Perimeter

9/27/2010
11:08 AM
Five Main Causes Of SMB Security Incidents

Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.

Here are the five primary causes that were repeated in the vast majority of reports from small businesses (in order of most offenses to fewest):

1. Improper destruction of confidential data. Small and large organizations alike are subject to employees dumping files that should have been shredded. Report after report documented specific cases of confidential data -- customer records, bank account information, medical records, and employee files -- being disposed of improperly. As small businesses cleaned out files, changed personnel, moved offices, or went out of business, employees routinely dumped sensitive papers in public trash and recycling bins. In many cases, boxes of juicy data were simply left out near a dumpster or back door, making them an easy target.

Many employees felt the information on the papers was dated and of no use, so it didn't need to be shredded. Others simply weren't aware of the need for proper disposal. The takeaway for SMBs: Have a detailed policy in place for data and record destruction, and make sure EVERY employee is made aware of the policy and reminded of it regularly. You should also know the breach-notification laws in your area and understand the consequences and fines associated with every compromised record. The fines incurred for even a small stack of papers could be enough to put you out of business.

2. Database attacks on Web transactions. The majority of businesses these days conduct transactions online in one form or another, and SMBs are certainly no exception. I was surprised, though, by the volume of incident reports that detailed cases of attackers collecting billing and customer information from online servers. In some instances the attack was on the transaction component itself (the Web application taking the order); in others the attackers stole stored data from the back-end servers, often ones sitting inside the organization's network behind the Web front end.

Many SMBs feel they're too small to be targeted, but the automated attacks these attackers can launch are scary. They may not be after you specifically, but if you're vulnerable and you're on the Internet, they'll still find you. The takeaway here for SMBs: Put the same effort into protecting your digital assets as you would your physical ones. If you don't have the staff in-house to maintain, patch, and secure public-facing servers, then outsource that work. Keep in mind that outsourcing transfers the operational burden, not the accountability: it is still your customers' data, and the breach laws and card-brand rules still hold you responsible for it, so put patching and breach-notification obligations into the contract.
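To make the mechanics of this concrete, here is an added example; it is not code from the article or from any of the businesses in the breach reports. It shows the most common form of this kind of attack, SQL injection, against a hypothetical billing lookup: one version pastes the shopper's input into the SQL text and hands the whole customer table to a single crafted request, the other binds the value with a parameterized query. The table, column names, customer rows and the `lookup_*` function names are all constructed for the demo, and the card numbers are the well-known industry test numbers, not real accounts.

```python
# Added example, not code from the article: a billing lookup written two ways.
# All names, tables and rows below are constructed for this demonstration.
import sqlite3

# Constructed stand-in for an SMB's customer/billing table. The card numbers
# are industry test numbers, not real accounts.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Adams", "4111111111111111"),
    ("bob@example.com", "Bob Brown", "5500000000000004"),
    ("carol@example.com", "Carol Clark", "340000000000009"),
]


def build_db():
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The 'before': the shopper's input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    sql = (
        "SELECT email, name, card_number FROM customers "
        "WHERE email = '%s'" % email
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The 'after': the driver binds the value separately from the query text,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT email, name, card_number FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic injection payload: closes the quote, then ORs in an always-true test.
INJECTION = "x' OR '1'='1"


def demo():
    """Return (rows the vulnerable query leaks, rows the safe query returns)
    for the same injected input."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    contained = lookup_safe(conn, INJECTION)
    return len(leaked), len(contained)


if __name__ == "__main__":
    leaked, contained = demo()
    print(f"vulnerable query handed back {leaked} customer records")
    print(f"parameterized query handed back {contained} records")
```

The vulnerable query turns into `... WHERE email = 'x' OR '1'='1'` and returns every row, card numbers included; the parameterized one compares the whole payload as a literal e-mail address and returns nothing. The same fix applies whatever the database engine or driver: never build query text out of user input.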

3. Data theft from insider attacks. I giggled as I read the numerous stories of clerks, cashiers, and wait staff who compromised volumes of customer credit cards using skimmers: small physical devices that capture a card's magnetic-stripe data when it is swiped, for later fraudulent use. In each case, the insider either used the card numbers for their own direct gain or sold the data to others.

Other insider attacks of a similar nature included the theft and sale of customer data or company records in digital form. It's pretty easy for an employee to save or export these files and carry them out via email or removable media. I hate to use the phrase "data leak prevention," but often that's exactly what's missing in smaller environments, where employees are usually more familiar with one another and more trusted by management. The takeaway for insider threat prevention: It's a tough fight to win, but a good start would be basic access controls around key resources (so people can reach only the records their job requires), explicit policies, and employee awareness so they understand the consequences of malicious activity. We always say not to use FUD tactics in security, but when dealing with employees, I say "FUD away!"

4. Credit card transaction slips. If you're like me, you look at your credit card slip to make sure the merchant hasn't printed the entire card number. I sure do. In fact, I scribble those things so hard with the pen that I usually chew right through the paper. Yeah, no one's going to read THAT later. For everyone who objects, "Oh, PCI says you can't do that," well, guess what: merchants do it anyway. (PCI DSS does require the card number to be masked wherever it is displayed, including on printed receipts, with at most the first six and last four digits shown.) And apparently enough merchants are still printing full card numbers that, even in the past year, a number of SMB security incidents can be attributed to physical break-ins in which the cash drawer and the credit card receipts were taken.

The takeaway here is easy. If you're still printing full card numbers, call your merchant services provider and have them reprogram your card terminals to truncate the number. If you're not printing full card numbers but account numbers are printed elsewhere in the organization (on paper reports, filed receipts, or exported records), make sure they are stored in a way that makes them a difficult target during a break-in at any location.
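As an added check (example code written for this page, not something from the article), here is a small scanner you can run over receipt text, batch printouts or exported reports to find full card numbers that should have been truncated. It looks for 13- to 19-digit runs, confirms each with the Luhn check that every real card number passes (so order numbers and phone numbers are not flagged), and shows the masked form the receipt should carry instead. The receipt text and its order and auth numbers are constructed for the demo; the card number is the standard Visa test number.

```python
# Added example, not code from the article: find full card numbers (PANs)
# in printed/exported text and show the masked form that should appear instead.
import re

# Digit runs of 13 to 19 digits, allowing the spaces or dashes that receipts
# and exports often put between groups. The lookarounds stop it matching a
# slice out of a longer number.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check (every real card number
    does). Used here to separate card numbers from order IDs and other long
    numbers that happen to be the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text):
    """Return the full PANs (digits only) found in text, in order of appearance."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Mask all but the last four digits, the form a receipt should print."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed receipts for the demo; the card number is the standard Visa
# test number, the phone, order and auth numbers are made up.
RECEIPT_BAD = (
    "CORNER CAFE   919-555-0100\n"
    "VISA 4111 1111 1111 1111\n"
    "ORDER 1234567890123\n"
    "AMOUNT  $12.50   AUTH 012345\n"
)
RECEIPT_GOOD = RECEIPT_BAD.replace("4111 1111 1111 1111", "************1111")


def audit(text):
    """Return (is_clean, masked forms of any full PANs found in text)."""
    pans = find_unmasked_pans(text)
    return (len(pans) == 0, [mask_pan(p) for p in pans])


if __name__ == "__main__":
    for label, receipt in (("bad", RECEIPT_BAD), ("good", RECEIPT_GOOD)):
        clean, masked = audit(receipt)
        verdict = "clean" if clean else "FULL PAN PRINTED -> " + ", ".join(masked)
        print(f"{label} receipt: {verdict}")
```

The 13-digit order number on the constructed receipt is the reason for the Luhn step: it is long enough to look like a card number, but it fails the checksum and is correctly ignored, while the genuine PAN is flagged and the masked form is reported. Point the same function at any text you print or export and anything it flags needs truncating at the source.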

5. Malware on endpoints. Ah, the one that never goes away. That nasty malware thing rounds out my top five. The effects of malware in your small business can be multifaceted. Much of it turns your systems into zombies (bots) in the background, draining processing power and bandwidth for someone else's benefit. Other strains do silly things like send out emails with random files attached. I've seen this firsthand numerous times, and my most recent research shows malware is still no stranger to the incident reports. The takeaways: Be sure you're using an enterprise-class endpoint security solution. This is usually your antivirus with some steroids and a central management console you can use to push out updates, monitor activity, and ensure compliance. The second takeaway often gets overlooked: what I call the dirty dishrags of the network, the laptops and remote and mobile devices that don't live in the office, or are employee-owned and not considered managed endpoints. Make sure there's a policy in place for these and some means of enforcing protection or watching for malicious activity.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations.
