Feeling paranoid? Think people are out to get you? If not, you're just not paying attention. Small businesses have gained the attention of large companies who lust after their buying power. And unfortunately, hackers now lust after small business for their intellectual property and customer data, and find smaller companies make easier targets because their defenses are weaker.
So says Dan Hubbard, vice president for security research at Websense, the security firm which just announced the Websense Express product line for SMB. The trend for large companies to make sophisticated security tools affordable for small companies is a trend we should all encourage.
Who says hackers target small businesses besides Websense? How about Visa? According to the credit card company, since 2005 small businesses represent less than 5% of exposed accounts but have been the source of 80% of identified data security compromises (I don't now how they define "small business," so it may be companies with up to 1,000 employees). You know the reason: small businesses don't have the security expertise in house to protect themselves. And crunched budgets often stop businesses from adequately defending themselves even when they know they should.
Hubbard says his company's research shows phishing attacks have moved from the big national companies down to neighborhood credit unions and small banks. Quaintly known as "puddle" phishing, these attacks prove spam must be cheap, because the phishers will launch millions of messages to get a bite from a customer of a small financial services company with only a few thousand accounts.
Websense says some of the technical managers it has talked to at banks and credit unions don't know enough about phishing, and even those that do often lack a plan to contact and reassure customers and handle questions when they are victimized.
Even small retailers have value to hackers. Take a look at, say, a liquor store. They do thousands of transactions every week or two. If the store installed its own wireless network with poor security, hackers can sit outside and capture customer data in real time. If they snag one complete transaction, they have a stolen identity in their pocket. They might have done this in the past by dumpster diving and hoping to find credit card receipts, but sitting in the parking lot keeps them smelling better. The fact that most printed receipts today include only a part of the credit card number adds another reason hackers eavesdrop rather than dive.
Midsize companies in industries full of intellectual property, like aerospace firms, get targeted as well. Stolen data gets sold to competitors, often overseas.
While I've never been a big fan of tight Web surfing controls on employees, believing managers should manage rather than trust software, hackers may force me to reconsider. Websense reports Web browsers are the preferred entry point for viruses and worms now, taking over from e-mail payload delivery. Stopping employees from surfing to gambling sites, for example, cuts your exposure considerably.
But you need surfing security even when you block every suspect site, because well known national sites get compromised. Hubbard says one of the sites for the last Super Bowl turned into a hacker tool for a while the day before the big game. Oops.
What can small companies do? Outsourcing Web hosting, especially e-commerce sites, turns security management over to professionals (for the server but not necessarily your applications). Treat every byte of customer data like money, because if you lose it, you will pay and pay and pay. Too many small businesses believe "common sense" can protect their customer data. Not only is that not true, but even if it worked, common sense remains in short supply.
Websense licenses its products on a per-seat, per-year basis. In the U.S., the cost is $20.50 each for 1-250 users. Over 251, and the price drops to $15.50 per seat. Prices also drop with longer contract times and more licensed users.
Is it a shame we have to worry about attackers targeting data and customer information every minute of the day? Yes. Will life get easy in the next year or two? Not really, so bite the bullet and protect yourself if you've only been using the "cross your fingers" method. If you do have strong security systems in place, check them regularly.