Thursday, July 22, 2010

Guest Post - Kevin Elrod - Small Business - The New Focus For Cybercriminals

We have a guest post from Summer Intern, Kevin Elrod.


RESEARCH OUTLINE:

Topic:  Cybercrime – Small Business Cases
Research by:  Kevin Elrod
Date: 07/22/2010

TEASER/TITLE:   Small Businesses – The New Focus for Cybercriminals

SUMMARY PARAGRAPH

For many small business owners, the recent economic downturn has brought a sea of economic challenges.  A new threat, however, has emerged which may be the nail in the coffin, and it has come in the form of cybercrime.  Hackers and computer criminals have lately been turning away from the impenetrable security systems of large corporations in order to reap the fruits of the vulnerable small business sector.   To the careless, or even prepared, entrepreneur this may spell bankruptcy, and the effects could trickle down causing further harm to local economies.  Action must be taken in order to insure financial security for small business owners, especially in our current economic climate.



KEY FINDINGS

Cybersecurity insurance is an effective and reasonable way of protecting a small company’s business assets, although according to cio.com only 25% of companies have it

After the development of anti-virus software, the main attack channel has switched from email to the web for many criminals targeting small businesses.

A hefty portion of small business owners have little to no cybersecurity at all.  According to a report by Tim Wilson for DarkReading.com, 1/5  of all small businesses don’t use anti-virus software, 60% have unencrypted wireless networks, and 2/3 do not have a proper security plan in place.



BACKGROUND

Since the beginnings of the internet, bad intentioned citizens and criminals have sought to manipulate it for their own personal gain.  Cybercrime has evolved tremendously over the past few decades, from the “Melissa” and “I Love You” viruses of the late 1990’s which jumpstarted the growth of anti-virus software to the more recent denial-of-service (DoS) attacks which freeze networks by overloading them with outside data.  Now, cybercrime is undergoing a new phase by switching its focus to the susceptible assets of small businesses.  According to a survey conducted by the Canadian Chamber of Commerce 85% of all business fraud occurs in small to medium-sized businesses.  These companies do not have the means to pay enough attention to these threats due to scarce resources and insufficient time.

After the popular growth of anti-virus software in the late 1990’s most of all cyber attacks have switched from emails to the World Wide Web.  Today, the most common threat faced by small businesses is web-based crime.  Small company owners must realize that security plans that commit solely to anti-virus software is no longer sufficient to keep themselves protected.



STRATEGIC PLANNING ASSUMPTIONS

Hackers are turning away from the hardened, secure networks of large corporations and turning towards small businesses
Web-based threats are emerging as the most common form of cybercrime.  According to the World Economic Forum total online theft for 2009 alone totaled over $1 trillion.

Small companies are becoming increasingly disintegrated and spread out as they begin to rely more heavily on outside consultants and expertise.  Mergers also divide the company trust by acquiring rival business staff.  These hazards increase the risk of untrustworthy employees who might use company knowledge to steal their electronic assets.


ANALYSIS

Keeping one’s business secure from cyber threats in today’s digital world is no longer as simple as it used to be.  Evolution has taken small businesses from cash and checks to regulating most of their finances on the web.  Not all small-sized businesses have safely adapted to this change, however.  According to David Hogan, senior vice president for the National Retail Federation, only 60% of Level 3 businesses (just one level above mom-and-pop shops) have complied with the Payment Card Industry’s Data and Security Standards (PCI DSS) which strive to protect credit card data.  Companies that put off essential security standards can suffer drastic consequences, as can be seen in a case of a California escrow firm.  Last March, computer bandits broke into the online banking network of Village View Escrow Inc., a company based out of Redondo Beach, stealing a total amount of $465,000.  The culprits then proceeded to make 26 wire transfers to 20 various individuals around the globe who have no relation to the company.  Unlike consumers, when businesses lose money online there really isn’t a sure way of retrieving it.  Since the incident, the owner of Village View Escrow has had to take out a $395,000 loan at 12% interest to get back on track, and it will surely be some time before that ever happens.

Another similar incident occurred last April at DKG Enterprises, an Oklahoma City party supplies firm.   David Green, a manager for DKG, usually only accessed the company’s bank account from a Mac computer in the office.  Last April, however, while he was sick and working from his home he found he needed to authorize a company transfer.  He decided to use his wife’s PC because he could not get to the office that day.  Of course, this was the same computer his children play on, and it had at that time contracted a password-stealing Trojan horse.  A few days later, computer hackers had stolen $100,000 from the company account using their stolen password.  As of yet, DKG has been able to recover only $22,000 of their losses.  Krebsonsecurity.com recommends using a Mac instead of a PC when handling online business accounts because many of the viruses aimed at stealing passwords simply do not work on Macs.  In any case, these cases stress the importance of protecting one’s business from cybercrime.


RECOMMENDATIONS

Consider using in third-party security services to manage credit card purchase processes to reduce the risk of cybertheft.

Changing passwords regularly is an effective security policy especially after an employee leaves the company.

Purchasing cybersecurity insurance is one effective measure of protecting a business’ assets.  After a recent incident in which cyber thieves stole $35,000 from Brookland Fresh Water Supply District, the company was able to retrieve all of their funds in exchange for a $500 deductable.  Without the insurance not only would the company have suffered but so would the 1,300 homes and businesses it provides for.

Encrypt your wireless networks – this needs no further explanation.  Consult a computer professional if you are unsure how to do this.

Establish an acceptable use policy for office computers storing company data.

Arrange for all company computers to be equipped with up-to-date security software.
SOURCES

Tim Wilson, Darkreading, March 19, 2009
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=215901301

Brian Krebs, KrebsonSecurity, blog from Jun 10 – July 10   http://krebsonsecurity.com/category/smallbizvictims/

Randy James, Time, June 1, 2009 http://www.time.com/time/nation/article/0,8599,1902073,w00.html#ixzz0thKk6ckI

BusinessPundit.com interview with Robert Gorby, June 17, 2010            http://www.businesspundit.com/interview-protecting-your-small-business-from-cybercrime/

1 comment:

  1. Hi there, awesome site. I thought the topics you posted on were very interesting. I tried to add your RSS to my feed reader

    and it a few. take a look at it, hopefully I can add you and follow.
    Maamidi Enterprises

    ReplyDelete