Dealer Outlook

Trade Only Dealer Outlook Blog

Cyber attacks double on small businesses

If you think that because you’re a small business, hackers won’t seek your data, consider this: a hacker can steal bank account and/or credit card information from your computer, package it with similar information from a hundred or more other small businesses and sell it on the black market for big bucks.

So says the fifth annual Verizon 2012 Data Breach Investigations Report, authored by Verizon Risk Team leader Christopher Porter. The report was produced in conjunction with the U.S. Secret Service and similar agencies from Australia to the Netherlands. Porter recently told PC World magazine: “Small businesses don’t know how defenseless they’ve become, especially to automated and industrialized attack methodologies by organized crime.”

According to security software maker Symantec, the percentage of targeted attacks on small businesses doubled in the first six months of this year. The company says it blocked an average of 58 attacks per day aimed at small businesses. Daily attacks on all businesses averaged 154, up 24 percent. Doing the math, it’s apparent hackers are dedicating more resources to what they see as vulnerable targets.

The attacks are not random, they’re targeted. It means an attack is tailored for a specific business. Hackers use publicly available information or even information stolen from another company such as a supplier. Basically, the attackers create emails with malicious attachments they believe will trick employees into opening. It’s been dubbed “social engineering” and it’s sophisticated. So just warning employees about opening emails with attachments isn’t likely to be much protection anymore.

It’s notable that of all the attacks the report studied, it found that 96 percent were easy for the hacker to achieve. What’s more, 97 percent could have been foiled without the need for difficult or expensive countermeasures. Therefore, the Verizon report offers some simple recommendations:

• Use a firewall on Internet-facing services. Hackers can’t steal what they can’t reach.

• Change default credentials on any point of sale and other systems that come with preset credentials. This could prevent unauthorized access.

• Monitor third-party vendors if they manage your firewalls or point-of-purchase systems to be sure they have implemented proper security.

• Educate your staff, particularly about social phishing. Establish policies and make sure they’re being followed.

• Follow through on any security technology you purchase to be sure you have configured it properly. Do not ignore reports.

• Think often about security. Check logs of your Windows OS system, point-of-purchase system and security software or have a professional do it for you.

Finally, Porter indicated that in most cases, attacks were mostly opportunistic. When a small business follows simple procedures, it is less likely to become a target. Cyber criminals look for the easy marks.

Comments

One comment on “Cyber attacks double on small businesses

  1. Gary Rademaker

    Norm – this is great information – and is ESPECIALLY important for boat dealers. Many boat dealers conduct F&I operations through which they arrange financing for customers through indirect lenders. Although the dealership is not the “lender”, they are considered the original “creditor” on the transaction, even though they are immediately assigning the loan to a lender. Due to the dealer’s “creditor” status, they are responsible for compliance with the Gramm-Leach-Bliley Act – specifically the Safeguards Rule.

    Per the Safeguards Rule requirements, boat dealerships must develop a WRITTEN information security plan that describes their program to protect customer information. As part of the plan, boat dealers are required to include the following:
    • designate specific employees to coordinate its information security program;
    • identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
    • design and implement a safeguards program that protects customer information – both in electronic and paper format, and regularly monitor and test it;
    • select service providers that can maintain appropriate safeguards;
    • identify and assess internal and external risks to customer information
    • continuously evaluate and adjust the program in light of relevant circumstances, or the results of security testing and monitoring;
    • consider and address the unique risks raised by business operations — such as the risks raised when employees access customer data from off-site locations, or when customer data is transmitted electronically outside the company network;
    • Include a data breach response plan for use in the event that any customer information is lost, stolen or compromised.

    Penalties for violating the Gramm-Leach-Bliley Act are quite severe:
    • up to $100,000 for each violation
    • officers and directors can be fined up to $10,000 for each violation
    • Criminal penalties include imprisonment for up to 5 years, a fine, or both

    Boat dealers are not only small businesses, and potential targets for attack by hackers – they have increased responsibility as “creditors” to maintain compliance with federal financial regulations.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments are moderated and generally will be posted if they are on-topic and not abusive. For more information, please see our Comments Policy.