Big corporations have long understood the need to protect against cyber criminals out to wreak havoc on their computer systems in order to steal money or customer data—or both.
Yet technology experts say small businesses are just as vulnerable, and don’t even know it. “The same small business owner who will spend money putting in an alarm system, a fence around the building, and locks on every door, is the same person who doesn’t see the need to take security precautions with his IT system,” says Brian Reich, founder and president of The Reich Group, a security consulting firm based in northern New Jersey. “The three prongs of security are physical, personnel, and IT security. Unfortunately, a lot of small businesses forget about that last piece because they operate under the assumption that since they’re small, they can’t get hacked.”
Nothing could be further from the truth. That’s because small firms typically have weaker security profiles that enable hackers—or even disgruntled ex-employees—to easily penetrate their systems to steal proprietary information, explains Ed Skoudis, an instructor with the SANS Institute, a leading information security training and certification school based in Bethesda, Maryland. And with few (if any) IT professionals on staff at small firms to monitor these breaches, the issue often gets pushed aside until an attack actually happens.
And it’s occurring more frequently at these smaller firms. According to Verizon Communications Inc. and the U.S. Secret Service, of the 761 cyber attacks that were reported in 2010, 482 of them—or 63 percent—were at companies with 100 or fewer employees. With thinner financial resources, the cost of a digital break-in can even put a small company out of business. Speaking at the recent International Conference on Cyber Security in New York City, Shawn Henry, the FBI’s top cyber investigator, cited a case where a small business had to close up shop after hackers were able to steal $5 million from its accounts.
Passively scan for security holes
So how does a small business figure out just how vulnerable its online data is? Skoudis and others recommend that they start with a vulnerability scan. Akin to a routine physical, this test looks at your entire computer network every quarter or so to determine weaknesses—or vulnerabilities—that could allow an attacker to get in and steal sensitive information, such as customer lists and credit card information.
Qualys, a provider of on-demand IT security risk and compliance management solutions, based in Redwood Shores, California, offers a free security assessment that small businesses can try, says Skoudis. It includes a scan that detects security vulnerabilities in your systems that face the Internet, including your web server. For a fee, the company can conduct scans that look across your entire network and detect internal vulnerabilities, such as malware infections and threats. The cost is based on the number of IP addresses being scanned and the frequency of those scans.
Actively test your defenses
Going one step further, Skoudis recommends a penetration test—or pen test, as it’s often called. It begins with a vulnerability scan, but then attempts to exploit a company’s IT weaknesses to determine how easily, and to what extent, a hacker can bring a company to its knees. A penetration test can cost anywhere from a few thousand dollars to tens of thousands of dollars depending on the size of the company and how many computers need to be scanned.
“We’ve done pen tests where we were able to get a company’s customer records and all their credit card information,” Skoudis recalls. “When a company gets breached like this, it can destroy its reputation and drain its bank accounts overnight.” And any company that needs to be compliant with Sarbanes-Oxley or HIPAA rules, adds Reich, is even more vulnerable should a security breach occur.
Of course, the difference between a penetration tester and a hacker is that the former has permission to break into a computer network and steal information and the latter does not, according to SANS.
Kevin Mitnick is skilled at both roles. He was once one of the world’s most notorious hackers and today is a best-selling author on information security and president of his own firm, Mitnick Security Consulting. He often consults with small businesses and sees first-hand what happens when cyber security issues are ignored.
For example, he’s currently working with a small e-commerce company based in New Jersey that routinely takes and stores credit card information from its customers. The problem, explains Mitnick, is that the company stored this financial information on its servers unencrypted, or in other words, as plain text. A hacker who was able to get access to the data had to do little more than copy the numbers to begin fraudulently using them. “The credit card company was the one who figured out the stolen numbers were coming from this business,” Mitnick says. “The owner of the company had no idea this was happening and now they’ve hired me to do a security assessment of their site.”
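The plaintext storage Mitnick describes, beside an encrypted-at-rest alternative, as an added Go example that is not from the article or from any firm named in it. The CardRecord schema, the function names and the sample card number are assumptions constructed for illustration; the encryption key is assumed to be held outside the database (a KMS or HSM), which is what makes a copied table useless on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is a hypothetical row in the merchant's card table (constructed
// for this example). Payload holds either the raw PAN or an encrypted blob.
type CardRecord struct {
	Customer string
	Last4    string
	Payload  string
}

// storePlaintext is the practice the article describes: the full card number
// is written exactly as received, so anyone who can read the table can use it.
func storePlaintext(customer, pan string) CardRecord {
	return CardRecord{Customer: customer, Last4: pan[len(pan)-4:], Payload: pan}
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of any other size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// storeEncrypted keeps only the last four digits readable and seals the full
// number under a key that lives outside the database.
func storeEncrypted(customer, pan string, key []byte) (CardRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	// Binding the customer id as associated data means a ciphertext copied
	// into another customer's row fails to authenticate.
	sealed := gcm.Seal(nil, nonce, []byte(pan), []byte(customer))
	return CardRecord{
		Customer: customer,
		Last4:    pan[len(pan)-4:],
		Payload:  hex.EncodeToString(append(nonce, sealed...)),
	}, nil
}

// openEncrypted is the only path back to a full PAN, and it requires the key.
func openEncrypted(rec CardRecord, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(rec.Payload)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("payload too short")
	}
	pan, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(rec.Customer))
	if err != nil {
		return "", err // wrong key, tampered blob, or blob moved between rows
	}
	return string(pan), nil
}

// leaksPAN is the check an assessor runs over a table dump: is the card
// number present verbatim in what was stored?
func leaksPAN(rec CardRecord, pan string) bool {
	return strings.Contains(rec.Payload, pan)
}

func main() {
	pan := "4111111111111111" // constructed test number, not a real card
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plain := storePlaintext("cust-42", pan)
	enc, err := storeEncrypted("cust-42", pan, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext row leaks PAN:", leaksPAN(plain, pan))
	fmt.Println("encrypted row leaks PAN:", leaksPAN(enc, pan))
	got, err := openEncrypted(enc, key)
	fmt.Println("recovered with key:", got, err)
	moved := enc
	moved.Customer = "cust-99" // same blob, different row: must not open
	_, err = openEncrypted(moved, key)
	fmt.Println("moved blob opens:", err == nil)
}
```

Encrypting at rest is the minimum that stops a copied table from being directly usable; where the business can keep a payment processor's token instead of the card number, not storing the full number at all is the stronger choice, and the last-four field is all the application then needs for display.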
The cost of doing nothing
Mitnick, as well as others, point out that companies—big and small—who accept credit cards are required to be compliant with PCI Security Standards, the governing body that establishes the security measures merchants must have in place in order to securely accept and store credit card data. Routine vulnerability testing is one of the requirements in order to be PCI compliant, points out Skoudis, and yet companies will regularly overlook or ignore this step because they think they’re too small to be hacked or just don’t make the time. According to PCI, should customer credit card data be stolen, a small business can be liable for fines and penalties. According to FocusOnPCI.com, a site dedicated to explaining the details of PCI compliance, each cardholder data breach can cost a small business between $50 and $90. Multiply that by hundreds or even thousands of customers and the cost escalates quickly. Further, non-compliance can also result in a small business being prohibited from accepting credit cards in the future.
No amount of IT security and vigilance can completely eliminate the risk of an IT breach, say the experts. “There isn’t an agency, organization, or company I know of that hasn’t been hacked to some degree,” says Edward J. Appel, a former FBI agent for 28 years and now a computer security consultant. The goal, they say, is to mitigate that risk by making it harder for networks to be compromised in the first place. Says Appel: “If you say you can’t afford it or don’t need to periodically see where your company might be vulnerable, you’ve already ceded control to the bad guys.”