Saturday, March 21, 2009

Small Business: The New Black In Cybercrime Targets

Enticed by poor defenses of mom-and-pop shops, hackers turn away from hardened defenses of banks and large enterprises
Mar 19, 2009 05:53 PM
By Tim Wilson
DarkReading

"As the security becomes better at large companies, the small business begins to
look more and more enticing to computer criminals," said Charles Matthews,
president of the International Council for Small Business, in a panel
presentation here. "It's the path of least resistance."


Matthews quoted industry research that states small businesses are far less
prepared to defend themselves against cyberattack. "Nearly one-fifth of small
businesses don't even use antivirus software," he said. "Sixty percent don't use
any encryption on their wireless links. Two-thirds of small businesses don't
have a security plan in place. These numbers are both surprising and
disturbing."

I'd encourage you to have a read of the full article and think about how this applies to your clients, your own business and small businesses in general. Quark IT is fairly security conscious and encourages this in our clients which is a good reason why we see very, very few of our clients suffering from security-related incidents. We do come across new clients occasionally who are secured to a level we find acceptable, but really, not that often. This isn't bad for the SBSC partners who should really understand this, but it means that those who are not SBSCs don't really have a good understanding of security (nor networking, from what we've seen on way too many occasions).

The article talks a lot about PCI Compliance which is related to Credit Card processing, and this is a good target for cybercriminals, but there are also other things for them to target - sporting associations often have lists of children's names, phones, addresses and sporting teams and this is absolute paedophile gold, a business will have a list of their clients on their computers which an unscrupulous competitor may be after, larger businesses with multiple locations will often have staffers who are unfamiliar with management and IT staff, and therefore can more easily fall foul of social engineering and even small businesses can let almost anyone into their server if you pick the right time. So, it is not just about PCI Compliance, but securing the whole business.

The more mobile the workforce becomes and the more remote workers we have, the further out the network perimeter extends and the bigger it becomes. Big and wide is harder to protect against then small and tight - we need to ensure that allowing users to have remote access to the company network is not introducing unacceptable and/or uncalculated risks.

Regards,

The Outspoken Wookie

No comments: