Small Business Is Big Business in Cybercrime A TrendLabs Primer

Transcription

1 Small Business Is Big Business in Cybercrime A TrendLabs Primer

2 Things Every Small Business Should Know About Web Threats and Cybercrime For cybercriminals, no business is too small to exploit. Albeit being under a relatively smaller spotlight than typical enterprises, small businesses can ill afford to take the threat cybercrimes pose for granted. Myths abound regarding small businesses security but it s time to face the facts. Any organisation, regardless of size or type, can fall victim to cybercrime. Most small businesses are not convinced that cybercriminals are after them. In a Visa Inc. and National Cyber Security Alliance survey 1 of 1,000 small business owners, 85 percent believed that enterprises are more targeted than they are. Over half (54 percent) are confident that they are more prepared than enterprises to protect company and customer data. Small businesses may think they are under the radar because cybercriminals opt to target either very large enterprises or consumers instead. In reality, however, cybercriminals do not discriminate among the very large enterprise, small business, and consumer sectors, as long as these prove profitable and lucrative to exploit. There are no priority targets. Any entity with a weak security system, small business or not, is cybercrime fair game

3 Small businesses manage information that is of interest to cybercriminals. Small businesses do not face as many content security risks as larger enterprises do or so they think. The fact is, 7.4 percent of small business owners are victims of fraud, according to a May 2010 Council of Better Business Bureaus study 2. Small businesses hold employee and customer information, which makes them prime cybercrime targets in every way. The types of stolen data range from social security numbers to online banking credentials (refer to the figure below for the complete list and percentage distribution of stolen information). Business Breaches of Personal Information Physical address 37% Social security number Checking account number Driver s license number PIN on your credit card ATM PIN on your credit card E-banking user name and password 10% 19% 18% 22% 23% 24% Health insurance information 7% A passport 3% Medical records 3% Military ID card 1% 0% 10% 20% 30% 40% Base = all fraud respondents; n = 393; year = 2009 Source: Javelin Strategy & Research 2 May_10.pdf 2

4 Cybercriminals unleash 3.5 new threats targeting small businesses every second. The number of online attacks specifically targeting small businesses reportedly surged by almost 600 percent in early Trend Micro experts cite at least two factors accounting for this alarming increase. First, larger companies are investing more in Internet security, pushing cybercriminals to look for smaller but just as abundant targets. Second, small businesses present a huge market for exploitation, as they now number over 25 million in the United States alone. Adding to small businesses appeal to cybercriminals is their lack of budget for an IT team, much less a department, devoted to maintaining security. There have been cases wherein small businesses lost hundreds of thousands of dollars to cybercriminals whose weapon of choice has become bots. Bots are malicious software that stealthily infiltrate PCs, enabling cybercriminals to remotely control and ultimately steal critical data without the employees and customers knowledge. In January 2011, the Federal Bureau of Investigation (FBI) 3 reported that a certain U.S. company lost US$150,000 via unauthorised money transfers triggered by malware-laden messages. The malware in question belonged to the ZeuS/ZBOT family of Trojans, which is notorious for defrauding small businesses. TrendLabs experts have also seen phishing campaigns and vulnerability exploits specifically targeting small businesses. Fraud often comes in the form of tax-related messages using the names of legitimate government agencies, usually invoking fear through customer complaints or threats of legal action. Exploits, meanwhile, arrive via frequently used legitimate applications. Small businesses can be more vigilant against these attacks by ensuring that every employee technical or not stays abreast of the latest in cybercrime. They should be educated about the newest fraud schemes and urged to employ best practices such as not responding to or opening attachments and clicking suspicious links in unsolicited messages. Small businesses are also advised to enforce their internal security policies and to enhance their network security and their corporate banking protocols. Finally, they need to be constantly on the lookout for suspicious online activities and to prepare a contingency plan for instances of actual compromise

5 Compliance is costly, but noncompliance is costlier and can serve as a window to cybercrime. Not all small businesses are aware of compliance issues. Some even believe that they are compliant and have sufficient security measures in place. However, nearly 1 million U.S. small businesses have already fallen victim to data security fraud, revealed a January 2011 study 4 on the data security and fraud prevention strategies practiced by small and medium-sized businesses (SMBs). Noncompliance may eventually lead to productivity loss, business disruption, and high legal costs. The cost of compliance is placed at US$3.5 million 5 for multinational organisations but that is a small price to pay compared with the much higher cost of noncompliance. Small businesses would be ill advised to think that they are exempted from complying with data protection regulations. Like their large enterprise counterparts, they also deal with processes, people, and technologies, all of which are under equal threat of cybercrime Compliance_Report.pdf 4

6 Small businesses are moving to the cloud and are embracing cloud security but cybercriminals are not far behind. Cloud computing has well crossed over from being a catchphrase to become a reality. Today s overall SMB cloud market is valued at US$8.6 billion 6 and is set to approach US$100 billion 7 by In addition, up to 74 percent of SMBs plan to increase their spending on cloud-based software in 2011 a marked improvement from late 2010 when cloud computing adoption among SMBs stood at only 14 percent. SMB Cloud Computing Adoption Small businesses need to keep these five facts in mind as they strengthen efforts to keep their own and their customers data secure. 14% Currently using the cloud 49% Using private or hybrid cloud 62% Not using cloud, and have no plans 10% Planning on using the cloud 32% Concerned over unproven technology 38% of 1-19 SMBs using the cloud Source: Spiceworks Inc. Despite these overall positive developments, small businesses are still not spending nearly enough on cloud security. A 2010 Forrester report 8 says while 84 percent of SMBs considered data security a high priority, only about onethird (36 percent) of the respondents planned to increase their spending on network security and only by a factor of 5 percent. Small businesses run the risk of losing data, productivity, sales, even their reputation and most of all, dollars in the face of the exponentially increasing number of threats that cybercriminals unleash. 6 jhtml?articleid= billion-by-2014.htm?itc=refresh 8 5

7 What Trend Micro Can Do to Protect You In the current threat landscape, no organisation is safe. Every organisation is a prime cybercrime target. This is why Trend Micro always strives to protect its product users from any and every possible threat with the aid of the Trend Micro Smart Protection Network. Small businesses will do well to use the following products to protect their own and their customers data: Trend Micro Worry-Free Business Security Advanced protects Windows PCs, Macs, file servers, and mail servers from viruses, threats, and dangerous websites. The latest edition keeps business information private by locking down USB drives and other storage devices as well as by preventing data loss through . It also blocks spam both before it reaches and while on Exchange Servers. Trend Micro Worry-Free Business Security Standard protects Windows PCs and servers from viruses, threats, and dangerous websites. It features security scans that run quickly and quietly in the background and keeps business information private by locking down USB drives and other storage devices. Trend Micro Worry-Free Business Security Services is a cloud-based security solution that provides protection anytime and anywhere for your business data. It secures PCs, servers, and other Windows-based devices such as point-of-sale (POS) machines and tablets. In addition to providing industry-leading security solutions, we also provide information on the latest threats and threat trends to let users know what they can do to stay protected in today s digital world. For more information on the threats featured in this primer, please refer to our materials in the following portals: Threat Encyclopedia: Our malware, spam, malicious URL, and Web attack entries like Another LinkedIn Spam Leads to ZeuS-Related Site provide more information on the vectors cybercriminals use to infect users systems and corporate networks. TrendLabs Malware Blog: Our blog entries like Malicious.RTF Files Exploit Microsoft Office Vulnerability provide threat news and information direct from the experts. ABOUT TRENDLABS SM TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With more than 1,000 threat experts and support engineers deployed round-the-clock in labs located around the globe, TrendLabs enables Trend Micro to: Continuously monitor the threat landscape across the globe ABOUT TREND MICRO Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at Deliver real-time data to detect, preempt, and eliminate threats Research and analyze technologies to combat new threats Respond in real time to targeted threats Help customers worldwide minimize damage, reduce costs, and ensure business continuity 2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.