Small firms 'easy targets' for cyber crime

Person using a tablet computer at a fashion show Staff using tablet computers or smart phones can cause security problems

"Small businesses are fair game, it all depends what they have to offer," says the hacker.

"Everything is interconnected in one way or another so it's a beautiful playground to be in."

Technology of Business

He stresses he now only carries out "White Hat" attacks, probing new technology to find its flaws so they can be corrected by the manufacturer.

But experience has taught him businesses can be an easy target.

"It's not easy to catch a hacker - if you go after governments there is a good chance you are going to get caught, but with businesses it's easier.

"They are often protected by insurance and it's very rare to see them going after a hacker for stealing their money, although with intellectual property it can be different," he adds.


A recent survey of 1,900 small businesses around the globe by internet security firm Symantec found the firms were plainly aware of cyber threats.

Ross Walker, Symantec Ross Walker says hackers are increasingly targeting small firms

They singled out specific problems like targeted attacks, keystroke logging, and the dangers of using smartphones for company business.

But the Threat Awareness Survey also showed a considerable apathy towards security, with half of respondents replying they didn't feel in danger because they were a small company.

Instead they thought it was large enterprises that should worry about security threats.

This might account for the fact three out of five of the small businesses said they didn't use anti-virus technology on all their desktops, while two out of three failed to secure machines used for online banking.

Start Quote

People are the weakest link at any level of security”

End Quote Hacker

Unfortunately the evidence is not on their side: Symantec's research shows that since the beginning of 2010, 40% of all targeted attacks have been directed at small and medium-sized businesses, compared to only 28% directed at large companies.

"Hackers are going after 'low hanging fruits', these are the companies who are less security aware and do not have the proper defenses in place," says Ross Walker, Symantec's director of small business.

"Hackers are increasingly targeting smaller, softer, less reactive targets since these provide a lower-risk alternative to financial institutions."

The targets

Such criminals could be after a whole host of things, such as data they can sell on the cyber-underground (credit card numbers, employee details and login details are particular favourites).

Key security questions

Can your firm answer these five security questions?

• How am I protected if a member of my staff decides to steal data, misuse information, commit fraud or just makes a mistake?

• What stops my business being hit like the bigger firms that I see in the press getting attacked?

• What are the most valuable things my business has (customer data, IPR, reputation etc.)?

• If I had a security breach tomorrow what would I do? (or how would I know?)

• Could I get all the data back if I lost a server, laptop, member of staff, filing cabinet etc?

Source: Piers Wilson, PwC information security

They might upload malware to your site that attacks your visitors without you even knowing about it, or they might take control of your server, from where they can attack third parties.

With small firms often having to deal with a lack of budget, inadequate security policies and a general lack of knowledge of the subject, all sorts of weak points can be exploited.

"Examples might be the development of websites and customer portal type applications, adoption of cloud computing services, allowing employees to bring their own mobile devices and laptops into work to use for work purposes - even just buying IT systems and storage solutions," says Piers Wilson from PricewaterhouseCooper's information security team.

"Maybe it will have staff who are disaffected or maybe it has highly valuable intellectual property rights - small companies often spring up around a simple idea, which may or may not be well protected," he adds.

Since the explosion in mobile working a small firm's staff all need to be security guards, but some are plainly asleep on the job.

For example, recent research of 1,000 SMEs by IT consultancy Modis, found 20% of staff regularly sent confidential business information using unsecured wi-fi hotspots - a hacker's dream come true.

Vigilant staff

But the risk your own staff might pose to your firm's security, even unwittingly, is not restricted to the inappropriate use of new technology.

Woman using a wi-fi hotspot Staff using unsecured wi-fi hotspots could be a major problem for firms

"People are the weakest link at any level of security," says the hacker.

"You can attack a business from anywhere - even through the mail room.

"For example, you can send them marketing material - perhaps with a CD attached that they put into their computer and then you're in.

"You can make an enquiry of their accountancy department and as soon as you've got a name and email address you can send an email with an attachment, which they open because they recognise you," he says.

"Often you even say thank you for their help in the email."

Use protection

Small firms wanting to protect themselves need to start by tackling a couple of issues, says David James, managing director of risk management specialists, Ascentor.

Robber breaking into a safe Crime and security issues were a lot more straight forward in the past

"These fall into two categories: understanding what and where your valuable data is and then doing something to protect it," he says.

Mr James says 80% of attacks can be thwarted by doing the basics, including having strong passwords and regularly changing them - and not having them written on a sticky note under the keyboard or on the monitor, of course.

Other key steps include installing anti-virus software and keeping it up to date, as well as restricting your valuable information to only those that need it (that means keeping your children off your work computer and limiting admin rights).

Other good security measures include working behind a firewall and considering encryption, regardless of where the data is stored, be it on a laptop, smartphone, tablet, USB drive or even a humble CD.

Then there is making sure your software has had the latest updates, or "patches".

It might be nigh-on impossible to stop a determined cyber attacker from doing your business some kind of damage.

But you can make it as difficult and frustrating as possible, which might well send them off looking for easier prey.

More on This Story

Technology of Business

The BBC is not responsible for the content of external Internet sites

More Business stories


Features & Analysis

Elsewhere on the BBC

  • TravelAround the world

    BBC Travel takes a look at the most striking images from the past seven days


  • BatteriesClick Watch

    More power to your phone - the lithium-ion batteries that could last twice as long

Try our new site and tell us what you think. Learn more
Take me there

Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.