Rorschach Electronics never had a clue.
For months, its customers' credit card data was quietly being harvested by cyber criminals in Eastern Europe. It wasn't until the store's payment processing company linked a series of fraudulent charges back to the family-owned business that Rorschach realized it had been hacked.
By then, the attackers had racked up nearly $3 million in bogus charges, according to the store's credit card issuer, which fined the store $100,000 for the security breach.
Rorschach is not the store's real name; the company insisted on anonymity for this story, lest the publicity make them a target for future attacks. The company is now attempting to appeal that fine – a process its attorney, Aaron Messing, describes as “Kafkaesque.”
The Rorschach story is not at all unique, says Messing, who specializes in data security and privacy issues for OlenderFeldman LLP in Union, New Jersey.
“One of the biggest fallacies about small-to-medium businesses is that they're too small to be noticed by hackers,” he says. “That's simply not the case.”
In fact, for SMBs the opposite is true. Because they handle a lot of sensitive information, like credit card numbers, small businesses are enticing targets. And because they lack the resources of large enterprises, their security is often paper thin – making them easy pickings for organized gangs of cyber crooks.
It CAN happen to you
While attacks on large enterprises have declined slightly over the last year, threats to SMBs have risen sharply. Cyber attacks targeting businesses with 250 employees or less doubled in the first six months of last year, according to Symantec. The average loss per attack: more than $188,000.
Even mom-and-pop businesses are at risk from ransomware schemes, where access to their computers or data is blocked by attackers until they fork over money, says Brian Burch, vice president of SMB marketing for Symantec. It's safer and more profitable for organized crime gangs to target thousands of businesses remotely than risk life and limb robbing banks, he adds.
“It's much easier for criminals to extract cash from thousands of miles away where there are no bullets flying or people trying to snap cuffs on you,” says Burch. “They now have the ability to attack thousands of businesses at a time and pick off the most vulnerable ones.”
And yet most small businesses are unaware of the risks. Two thirds of SMBs surveyed by Symantec say they're not concerned about cyber threats, and more than 80 percent have no formal cyber security plan.
“SMBs suffer from 'It can't happen to us' syndrome,” notes Robert Siciliano, security expert for McAfee. “They also typically don't have the resources to secure their networks to the degree a large enterprise would. But the information on their networks – and access to their bank accounts – still makes them a big target.”
Follow the money
How do cyber criminals find victims from thousands of miles away? Largely via phishing attacks and other forms of social engineering, notes Stu Sjouwerman, founder of KnowBe4, a security training firm that teaches clients how to recognize and avoid phishing attacks.
Attackers may send spam that looks like it came from corporate HR, luring employees to a fake site where they are asked to give up their network log-in credentials. Or the site might perform a “drive-by download,” infecting their systems with malware. Or an infected attachment may install software that captures every keystroke or opens a backdoor into the corporate network.
Attackers will often target a specific person in an organization, usually a CEO or CFO, and craft a fake email designed to fool them into clicking a link or opening a document, says Sjouwerman.
“C-level executives are the biggest targets and the easiest to socially engineer,” he says. “Attackers will even target their home networks. The next time the CFO logs into work from home – bingo, they're in.”
Once infected, the malware can sit dormant for months, waiting for the right moment to strike. Rorschach was infected at least six months before a single credit card number was stolen, notes Messing.
From there, attackers can create phony invoices for supplies that were never ordered or paychecks for employees who don't exist, says Stephen Cobb, security evangelist for anti-virus vendor ESET. They can siphon money directly from company coffers via wire transfers. They can steal credit card information or intellectual property and sell it on the Internet's black markets. Or they use the stolen log-in credentials to gain access to the networks of larger companies with whom the SMB does business.
“If an attacker can get into your machine, they can probably get money out of it one way or the other,” Cobb says. “If not, they can get information about people they can sell.”
How do you know you've been hacked? “When money starts disappearing,” says Burch.
Protecting your business against random attacks from thousands of miles away isn't easy. It means following many of the same steps taken by Fortune 1000 organizations – only on a much smaller scale. Fortunately, major security vendors like Symantec and McAfee have begun offering cloud-based security services for SMBs starting around $20 per user annually.
But that's not enough. You'll also need to start practicing good “cyber hygiene,” says Monica Hamilton, an SMB product and solutions marketing director for McAfee. That means securing all devices that access the company network, including those users bring from home, and using only secure VPNs for remote access. It also means enforcing tough policies for password management, adopting a security mindset (understanding threats, assessing vulnerabilities and taking countermeasures against them), and training employees on how not to be the weakest link in the chain.
“It’s not glamorous, nor fun,” she writes. “You don’t win any prizes, you don’t set any records, you don’t get famous – but you could very well save your business.”
SMB Security Checklist
- Lock down your endpoints. That means securing every desktop, laptop, smartphone, or tablet that accesses your network. If they contain company data, that data needs to be encrypted – no exceptions.
- Secure every connection. Remote access is the primary way attackers get into your network, so you need to closely monitor every log-in to make sure it's legit.
- Check for compliance. If your business accepts credit cards, you'll need to follow the PCI DSS standard or face the consequences. Even if you're in an unregulated industry, you may sell to a larger company that has strict security rules you must follow.
- Hire a hacker. A white-hat hacker can perform penetration tests on your network and identify your weak spots.
- Consider cyber insurance. If you are hacked, cyber liability insurance may cover most of the costs of data recovery, as well as any litigation that arises from a breach.
- Train your employees. All of the above will be useless if your employees are duped into opening the door for cyber crooks. “You cannot count on endpoint protection to catch everything,” says KnowBe4's Sjouwerman. “You need a human firewall as well.” – D. T.
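As an added illustration of the “monitor every log-in” item above (example code, not from the article or from any vendor named in it): a small Python review of constructed remote-access log records that flags a user's first-time source address, off-hours log-ins, and a success that follows a burst of failures. The log layout, the business-hours window and the failure threshold are assumptions.

```python
# Added example (not from the article): review a batch of remote-access
# log-in records and flag the ones a small business should look at twice.
# The log lines below are constructed sample data; the field layout
# (timestamp, user, source IP, result) is an assumption, not a product's format.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2013-03-04T09:02:11 alice 203.0.113.10 success
2013-03-04T09:15:40 bob 198.51.100.7 success
2013-03-04T23:47:02 alice 192.0.2.55 success
2013-03-05T02:10:00 bob 198.51.100.7 fail
2013-03-05T02:10:05 bob 198.51.100.7 fail
2013-03-05T02:10:09 bob 198.51.100.7 fail
2013-03-05T02:10:14 bob 198.51.100.7 success
2013-03-05T10:30:00 carol 203.0.113.10 success
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumed window)
FAIL_BURST = 3                  # consecutive failures before a success worth a look

def review_logins(log_text):
    """Return (user, timestamp, reason) for each successful log-in worth a second look."""
    known_sources = defaultdict(set)   # user -> source IPs seen on earlier successes
    recent_fails = defaultdict(int)    # user -> consecutive failures since last success
    flags = []
    for line in log_text.splitlines():
        ts_text, user, src, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if result != "success":
            recent_fails[user] += 1
            continue
        reasons = []
        # A first success is the baseline; later successes from elsewhere get flagged.
        if known_sources[user] and src not in known_sources[user]:
            reasons.append(f"new source address {src}")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({ts.strftime('%H:%M')})")
        if recent_fails[user] >= FAIL_BURST:
            reasons.append(f"success after {recent_fails[user]} failures")
        known_sources[user].add(src)
        recent_fails[user] = 0
        for reason in reasons:
            flags.append((user, ts_text, reason))
    return flags

if __name__ == "__main__":
    for user, when, why in review_logins(SAMPLE_LOG):
        print(f"{when} {user}: {why}")
```

Run against the sample, it reports alice's late-night log-in from an address never used before and bob's 2 a.m. success right after three failures, while the daytime log-ins from known addresses pass silently.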
Award-winning journalist Dan Tynan has been writing about Internet privacy and security for more than a decade. Read his privacy blog, Thank You For Not Sharing, or follow him on Twitter: @tynanwrites.