Security is an important part of all business operations. Whether you are securing customer information, your internal financial data, or a secret recipe for killer chocolate cake, you need to be aware of the many ways that information may be attacked and compromised. While you may think that your small business is too small to be affected, that is simply not the case.
According to a new Verizon study, no business is too small or insignificant to be attacked. 75% of data breaches are “opportunistic attacks,” where the victim is not chosen as a target but is attacked simply because the attacker is able to identify and exploit a specific weakness in their systems.
The Verizon 2013 Data Breach Investigations Report looked at over 47,000 reported security incidents and 621 confirmed data breaches in 27 countries that occurred in 2012. 75% of the confirmed breaches were for financial gain, 76% of them used stolen credentials or exploited weak credentials, 84% of them took place in minutes or hours, and 66% of them went undetected for months. Even more troubling for a small business that relies on building customer relationships—10% of all breaches were discovered by customers before they were known to the business itself.
Business Hackers: International, Internal, Accidental
The question remains: who is causing these breaches? Interestingly, while 92% of the confirmed breaches were attributable to sources outside the organization, 69% of the total reported incidents were attributable to internal sources. However, the study found that a majority of the incidents (though not of the confirmed breaches) were simply due to employee error, such as configuring a secure system incorrectly, or “low tech” incidents such as emailing work home.
Of the confirmed external breaches, organized crime networks with financial motives were responsible for a majority of them (55%), while state-affiliated espionage emerged as a growing problem, being responsible for 24% of the breaches. Interestingly, both large and small businesses were targeted in espionage attacks, which accounted for 20% of small company breaches and 24% of large company breaches. A majority of the espionage attacks were found to have origins in China, while a majority of the financially-motivated attacks were traced to the United States, Romania, Bulgaria, and Russia.
For confirmed breaches linked to internal sources, those at small companies were most likely to be caused by cashiers or others who handle payments such as bank tellers or waiters, while those at larger companies were most likely to be caused by system administrators. (However, the study points out that in over half the cases the sys-admin’s role was accidental rather than malicious.)
Business Security Attacks by Company Size
Company size can play a role in the type of attacks encountered. For example, physical tampering in the form of ATM skimming devices is most likely to affect large companies, while spyware is the largest threat against small companies. Malware, defined as any malicious software, script, or code added to a system that alters its state or function without permission, is involved in the largest percentage of attacks. In small companies it is typically directly installed by the attacker (84% of breaches) via a back door infiltration. In larger companies, email attachments (63%) are the primary source of malware infection.
Another growing attack vector identified by the study, particularly against small businesses, is “ransomware.” This type of attack is typically launched by exploiting unpatched vulnerabilities or weak passwords and gaining access to a business’ data via Microsoft’s Remote Desktop Protocol (RDP). Once access is gained, the criminals encrypt all the data and demand a ransom to release the data. If the business doesn’t pay, it loses all its files.
Protect Your Business from Security Attacks
So how can you protect your small business? The study provides a list of 20 critical security controls a company can implement. For example, keep a list of authorized and unauthorized software, monitor all installations, eliminate any unnecessary data and then secure and monitor the data you need to keep. It also suggests focusing equally on both detection and prevention.
Remember, the time to think about security at your small business is before you have a problem. Restoring and shoring up systems after you have been breached is not only significantly more expensive, but also exponentially more frustrating, than taking steps to prevent a breach in the first place.