The 2012 Data Breach Investigations Report published by the Verizon RISK Team disclosed that there were 855 data breach incidents and 174 million compromised records that occurred in 2011. In comparison to the 2011 investigative report, there was an increase of 94 data breach incidents and an overwhelming 170 million compromised records. These alarming statistics show that well-executed cyber attacks resulting in a successful data breach almost doubled in the past year. Today, the threat of cyber attacks continues to monopolize news headlines around the world as cyber criminals increasingly use the web to implement a mass generation of malware exploits. Cyber attacks have now evolved into a frequent and costly incident with an increasing number of businesses becoming a victim of at least one data breach in the past year. According to the Ponemon Institute, “the chances of an organization being hacked in a 12-month period is a statistical certainty and businesses of every type and sizes are vulnerable to attacks.”
But as large enterprises begin to ramp up their security network posture in response to the daily onslaught of attacks, small- and medium-sized business (SMB) now become the weak and easy prey. As more SMBs increasingly rely on the Internet to reach and communicate with customers, hackers are able to expand their target base and take advantage of small businesses that have inadequate and poor security measures. According to the Verizon Risk Report, mainline cyber criminals continued to automate and streamline their method of high-volume, low-risk attacks against weaker business targets. The collective susceptibility of businesses to cyber attacks is a considerable economic security challenge for all nations worldwide. However, a successful data breach can prove to be more financially devastating to a smaller organization in terms of a quick recovery. Baer Insurance Services, a leader in providing protection for small businesses, has estimated that “60% of the small businesses victimized by a cyber attack closed permanently within six months. Many of these businesses put off making necessary improvements to their cyber-security protocols until it was too late because they feared the costs would be prohibitive.” By almost any measure SMBs have a major impact in the economic security of a nation overall. As an important force in driving innovation, SMBs also outperform larger firms in net job creation and employ nearly half of all private sector workers. Although, many small businesses have found considerable financial success in operating effective e-commerce to gain a competitive edge in the global marketplace, cyber fraud criminals are making the Internet much riskier and dangerous for business owners.
The National Cyber Security Alliance reports that a large percentage of small business owners are still operating under a false sense of cyber security and 85% still believe that they are immune to security breaches. More worrisome, 53% of small business owners believe the high cost in time and money to fully secure their business is not justified by the threat. Small business owners are not fully aware of the true motives of cyber criminals and their ultimate goal in controlling smaller websites in order to spread malware infections, operate scams, obtain corporate intellectual property, and steal sensitive customer information and online bank accounts. Aside from the fact that SMBs can become a victim of data theft by managing sensitive information that is of interest to hackers, small firms can also even unknowingly aid in perpetuating cyber fraud by using unsecured computers, which hackers can infiltrate and use to attack other online businesses.
Moreover, Advanced Persistent Threats (APT) which are implemented by organized criminal groups have been a growing trend over the past couple of years. In a Dark Reading article, it was revealed that “Cisco Security Intelligence Operations has reported a significant increase in the number of unique instances of malware it’s finding, an indication of APTs under development or being deployed. And although big and well-armed companies such as Google, RSA, Sony, and Lockheed Martin have been hit, there are signs that APTs may be going after smaller and less well-protected organizations to get to their eventual targets.” Cyber criminals target small business websites because small companies traditionally rely on consumer anti-virus application or firewalls to secure networks and often lack the resources and technical knowledge to deploy effective network security technology and threat management protocols. For owners of websites that have been penetrated by malicious hackers, the cost of malware remediation comes with a painful price as well as lost business opportunities. Unexpected lawsuits, fines, negative publicity, and loss of valuable data can also tarnish business reputations and further disrupt the business operation. Nearly 41% of the companies surveyed by Ponemon Institute reported that security breaches have cost at least half a million dollars to address, when costs such as cash outlays, business disruption, revenue losses, internal labor, and overhead were taken into account. 59% revealed that information assets were the most serious consequence of a security breach, followed by disruption of business operation.
Small firms overall are soft targets for cyber crimes and are a more abundant prey. There are 25 million businesses that can be targeted in the business world compared to the 500 lucrative U.S. companies listed in Fortune Magazine. In the National Cyber Security Alliance survey, 85% of SMBs believed that they are less of a cybercrime target than large companies and 54% believe that they are more prepared to secure sensitive customer and corporate data than larger businesses. The Visa Inc. startling statistics, however, paint a different reality as 95% of credit card breaches that Visa has discovered are from their small business customers. The escalating number of cyber intrusions aimed at small firms can be attributed to a number of unique factors and challenges. Small business are still lagging behind in establishing a comprehensive security protective measures to protect their business and customer database. Small business owners are also not taking the necessary steps to establish a culture of responsible security among their employees, third-party providers, and customers. The National Cyber Security Alliance reports that 77% of small organizations do not have a formal Internet security policy and only 40% have a corporate policy preventing employees from connecting company devices to unsecured wireless networks.
The survey also reveals that only 52% of small-business owners have plans for keeping their networks, data, and computers safe, and only 43% have a plan in place to respond to the loss of customer data, such as credit or debit card information or personal identifying data. Small organizations also lack the resources and technical skills to stop cyber attacks against networks. With limited budgets and only a few security staff members operating the IT departments, small firms generally have weak security making them more susceptible to cyber attacks. In addition, malware exploits account for most data breaches as downloads, embedded on a rogue Websites, or distributed by social networking sites. Security Week has reported that the prevalent use of sophisticated malware is crafted to ensure it remains undetected by antivirus products and have advised all organizations to start dealing with malware at the network level and to analyze all malware-related traffic by performing a full inspection of all traffic on all ports. Traditional malware detection solutions such as antivirus applications, firewalls, spyware, and spam softwares are not designed to detect and prevent advanced malware threats.
The Business News Daily, a guide for start-ups and small businesses report that small business cyber attacks are getting more creative and stealthier. Cyber criminals are always looking for innovative ways to commit fraud and are armed with sophisticated malware exploits and hacking techniques to net more new victims. It has been estimated that there are now 403 million different versions of malware designed to gain user access control, send malicious content, obtain sensitive personally identifiable information (PII), and steal credit card details. Simple security measures can go a long way to deter some attacks, but in order to effectively prevent successful security breaches from actualizing and becoming a persistent threat, a complete network security solution with situational awareness and a strong intrusion detection technology is required. The Verizon RISK Team report revealed that 85% of the investigated data breaches incidents that occurred in 2011 took weeks or more to be discovered and 92% of incidents were discovered by third-parties, not the compromised company. More alarming, 56% of small businesses surveyed by Ponemon Institute reported that most of the breaches were discovered accidentally or through a costly audit.
Security risks are increasing in quantity and complexity, while at the same time successful cyber attacks are significantly impacting an organization’s operations and success. Data breaches have become the latest epidemic rising in proportion. Like an epidemic, the impact of a data breach can be reduced only through proper planning and appropriate response. Understanding the security risk factors combined with taking action to reduce risk is how small organizations can overcome. Reversing these trends and security risk factors requires a comprehensive security approach that reduces the risk of cyber attacks, financial loss, and reputation damage. Aside from establishing a responsible security plan for the entire organization, SMBs need to invest in an capable network security solution that will provide both network visibility to mitigate security risks and a strong intrusion detection to detect both internal and external security threats.