Archive for July, 2011

Hackers Shift Attacks to Small Firms

Thursday, July 21st, 2011

A front-page story in the Wall Street Journal on 21 July 2011 says it all: small and midsize businesses are now at much greater risk.

Don’t believe it or think it’s just more scare tactics? Read the story for yourself at the WSJ.

If the link only provides a summary, search for “Hackers Shift Attacks to Small Firms”.

Some of the key findings in the story:

In 2009, of the 141 incidents of cyber-theft from businesses reported by the U.S. Secret Service and Verizon, 27 percent (38 events) involved small businesses with fewer than 50 employees.

One year later, in 2010, the same sources reported that 63 percent of the 761 reported cyber-theft events (479 events) involved small businesses with fewer than 50 employees.

The Secret Service and Verizon numbers are buttressed by similar findings from Symantec’s Internet Security Threat Report.

Shocking as the shift in the percentages is, the increase in the raw number of reported events shows just how prevalent cyber-theft against small business is becoming: a staggering increase of more than 12-fold from one year to the next, from 38 events in 2009 to 479 in 2010. And these figures do not include the cyber-thefts that go unreported or undetected, a number that is probably larger than anything reported or realized.

Case in point: the small business featured in the Wall Street Journal article, City News in Chicago. Its owner, Mr. Angelastri, did not know that for a full year cyber-thieves had placed malware on the invoicing system he used to process credit card payments. The malware siphoned credit card data to cyber-thieves who had set up shop at a hosting site located in Russia. Where they are really located, no one is saying, if anyone knows, and Mr. Angelastri to this day does not know.

A small merchant, Mr. Angelastri does about $1 million in sales annually, according to the Wall Street Journal article, and he is still paying off $22,000 in loans for forensic examinations and security improvements so that he can continue accepting credit card payments and stay in business.

Staggering numbers!
Data from ongoing benchmarks conducted by the IT Policy Compliance Group reveal a disturbing trend since 2008, including:

In 2008
22 percent of the organizations experiencing the highest rates of security problems with a material financial impact were small businesses and midsize firms with less than $50 million in annual sales.

In 2009
The share of small and midsize firms among those with the most problems jumped to 27 percent.

In 2010
This figure increased to 34 percent.

As of the second quarter of 2011
This figure stands at 40 percent.

In the United States, this translates into 2.3 million firms, or 44 percent of all firms with fewer than 500 employees.

The threat is not limited to the U.S. as small merchants and midsize businesses in Frankfurt, Manchester, Paris, Milan, Singapore, Dubai, Sydney, Tokyo, Toronto, Mexico City, Minsk and many other locations around the World will attest.

If anything, the Wall Street Journal article shines a spotlight on a trend that has long been underway: cyber-thieves are now pursuing ill-gotten gain by targeting small businesses.

Unfortunately, cyber-thieves have discovered that small firms have some of the weakest information security controls and practices in place.

On-site interactive assessments conducted by the IT Policy Compliance Group reveal that small business owners and midsize firms routinely self-rate their practices and their ability to deflect cyber-threats at 1 or 2 on a 5-point scale. This is the equivalent of an “F” or “D” letter grade: not good enough when it comes to handling online finances or sensitive information.

A majority of small businesses do not have staff that understand what is needed for preventive or detective controls, technical and non-technical, to manage the risks of doing business online, despite the fact that many are now using online invoicing, payment processing and banking services.

For instance, an average of 76 percent of small and midsize businesses with less than $50 million in annual sales are not using any information security controls: simply staggering! The average can be misleading, however. Looking at individual controls, 53 percent are not using firewalls and 52 percent are not using anti-virus and anti-malware controls, while 81 percent are not employing anything to test for vulnerabilities.

Small and midsize merchants that process credit card payments are required to abide by the strictures of the PCI DSS standard. This standard, developed over years of practical use, is widely credited with helping small, midsize and large firms understand, and hopefully improve, the practices needed for adequate information security.

Penalties and sticks only go so far
However, the benefits of PCI DSS have come as a stick rather than a carrot. For instance, the penalties for non-compliance can include losing the ability to accept credit card payments at all, as Mr. Angelastri discovered. The primary benefit of the PCI standard continues to be the ability to accept and process credit card transactions. As anyone will attest, incentives work better than sticks at driving behavior, and most people and organizations find it easier to look for ways to avoid the stick.

Incentives drive behavior
What would have helped Mr. Angelastri, and will help millions of other small business owners and midsize firms, is a carrot to complement the existing PCI DSS stick. Such a carrot might involve tax credits for beefing up and implementing best-practice information security controls, which are largely missing among a majority of small businesses. The competitive interests at stake should be obvious to firms and governments in all nations, not just the United States.

We can hope that small business supporters, such as the Chamber of Commerce among others, can help drive this kind of carrot-based approach in the U.S. and give small business owners a fighting chance against Cyber-thieves.

What about inside the Beltway? Let’s first see which adults in Washington are able to resolve the tax and debt negotiations before August 2nd.

Beyond the U.S., support from the Euro Zone, individual countries and even the IMF or World Bank may be needed. The problem is not going away without adequate incentives, practices and knowledge that small and midsize organizations, including government agencies, can readily consume.

Institute of Internal Auditors

Thursday, July 21st, 2011

http://www.theiia.org/

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with members in 165 countries and global headquarters in Altamonte Springs, Fla., United States. Throughout the world, The IIA is recognized as the internal audit profession’s leader in certification, education, research, and guidance.

ISACA

Thursday, July 21st, 2011

www.isaca.org

The nonprofit, independent ISACA is a global leader in IT governance, security, control and assurance. Founded in 1969 as the EDP Auditors Association, ISACA is the single leading international source for information technology controls. ISACA is dedicated to serving the needs of IT governance professionals.

IT Governance Institute

Thursday, July 21st, 2011

www.itgi.org

The nonprofit, independent IT Governance Institute® (ITGI) was established by ISACA in 1998 in recognition of the crucial role of information technology in the success of an enterprise. Effective IT governance helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and successfully use IT to support the enterprise’s mission and goals.

CISO Executive Network, LLC.

Monday, July 11th, 2011

http://www.cisoexecnet.com

The CISO Executive Network is a peer-to-peer membership organization dedicated to helping information security, IT risk management, privacy, and compliance executives be more successful.

Impact

Monday, July 11th, 2011

http://www.impact-alliance.org

As the world’s first not-for-profit comprehensive global public-private partnership against cyber threats, the International Multilateral Partnership Against Cyber Threats (IMPACT) is well positioned to assist partner countries, especially developing nations who are broadening their Internet capabilities. IMPACT is dedicated to bringing together governments, academia, industry leaders and cyber-security experts to enhance the global community’s capacity to prevent, defend against and respond to cyber threats.

What Assessments are currently available?

Monday, July 11th, 2011

The following list may be out of date. We recommend you check on the site to see the currently available titles.

  • Industry spend comparison
  • Data driven reporting about IT
  • Manage the risks of smartphones
  • Manage the benefits of smartphones
  • Value of IT
  • IT assets and Cloud computing
  • Organizational structure for information security
  • Risk and compliance management
  • Organizational and policy risks of Cloud computing
  • Operational and technology risks of Cloud computing
  • Management of Policy
  • Frameworks and Standards
  • Management of Procedural Controls
  • Management of Information Controls
  • IT Assets and Cloud Computing
  • Management of Technical Controls
  • IT Security Controls and Outcomes
  • Vulnerability and Threat Management
  • Reporting and Risk Management
  • Financial impact of practices

How do I use the assessments?

Monday, July 11th, 2011

Choose one of them to start.

Step 1: Launch the assessment and select answers for your practices for the questions posed on the “Questions” pane

Step 2: Select the “Results” pane button located at the top of the page

This will display a ‘Results’ pane that is specific to your answers along with comparisons against:

  • Your industry
  • Your peers
  • Best performing organizations

Step 3: Return to the Questions pane to identify improvement opportunities

When you change answers to questions, you’ll see the “Overall” risk or benefit index in the upper right of the display pane change from Red to Green, or from Green to Red, depending on the answers you select. Maximizing value and minimizing risk is always at the “green” end of this display. Identify the “gaps” between your current practices and those that reach the “green” end of the spectrum, and you are on your way to identifying practices that will improve outcomes for your organization.

What do the other assessments focus on?

Monday, July 11th, 2011

Each assessment focuses on the relationship between the outcomes organizations are experiencing and the practices responsible for those outcomes; the outcomes examined differ considerably and are specific to each title.

What does IT Policy Compliance.com focus on?

Monday, July 11th, 2011

We focus on three major areas: (1) the practices most responsible for the delivery of value from IT, (2) the management of risk related to the use of IT, and (3) the management of compliance with policy and with regulatory and legal mandates, together with the controls needed to better manage business risk related to the use of IT.