The latest Internet Security Threat Report from security vendor Symantec Corp. has a warning for small and medium-sized businesses (SMBs) – you’re in the sites of hackers as the weak point in the larger corporate supply chain.
Symantec’s 2013 report identifies SMB attacks as a key trend, noting that, in 2012, 50 per cent of all targeted attacks were aimed at businesses with fewer than 2,500 employees, and the largest growth area for targeted attacks in 2012 was businesses under 2500 employees – accounting for 31 per cent of all targeted attacks.
“This year we saw a change in the techniques used by the attackers to expand their focus on SMBs,” said Liam Murchu, manager of security response operations for NAM at Symantec, in an interview. “SMBs are vital in the supply chain. Before they would target big companies, but now hackers are moving down.”
According to Symantec, SMBs also seem themselves as somewhat invulnerable to the sophisticated, targeted, financial gain-driven sort of attack. But as the report notes, SMB cash spends just as well as large enterprise cash. And to think they have nothing worth stealing is wrong as well – they have customer data, intellectual property, and cash.
“SMBs are still part of the process they still have intellectual property and information hackers are looking for, but they’re not as well protected as the bigger companies with more budget to spend on security,” said Murchu. “Smaller companies may have a smaller budget for IT security but they still have intellectual property that attackers are looking for.”
And SMBs aren’t falling victim to random attacks. Murchu said SMBs are being specifically targeted, due to their place in the supply chain and the other companies they work with – they’re viewed as a weak point that can be exploited to move up the chain.
“We saw attackers who normally target defence contractors also targeting small electronics companies that ship to those companies,” said Murchu. “It’s both financial and corporate espionage.”
Besides the loss of intellectual property and money, if SMBs become seen a weak point into a sensitive corporate supply chain, they risk being cut out by the larger players if they don’t tighten their security. It’s easy to say just spend more on IT security, but it’s not so simple for many resource and budget-challenged small businesses.
Still, Murchu said there are some steps that SMBs can take. And it begins with awareness, which is one of the reasons for the Symantec report.
“A lot of SMBs don’t think they’re being targeted because they think they don’t have much important intellectual property or a lot of money. We’re trying to show small companies they still need to think about these things, because the attackers are thinking about it,” said Murchu.
Next, companies should have a strategy for protecting what they have that’s valuable. It doesn’t always mean spending money, just having a clear strategy and educating employees to the fact that they may be targeted.
Finally, keeping your computers patched and up to date and your security solutions up to date and configured is a must.
“We see some times where companies are affected, even though they have a solution in place, because they didn’t have it set up effectively,” said Murchu.