Cyber-attacks make headlines on a daily basis. The news media commands attention by publicizing high-profile cases: well-known companies, enormous losses, and serious consequences. With all the focus on the big guys, it’s easy to overlook the fact that no business demographic is immune from cyber-attacks. In fact, recent reports estimate that small companies, those with fewer than 500 employees, may be experiencing as many as half of all targeted cyber-attacks. Half!
Who is attacking the small business and why?
The threat to the small business is the same as for any business. The adversary is after company information and customer data, and since small businesses don’t have multi-million dollar security budgets, they can be a much easier target.
The growing trend is for competitors to steal corporate information as an easy way to level the playing field. Not only does this put your new, highly innovative product or idea at risk while your intellectual property sits "safely" within your own network, but it also means that all your vendors will be targets too. As corporations increase their cyber security protection (spend more $), attackers will look for new routes to target their most prized intellectual property (IP). For example, think of the treasure trove of corporate secrets that your legal firm has in its possession at any given time.
Another major issue for small businesses is theft of personal information. Why should cyber criminals target Fortune 1,000 companies when there are thousands of small businesses that are far easier to penetrate?
"I recently had a client who owns a restaurant where credit card information got released to the public," said Scott Hauge, who is the president of Small Business California, a small-business advocacy group. "As a result, MasterCard is looking to collect $200,000 in fines and he is also looking at numerous credit card holders bringing action against him. Visa recently stated that 95% of credit card thefts originate at small businesses," Hauge said.
This quote demonstrates a small business's worst fear: hundreds of thousands of dollars, potentially more, in unexpected fines disrupting its business. Most small businesses cannot survive such a situation.
Small businesses are susceptible to sophisticated attacks too.
Law firms, for example, offer the cyber adversary valuable information on international mergers/acquisitions and trade, public policy, and export-controlled technology. On two separate occasions, Cyber Squared’s investigations have identified sophisticated threats targeting international law firms. In the first case, the law firm under attack advises on public policy and regulatory issues. The second victim was a very large international law firm representing Global 1,000 and Fortune 500 companies on high tech issues and emerging growth areas.
A well-executed cyber-attack can effectively put a small business out of business. While cyber insurance may help offset costs associated with the loss itself and contain the damage and litigation, it won’t cover the loss of reputation. Customers have little tolerance for having their sensitive data stolen. Most states have enacted breach laws, so customers must be notified.
How does a small business protect itself?
FEMA, under the Department of Homeland Security, has released a “Common Sense Guide to Cyber Security for Small Businesses”. This is a 12-step good practices list that includes case study examples of what goes wrong when these practices are not applied. (Notice that Case #12 includes two law firm examples.)
Are good practices enough?
While applying good practices in a consistent, timely manner reduces risk, these practices don’t offer adequate protection against a sophisticated adversary.
As enterprise corporations continue to increase spending on cyber security protection, many companies in the “protection” business focus primarily on solutions for these enterprise customers. In many cases, their solution is incident response based, which doesn’t necessarily help the small business, where the first incident can put the small business out of business.
Cyber Squared believes that everyone deserves affordable protection. This is especially important for small businesses that don't have large budgets for cyber defense. With our understanding of how sophisticated cyber threats exploit gaps in network defense and security policies, we identify risks to your organization's business process and tailor our response based on timeline, acceptable cost, requirements from legal authorities, and acceptance of risk. Doing this upfront allows our customers to feel comforted that they are prepared when, not if, the sophisticated threat comes knocking. This also minimizes costly response efforts, or losses resulting from a successful breach of your business.