A front-page story in the Wall Street Journal on 21 July 2011 says it all: small and midsize businesses are now at much greater risk.
Don’t believe it or think it’s just more scare tactics? Read the story for yourself at the WSJ.
If the link only provides you a summary, search for “Hackers Shift Attacks to Small Firms”.
Some of the key findings in the story:
In 2009, of the 141 incidents of cyber-theft from businesses reported by the U.S. Secret Service and Verizon, 27 percent (38 events) involved small businesses with fewer than 50 employees.
One year later, in 2010, the same sources report that 63 percent of 761 reported events of cyber-theft (479 events) involved small businesses with fewer than 50 employees.
The Secret Service and Verizon numbers are buttressed by similar findings from Symantec’s Internet Security Threat Report.
Shocking as the shift in the percentages is, the increase in the raw number of reported events shows just how prevalent cyber-theft against small business is becoming: a staggering increase of more than 12-fold from one year to the next, between 2009 and 2010. And these figures do not include the cyber-thefts going unreported and unknown, which are probably more substantial than what is reported or realized.
Case in point: the small business featured in the Wall Street Journal article, City News, located in Chicago. The owner of City News, Mr. Angelastri, did not know that for a full year cyber-thieves had placed malware on his invoicing systems for processing credit card payments. This resulted in credit card data being siphoned to cyber-thieves that had set up shop at a hosting site located in Russia. Who knows where they are really located? No one is saying, if they know, and Mr. Angelastri to this day does not know.
A small merchant, Mr. Angelastri does about $1 million in sales annually according to the article in the Wall Street Journal, and he is still paying off loans totaling $22,000 for forensics examinations and security improvements so that he can continue accepting credit card payments and stay in business.
Data from ongoing benchmarks conducted by the IT Policy Compliance Group reveal a disturbing trend since 2008, including:
22 percent of all organizations experiencing the highest rates of security problems that were having a material financial impact were among small businesses and mid-size firms with less than $50 million in annual sales.
The share of small businesses with the most problems then jumped to 27 percent.
This figure increased again to 34 percent.
As of the second quarter of 2011, this figure stands at 40 percent.
In the United States, this translates into 2.3 million firms, which is 44 percent of all firms with fewer than 500 employees.
The threat is not limited to the U.S., as small merchants and midsize businesses in Frankfurt, Manchester, Paris, Milan, Singapore, Dubai, Sydney, Tokyo, Toronto, Mexico City, Minsk and many other locations around the world will attest.
If anything, the Wall Street Journal article shines a spotlight on a trend that has long been underway: cyber-thieves are now focused on ill-gotten gain by targeting small businesses.
Unfortunately, cyber-thieves have discovered that small firms have some of the weakest controls and practices in place when it comes to information security.
On-site interactive assessments conducted by the IT Policy Compliance Group reveal small business owners and midsize firms routinely self-rate their practices and ability to deflect cyber-threats at a 1 or 2 level, on a 5-point scale. This is the equivalent of an “F” or “D” letter grade: not good enough when it comes to handling online finances or sensitive information.
A majority of small businesses do not have staff that understand what is needed for preventive or detective controls, technical and non-technical, to manage the risks of doing business online, despite the fact that many are now using online invoicing, payment processing and banking services.
For instance, an average of 76 percent of small and midsize businesses with less than $50 million in annual sales are not using any information security controls: simply staggering! The averages can be misleading however. For example, 53 percent are not using firewalls and 52 percent are not using anti-virus and anti-malware controls, while 81 percent are not employing anything to test for vulnerabilities.
Small and midsize merchants using credit card processing systems are required to abide by strictures put in place by the PCI DSS standard. This standard, developed over years of common-sense use, is widely credited with helping small, midsize and large firms understand – and hopefully improve – practices needed for adequate information security practices.
Penalties and sticks only go so far
However, the benefits of PCI DSS have been a stick instead of a carrot. For instance, penalties for not complying can include not being able to transact credit card payments at all, as Mr. Angelastri discovered. The primary benefit of the PCI standard continues to be the ability to accept and process credit card transactions. As anyone will attest, incentives work better than sticks to drive behavior, and most people and organizations find easier ways to avoid sticks.
Incentives drive behavior
What would have helped Mr. Angelastri, and will help the millions of other small business owners and midsize firms, is a carrot to complement the existing PCI DSS stick. Such a carrot might involve tax credits for beefing up and implementing best-practice controls for information security that are largely missing among a majority of small businesses. The competitive interests at stake should be obvious to most firms and governments in all nations, not just those in the United States.
We can hope that small business supporters, such as the Chamber of Commerce among others, can help drive this kind of carrot-based approach in the U.S. and give small business owners a fighting chance against cyber-thieves.
What about inside the Beltway? Let’s first see which adults in Washington are able to resolve the tax and debt negotiations before August 2nd.
Beyond the U.S., support from the Euro Zone, individual countries and even the IMF or World Bank may be needed. The problem is not going away without adequate incentives, practices and knowledge that can be readily consumed by small and midsize organizations, including government agencies.