[BreachExchange] No Such Thing as Too Small to Hack

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 11 21:17:48 EDT 2017


http://infosecisland.com/blogview/24972-No-Such-Thing-as-Too-Small-to-Hack.html

Small business owners all too frequently believe that they won’t be
targeted by hackers because they don’t offer anything of interest to
cybercriminals. Since mainstream media outlets tend to focus solely on the
“spectacular” large corporate and government breaches, it’s somewhat
understandable that this misconception continues to fester. But that narrative
may be starting to shift – at least a bit.

The U.S. Securities & Exchange Commission recently stated that SMBs are “at
even greater risk, and are far more vulnerable once they are victimized.”
As the volume of attacks and lucrative profits continue to grow, all
business owners – from Fortune 100 companies to small family-owned
businesses – need to get serious about defending their business websites
from being compromised.

A 2016 SEC report projects that “cybercrime will cost the world in excess
of $6 trillion annually by 2021, up from $3 trillion in 2015.” Even with
these skyrocketing figures affecting every sector of the global economy,
mostly only large corporations have made significant progress toward
mitigating this threat. Either by refusing to admit that they will be
targeted or insisting that they already have sufficient protection, SMBs
are still largely in denial about the clear fact that a business remains
vulnerable as long as its website remains unprotected or unmonitored.

Small business owners often aren’t aware of the fluid and dynamic nature of
discovering and disclosing vulnerabilities, and how this causes both
updated and outdated website platforms to be at risk. According to a
spokesperson for the Small Business Administration (SBA), companies that
use Web Content Management Systems face even more acute threats, as “at
any given time between 70 to 80-percent of users are running outdated
versions of WordPress – leading to critical and well documented
vulnerabilities.”

An owner of a typical small business site reviews web traffic figures
daily, and they are often pleased to notice any increase in volume.
However, analysis from multiple independent studies illustrates that an
average of seven percent of daily traffic actually consists of hackers
exploring and/or exploiting vulnerabilities. That figure is likely even
higher for a “small fish” SMB that provides goods and services to a “big
fish” – since these SMBs are often used as gateways into the more heavily
defended large enterprises.

While DDoS attacks tend to receive some of the more frequent, large-scale
press coverage, there are other website attacks that can wreak even more
havoc on a small business. The nearly constant stream of application-layer
bot attacks is much more common and harder to detect and defend against.
“Bad” bots are masquerading as “good” bots such as Google and Bing crawlers
– but are actually conducting competitive data mining, account hijacking,
and much worse. They affect a business website’s availability, degrade the
user experience, and vacuum up proprietary information all while under the
radar – potentially eroding consumer trust in a brand.

Small businesses that are hacked often suffer losses of much greater
magnitude than their larger counterparts because they lack the established
“name recognition” of big companies. Hackers may use a site to host
malware, to get around blacklisted IP addresses, which can gravely affect
a company’s marketing efforts by hurting their search engine rankings on
Google, Bing and many others. If a company’s site is detected as
compromised, search engines will devalue the domain until the company is
able to rid it of malicious code.

Since mid-2010, attacks targeting small businesses have steadily increased
to the point that they now account for about half of all attacks. Despite
the high probability of facing a very real cyber-nightmare, the vast
majority of small business owners have not made significant progress
because they either lack the resources for sufficient defense or have not
taken the threat seriously. According to the Small Business Administration
cybersecurity portal, owners and staff with IT responsibilities must begin
to think about how to respond to a sudden loss of control or access to
their website platforms. They should prioritize security assets “by
conducting penetration tests and then shoring up defenses against the
vulnerabilities that are discovered.”

SBA analysts recommend that owners utilize technology that is designed to
solve the specific challenges that the business is facing in the cyber
arena. “Small businesses should automate as much of their security as they
possibly can. If after performing an inventory, customers employ data loss
prevention technology to monitor if sensitive information is leaving the
organization, they can automate scanning for these types of
vulnerabilities,” the organization states.

Technology alone does not equal security, as owners and employees must
begin to realize that their websites offer a potentially immense value
proposition to hackers. An SMB is definitely not too small to care.