BreachExchange mailing list archives

No, Your Small Business Is Not Safe From Cyber Attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Oct 2013 01:43:15 -0000

http://www.huffingtonpost.com/mike-pugh/no-your-small-business-is_b_4164015.html

Comedy legend Jerry Seinfeld has a clever bit on how little we worry about 
our safety when we're in a taxicab. "They've got that glass partition in 
front of you," Jerry says, "so it's like you're watching the whole thing 
happen on television." Jerry then points out that no matter how dangerously 
the cab driver weaves through traffic, we remain completely unworried. We 
just sit back calmly and think, "Wow, that looked dangerous. I don't think 
I'd try that in my car."

How is this relevant to a discussion of Cyber Security? As small business 
owners and members of the general public, we tend to take in the 
ever-present news of the latest electronic security breach with the same 
level of detached fascination. JPMorgan Chase had its customer data stolen? 
Wow! That's going to require some PR damage control. Pentagon computers 
were breached? I thought that only happened in the movies. Twitter was 
hacked by the Syrian Army? Amazing!

What's left unsaid throughout all of these attacks -- but what many of us 
are probably thinking -- is that they make logical sense because the 
targets are large, public and offer something valuable to the attackers: 
national-security information, vast sums of money, etc. But, we reason, our 
small business isn't under the same constant threat. After all, we're just 
a small provider of fill-in-the-blank. No one would even bother trying to 
hack our systems, right?

Wrong.

Smaller targets can mean big rewards for cyber criminals

Small and medium-sized businesses are just as susceptible to attacks from 
hackers as large entities and even government agencies. According to 
the National Cyber Security Alliance, an astonishing one in five small 
businesses falls victim to cyber crime each year. Even more frightening: 
According to an August 2013 story in PCWorld, of those small businesses 
whose systems are breached, roughly 60 percent go out of business within 
six months after the attack.

Why do hackers, data thieves and other cyber criminals target small 
businesses? Several reasons. First, gaining illegal access to a smaller 
firm's data can help a cyber criminal later hack into a larger entity -- 
because these smaller companies often do business with large firms and have 
passwords and other electronic access to their systems. Why try to break 
into the big bank directly, when you can just sneak into a tiny company 
that does business with that bank, and steal its access?

Another reason hackers target the computer networks of smaller firms is 
that they assume -- often correctly -- that these small businesses have 
less sophisticated cyber security in place and do not enforce the same 
level of data-protection protocols as their larger-firm counterparts. 
According to a 2013 Internal Threat Report from data security provider 
Symantec, 31 percent of targeted cyber attacks in 2012 were leveled against 
businesses with fewer than 250 employees. The report further points out 
that this represents a massive jump from 18 percent in the previous year. 
Cyber criminals are targeting small businesses in increasing numbers. And 
yet Symantec has also found that an incredible two-thirds of small and 
medium-sized businesses do not worry about cyber attacks. Perhaps hackers 
are reading these reports as well.

Smart phones: the walking security threat

Contrary to a common misconception, cyber attackers don't limit their 
targets only to the web or to businesses' data servers. Clever hackers have 
found they can also steal sensitive electronic information by targeting 
mobile devices, often through hacking voicemail. As eVoice's 2013 "Device 
Vice" Survey Data finds, our mobile phones play an increasingly prominent 
and essential role in our business lives, making them a juicy target for 
cyber threats. Consider:

• 36 percent of small business professionals use three or more mobile 
devices to run their business. Each of those is a point of risk, not only 
for loss or theft, but now also for attack.

• 32 percent give their mobile number out to customers, 19 percent give it 
out to partners or investors, and 18 percent give it to vendors. That means 
your contact list, call log, and voicemail contain valuable information 
about your business.

• 35 percent of small business professionals text every day for business. 
No longer just for chit chat with friends, your text messages now expose 
business information, too.

So how can you protect your business's mission-critical mobile information 
from cyber attacks? Here are a few simple, yet effective suggestions.

Mobile data security tips from eVoice

1. Password Protect Your Devices
Out of convenience, many people do not use the password feature on their 
phones and tablets, the thought being "Who wants to type in a password 
every time their phone buzzes?" Mistake! Keeping someone from ever 
activating your device is your first line of defense.


2. The Bigger the Better
A six-digit PIN is better than a four-digit PIN. It's also important never 
to use a device, email, or voicemail password that is the same as your 
banking PIN.

3. Change Your PIN for Extra Security
Never use the default PIN provided to you by your service provider. Small 
business owners should change their PIN right away. In addition, create a 
new PIN every few months for an added layer of security.

4. Leverage the Cloud
Even if your mobile phone is your only phone, you can separate your 
business use from your personal use, virtually. Services like eVoice give 
you a separate business phone number that routes calls anywhere. Someone 
stole your iPhone? Re-route your business calls to another phone so 
you--not the thief--get the call or voicemail.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
