Cybercrime Is a Growing Problem for Small Businesses

Ever-more-sophisticated computer hacking of business networks and Web sites will require more safeguards and constant vigilance.

By Richard Sammon, Senior Associate Editor, The Kiplinger Letter

August 24, 2009

Think cyber crooks aren’t interested in your business? Think again. It’s not only the biggest or best-known companies that get hacked by organized syndicates or smaller cybercrime actors looking to steal corporate secrets and customer data.

Every company is a potential victim, even firms that spend heavily on security systems and IT staff. A determined and knowledgeable hacker will find a way to penetrate, and it can be costly. Losses are hard to calculate, but estimates of losses from theft range as high as $1 trillion a year worldwide.

You may have been hit already and don’t know it. Many criminals operate under the radar, planting spyware and stealing valuable company data for months without businesses knowing it until it’s too late. Some thieves will tap into your customer base, grabbing credit card and other bank account information. Others copy trade secrets and sell them to competitors who may then lure away your customers. This is in addition to those who crash sites with the aim of keeping your online operation down for days and costing you business.

Not all of the popular targets are obvious. Charities and other nonprofits are targets because their lists and information on benefactors and donors can be valuable. And criminals often go after beneficiary lists from life insurers.

Organized crime rings are behind a high percentage of the attacks, often operating from abroad -- Russia, Ukraine and China, especially.

Fail-safe protection doesn’t exist. Even the Pentagon, with a battalion of the best computer specialists, gets hit repeatedly.

But it’s important to do whatever you can. Crooks will go where the taking is easiest, just as car thieves will grab a radio from an unlocked car before going through the trouble of circumventing a security system.

Many small businesses have no protection. One in five does not have antivirus software, and more than half don’t use encryption for wireless links. Two in three have no formal security policy, essentially banking on good luck that they won’t be victimized.

Computer safety doesn’t have to cost you a fortune. Some basic steps to take:

  • Install security software that includes antivirus, antiphishing, antispyware and networkwide anti-intrusion features, with automatic updating. The subscription cost is not much, about $100 a year.
  • Set up a firewall to protect all confidential information. Use multiple walls to guard your most sensitive data or keep it on a separate server or on paper. Use so-called smart passwords with numbers, letters and symbols, and change them periodically.
  • Be sure to block ex-staffers' access to your network. Beware of disgruntled workers who may be out to get you through computer stealth. Give employees in different departments and positions access only to the parts of the network they need.
  • Also, vet anyone who buys advertising on your Web site. This, too, can be a source of malicious software. A personal phone call can trip up those who buy ads and use them to lure your customers to phony sites.
  • Train employees in safe computer practices. It’s the most important best practice and often overlooked by companies. Let them know that visiting nonwork-related sites puts the firm at risk. Eighty percent of malware is downloaded unknowingly at adult pornography sites.
  • Opening attachments from unknown sources can render a firewall useless. Laptops carried out of the office or left at a business conference are prime targets for theft.
  • Also, consider contracting with a certified “ethical hacker” to test your system regularly and to offer guidance to your in-house computer staff.


Reader Comments (5)

Posted by: Thomas J. Raef at 08/23/2009 04:02:53 PM

Another way that hackers or cybercriminals work is to infect websites of small businesses. They usually get into the website by installing a virus on a computer with FTP access to the website. This happens by chance. Then the hackers use valid FTP credentials to modify the website, installing heavily obfuscated code in the website's HTML code and then just waiting for visitors to the site. This can cause tremendous strain on the small business as many security sites will find the infectious code and blacklist the site - thereby preventing many users from visiting the site. Another good reason to filter and protect your small business network.

Posted by: Doug McLean at 08/24/2009 02:29:48 PM

Also make sure to use strong encryption on all laptops and desktop machines. It's transparent to the user and prevents the bad guys from using the data on stolen machines.

Posted by: lancop1 at 08/24/2009 09:27:54 PM

All these are security best practices, but many SMBs are holding onto their money during this downturn and spending only on the most obvious fires. Proactive security measures seem like a waste of money to many SMBs when even the Pentagon can't completely defend itself. Why bother looting your treasury for a problem that is too complex for you to address no matter how deep your pockets are? Even though we do security work, I can see the logic behind their arguments. Network security is almost an oxymoron these days.

Posted by: Roy Alzua, CISSP at 08/25/2009 05:36:07 PM

I've always believed the firm's human resources are the most effective and important tool in defending against cybercrime, be it a large or small business. First off, it is imperative that all trusted staff, contractors/temps and new hires undergo a financial (credit check) and criminal/DMV background check. Also, the firm should require and check out personal and professional references. Historically, 80-95% of cybercrime fraud and IT resource theft has been perpetrated by "trusted" insiders who work alone or in conjunction with other criminals. Review of recent cybercrime statistics indicates that this is a continuing trend. The firm should also maintain an updated and incentivized security awareness program. Educate the human resources so they can recognize IT vulnerabilities and know when to report risks, violations and suspicious internal activities. Have every employee aware that the firm operates within a "trusted" IT sphere and that any compromise puts everyone's job at risk.

Posted by: tktktk at 08/26/2009 07:47:06 AM

Until we are willing to have hackers executed (which would deter most of them), the only effective solution is to limit your use of the internet.



