things are very opportunistic. They spend a few minutes on research, and then they say, “This is how I want to get in.” They send spear phishing emails to various employees at the company. Once the employee opens it up, the system is compromised. And they go right after the financial transaction PC from the compromised computer. Generally, it’s the attachment that an employee opens that gets them.

Q: The definition of an SMB varies, but is often explained by the number of people employed and annual revenue. Symantec Corp.’s 2013 Internet Security Threat Report focused on businesses with fewer than 2,500 employees. How do hackers size up SMBs?

A: One measurement hackers use to identify SMBs is their earning picture. They look at the earnings per employee for publicly traded companies. Hackers are not necessarily targeting the mom-and-pop pizza shop down the street where the earning picture may not be high. They target SMBs that are connected, that accept customer credit cards (PCI DSS Data) and use wires for payments. For example, hackers recently attacked an SMB that imports carpets from Eurasia. The SMB, based in New York, was very profitable. It had only two owners and two employees. Though the company had cyber liability coverage, it didn’t have enough. It was hit very hard. Also, think of suppliers for companies like Macy’s. The suppliers themselves may not import goods, but they serve as an umbrella for smaller boutique firms that import from overseas.

Q: How should SMBs take steps to protect themselves?

A: It’s very hard for SMBs to do this on their own. They may consider shifting their security environment into a cloud solution rather than trying to host it internally, because internally they most likely won’t be able to sustain the pressure. They have to look at other tools available. Maybe the state where they operate has cyber secure programs that they can utilize. For example, instead of using a payment system on their site, they can redirect payments to a third-party system using tools that the hackers can’t get to. The goal is for the SMBs to offset the liability. Sometimes the best option is to look at what you have, see who else can do it for you more securely, and then evaluate the cost.

Cyber attacks cause many SMBs to go out of business. The main reason is that almost none of them have sufficient cyber liability coverage. Another important step: SMBs should make sure they have a data breach policy that covers them for the steep costs they may face to comply with state and federal data breach laws, as well as potential lawsuits from victims. SMBs should be sure to select a coverage that offers value-added benefits such as access to expert service providers that deliver data assessments proactively, to protect against a breach, as well as breach response solutions.

There are two basic types of policies: first-party coverage and third-party coverage, which is usually added on to the first-party policy. First-party coverage covers the hard costs a company faces when responding to a breach, such as letters notifying affected customers. Third-party coverage gives protection to companies responding to third-party liability claims, such as damages caused by a vendor. Coverage is key. Say an SMB was breached and 50,000 credit card numbers were exposed. It’s going to cost the business approximately $250,000 in remediation costs, and that doesn’t even include fines and penalties from regulators and the PCI DSS Council. That’s maybe what that owner is making a year. It may be too much for the SMB to swallow that cost.