Dr. Chase Cunningham of Forrester Research recently spoke to a group of business leaders and IT professionals in Little Rock about cybersecurity. Although his previous work is with large enterprises such as the NSA, CIA and FBI, he contends that small- to mid-sized businesses are now the hot target for the "bad guys" because they are "easier ... low hanging fruit." The vulnerability of small- to mid-sized businesses (SMBs) is exacerbated by two common misconceptions:
(1) "I don't have anything worth stealing."
(2) "I'm too small for them to notice."
A closer look at each misconception belies the false sense of security we are depending upon.
"I don't have anything worth stealing."
Ransomware: The hackers may not be interested in stealing anything. They simply "brick" your computer and demand the ransom money in exchange for returning your computer to its normal, useable state. Until then, they've rendered your computer useless as a brick.
Fraud: If you have a computer and a bank account, you're a target. Essentially, you are tricked into paying money or divulging access to your bank account. Examples include social engineering, in which culprits are posing as someone you know and trust, asking for money. Or they may attempt con games in which they pose as a charitable organization or something similar.
Leveraging your data to get to the real target: Once hackers are in your computer, they can unlock your credentials to get into someone else's system. Or they will piggyback onto your system to get into another system. For example, the high profile Target breach was made possible by hacking the credentials of the local HVAC company that Target used, which opened the path to customer information.
Or who would have guessed that house cleaners would be targets? Yet they may have numbers for garage door openers and alarm codes, providing the keys to clients' houses.
Co-opting your resources for their use: This particular tactic is known as an Advanced Persistent Threat (APT). Bad actors establish a presence and hide out on any computerized device (traditional and IOT types) until they're ready to do what they want to do. They literally squat on computers to create a large network for their use, stealing your computer while you are looking at it. Some crypto miners who want to create bitcoin will use this method.
"I'm too small for them to notice"
This misconception is based on the notion that bad actors are being selective on the basis of predetermined traits and characteristics. Actually, they are looking for only one thing, unlocked doors, and are going door-to-door on the Internet to find them. Or they've gotten your name from another company they've hacked. Then they're doing mass mailings. You may not be the target. You are simply a target because your door is unlocked and/or you responded to junk mail.
WHAT CAN SMALL BUSINESS DO ABOUT IT?
• Get your head out of the sand and realize you are at risk for attack and real loss.
• Keep your software patched. Over a third of successful attacks leveraged unpatched software.
• Train yourself and employees how to recognize social engineering attacks. Individual users/employees are the top avenues for delivering malware.
• Whenever possible, use multi-factor authentication. Even if credentials get stolen, the ability of bad guys to use them is limited because they don't have access to the second factor.
President & Chief Security Officer
Mainstream Technologies, Inc.