Small firms 'easy targets' for cyber crime
- 20 March 2012
- From the section Business
"Small businesses are fair game, it all depends what they have to offer," says the hacker.
"Everything is interconnected in one way or another so it's a beautiful playground to be in."
He stresses he now only carries out "White Hat" attacks, probing new technology to find its flaws so they can be corrected by the manufacturer.
But experience has taught him businesses can be an easy target.
"It's not easy to catch a hacker - if you go after governments there is a good chance you are going to get caught, but with businesses it's easier.
"They are often protected by insurance and it's very rare to see them going after a hacker for stealing their money, although with intellectual property it can be different," he adds.
A recent survey of 1,900 small businesses around the globe by internet security firm Symantec found the firms were plainly aware of cyber threats.
They singled out specific problems like targeted attacks, keystroke logging, and the dangers of using smartphones for company business.
But the Threat Awareness Survey also showed a considerable apathy towards security, with half of respondents replying they didn't feel in danger because they were a small company.
Instead they thought it was large enterprises that should worry about security threats.
This might account for the fact three out of five of the small businesses said they didn't use anti-virus technology on all their desktops, while two out of three failed to secure machines used for online banking.
Unfortunately the evidence is not on their side: Symantec's research shows that since the beginning of 2010, 40% of all targeted attacks have been directed at small and medium-sized businesses, compared to only 28% directed at large companies.
"Hackers are going after 'low hanging fruits', these are the companies who are less security aware and do not have the proper defenses in place," says Ross Walker, Symantec's director of small business.
"Hackers are increasingly targeting smaller, softer, less reactive targets since these provide a lower-risk alternative to financial institutions."
Such criminals could be after a whole host of things, such as data they can sell on the cyber-underground (credit card numbers, employee details and login details are particular favourites).
They might upload malware to your site that attacks your visitors without you even knowing about it, or they might take control of your server, from where they can attack third parties.
With small firms often having to deal with a lack of budget, inadequate security policies and a general lack of knowledge of the subject, all sorts of weak points can be exploited.
"Examples might be the development of websites and customer portal type applications, adoption of cloud computing services, allowing employees to bring their own mobile devices and laptops into work to use for work purposes - even just buying IT systems and storage solutions," says Piers Wilson from PricewaterhouseCooper's information security team.
"Maybe it will have staff who are disaffected or maybe it has highly valuable intellectual property rights - small companies often spring up around a simple idea, which may or may not be well protected," he adds.
Since the explosion in mobile working a small firm's staff all need to be security guards, but some are plainly asleep on the job.
For example, recent research of 1,000 SMEs by IT consultancy Modis, found 20% of staff regularly sent confidential business information using unsecured wi-fi hotspots - a hacker's dream come true.
But the risk your own staff might pose to your firm's security, even unwittingly, is not restricted to the inappropriate use of new technology.
"People are the weakest link at any level of security," says the hacker.
"You can attack a business from anywhere - even through the mail room.
"For example, you can send them marketing material - perhaps with a CD attached that they put into their computer and then you're in.
"You can make an enquiry of their accountancy department and as soon as you've got a name and email address you can send an email with an attachment, which they open because they recognise you," he says.
"Often you even say thank you for their help in the email."
Small firms wanting to protect themselves need to start by tackling a couple of issues, says David James, managing director of risk management specialists, Ascentor.
"These fall into two categories: understanding what and where your valuable data is and then doing something to protect it," he says.
Mr James says 80% of attacks can be thwarted by doing the basics, including having strong passwords and regularly changing them - and not having them written on a sticky note under the keyboard or on the monitor, of course.
Other key steps include installing anti-virus software and keeping it up to date, as well as restricting your valuable information to only those that need it (that means keeping your children off your work computer and limiting admin rights).
Other good security measures include working behind a firewall and considering encryption, regardless of where the data is stored, be it on a laptop, smartphone, tablet, USB drive or even a humble CD.
Then there is making sure your software has had the latest updates, or "patches".
It might be nigh-on impossible to stop a determined cyber attacker from doing your business some kind of damage.
But you can make it as difficult and frustrating as possible, which might well send them off looking for easier prey.