Attackers now targeting small business?
At the Visa Security Summit last week there was a panel discussion on “Small Business: The New Target of Data Thieves.”
We do a lot of work helping protect small and mid-sized business (SMBs), and it’s great to see these organizations get attention.
An article over at Dark Reading covered the Visa discussion well: Small Business: The New Black In Cybercrime. Interesting tidbits:
- Improved security at large organizations is driving criminals to target the less secure SMB business sector.
- 85% of all fraud (in Canada, at least) occurs at SMBs
- SMBs struggling to meet PCI compliance should move to using payment processing gateways and other means to avoid having to deal directly with card data.
Do you buy that first point? Sure, there have been incremental improvements in large business security in recent years, but hardly enough to put a dent in the number and magnitude of their data breaches.
It’s easier to attack small businesses, but they have so much less to steal. It takes a little more effort and time to crack a large business, but a success nets criminals millions of card numbers, accounts, personal identities or dollars.
If large business security improvements were having a real effect I’d expect black market prices to trend upward. Most data sold on the underground originates from breaches of large businesses, yet prices continue to fall. For example, Symantec’s Internet Threat Reports for Jan–Jun 07 and Jul–Dec 07 still show prices falling:
| Type of data | Jan – Jun 07 | Jul – Dec 07 |
|---|---|---|
| Credit cards | $0.50–$5.00 | $0.40–$20.00 |
| Bank accounts | $30–$400 | $10–$1000 |
| Full identities | $10–$150 | $1–$15 |
Regardless of trends, small and medium businesses are especially at risk, but from lack of resources and lack of awareness, not from targeted attacks. The security attacks we’ve dealt with at small organizations have all been from standard malware, script-kiddie exploits and untargeted phishing.
Small and medium business security is yet another security blind spot, but of a different kind. The blind spot of the organizations themselves is in failing to see where they are most at risk.
Right now, the only exposure most small organizations have to a security standard is PCI DSS. Sadly that standard is myopic: it only addresses confidentiality.
Yet the biggest risk facing most small organizations is continuity: infrequent and untested backups, no offsite storage, no fallback web presence, etc. Most small businesses never recover from a business interruption longer than a few days. Too bad continuity and availability in general are outside the scope of PCI DSS.
Obviously, losing merchant status due to repeated breaches of card data would also shut down a business, but in reality that’s far less likely than banal incidents like hard drive failures, a smash-and-grab or a fire.
Sadly, we see organizations spend all their resources chasing PCI compliance at the expense of overall risk management.
So the third point above is good advice: if at all possible, transfer the risk of card processing to a payment gateway. It costs more per sale, but until sales reach a fairly high level it winds up being less expensive (and less risky) overall. Plus, resources are freed to identify and address higher-risk security concerns such as continuity.
Tags: business continuity, small business security, trends