CRN Special Report: Head in the sand
This report, commissioned by McAfee, explores how SMBs' smaller size no longer means they are under the radar of cyberattackers
With stories of Jason Bourne-style cyberattacks continuing to dominate the media narrative, small business owners could be forgiven for thinking they are immune from cybercrime.
But away from the flashing lights of state-sponsored malware assaults on governments and critical infrastructure, there are growing fears that SMBs are fast becoming the primary target for cybercrooks hunting easy targets further down the food chain.
While enterprises have beefed up their security in recent years, many SMBs are leaving their back doors wide open to attack and appear to be unaware of the value of their intellectual property.
How the channel can help arm these smaller firms doing battle on this new frontier of security was the subject of a recent CRN roundtable, commissioned by McAfee.
According to a recent PwC study, 63 per cent of small businesses reported attacks from unauthorised outsiders in the past year, up from 41 per cent a year earlier.
Raj Samani, European chief technology officer at McAfee, said many are labouring under the misconception that they pass under the radar of cybercriminals.
He claimed the industry itself is partly to blame.
"The security industry is really interested in the flashing neon lights, the masked men, the attackers from different countries - the Michael Crichton and Jason Bourne-type stories. You read that and think you're well down the food chain and because the media builds up these bigger stories, people feel it won't happen to them."
SMBs often are not cognisant they can be used by hackers as a stepping stone to larger organisations, added Andy Mayle, chief technology officer at Armadillo.
"RSA [Security] was not hacked [in 2011] because it was RSA, it was hacked because the information it held could be used to get to defence organisations. SMEs don't realise they could be used to get to someone they deal with."
According to McAfee, the threat to SMBs is becoming even more pronounced due to the emergence of a rampant online marketplace wannabe hackers can use to purchase tools and services to bring down a company of their choosing.
The study highlighted a service offering to launch a distributed denial of service [DDoS] attack on behalf of would-be attackers from as little as $2 (£1.28) per hour. The service simply required attackers to inform it of which site they wish to target, decide how much they are willing to pay, and initiate the service.
Samani, who co-authored the report, added that five million email addresses can now be purchased on eBay for £3.49, while credit card numbers can be readily procured via YouTube.
"When I was originally asked whether the team would consider researching this, I said 'well this really isn't anything new'," he said. "We knew hackers could be hired and that you can go and buy tools online. But what really surprised us was the ease and accessibility of these tools and services.
"And I think this is really relevant for small business. If they think they're too small to be hit - well, if they're in competition with that small business down the road and they can bring you down for $2, that makes business sense, and let's be honest, they're not going to get caught."
Nowhere to hide from attack
David Lannin, IT security strategist at Sapphire, agreed that hackers are diversifying how they sell their skills to the market through managed services and support agreements. Although rootkits and toolkits were available to purchase five or even 10 years ago, there has been a marked increase in their availability, he said, meaning that firms of all sizes are now fair game.
"The tools are so much more accessible; everybody is potentially under attack," he said. "There is a degree of head in the sand - 'it won't happen to us' - that seems to permeate the SME market."
According to PwC, 23 per cent of SMBs questioned in April reported they had suffered DDoS attacks in the past year, up from 15 per cent last year. The consequences of these disruptive techniques can be dire for an SMB whose annual profits are measured in the thousands.
In May, the Federation of Small Businesses found that 41 per cent of its members had been a victim of cybercrime in the previous 12 months, with an average cost of £4,000 per firm.
Mayle said one of his clients, which operates a website turning over £1m annually, was floored by a DDoS attack for a week because it had not rolled out adequate defences.
"Because it was a hosted website, the owner thought he had protection in place," he said. "The guy was a bit blasé about it when it was back up and running. I had to point out to him that it had cost about £25,000. That is a massive loss to a small company and that's just the financial cost."
Stephen Love, security practice lead at Cisilion, had a similar tale to share about a mobile ringtone firm which was losing £10,000 a day after suffering a DDoS attack, a situation made worse by the fact it had just a single, creaking Cisco PIX firewall.
"Once the problem was fixed, they did not want to continue the conversation about upgrading their infrastructure and making it more robust because they were making money again," he said.
As eye-catching stories about state-sponsored cyberattacks continue to rack up the column inches, there is a danger that SMBs will wrongly conclude they are out of reach, warned Colin Blumenthal, co-founder of Complete i.t.
"Business owners are not aware of their peers being attacked and therefore do not think there is any need for them to take any extra-special measures besides having a firewall and anti-virus," he said. "It comes down to a lack of education, knowledge and awareness."
Blumenthal agreed that some SMBs refuse to take security seriously even after they have been hit, giving the example of a recruitment firm that suffered a five-day outage after its SBS server was taken down by a malware attack. Rather than accepting help from a professional supplier to minimise the threat of a similar attack in the future, it simply bought a new SBS server and carried on as before.
"I just wanted to get angry," Blumenthal said.
"SMEs have tight, fixed budgets, and they would prefer to spend £10,000 on marketing to increase sales. So it's about educating them, explaining the risks, and getting them to see investing in security over and above these other things as a priority - and that is a real challenge."
Matt Hampton, chief technology officer at Imerja, said: "We have found that a lot of SMEs do not treat their corporate network as having anything valuable on it. They have an externally hosted website and all their protection is loaded on to that and they do not see the need for [anything else] until it's too late."
SMBs often lack an internal IT department and are reliant on their suppliers, both vendors and resellers, to frame technology in language that makes sense to their business. But the industry has not always stepped up, the roundtable participants agreed.
Spread the word
Lannin urged vendors to provide SMBs with more case studies giving real-world examples of how peers have been attacked and how they should mitigate this. Messaging should be tightly tailored to the nature of their business, he said.
"It's all very well talking about cyberattacks and DDoS attacks, but quite frankly that might not be their biggest problem," he said. "It might be the fact they have 20 sales guys and every month one of them loses a laptop or mobile with data on it. So forget pouring the investment into the latest and greatest in IPS and firewalling - let's look at things such as encrypting data while it's in transit or while it's at rest on mobile devices and encourage them to put appropriate controls around their organisation."
Lannin added: "I think the technology has got to a point where it totally delivers - if you're doing a bake-off between McAfee, Symantec and Check Point, essentially it's the same firewall and small business owners are not too concerned about the badge.
"But unless vendors move down the education piece, we are never really going to grow this market and it will continue to be a case of people being reactive - 'something's happened, let's look at a quick fix'. Organisations will not have enough in place to protect their critical assets as all they have done is lifted the standard building blocks the company down the road has. What's missing is addressing what's important to them."
Jon Penney, managing director of Intellect Security, agreed that vendors have taken too much of a nuts-and-bolts approach to promoting their technology in the past.
"I think it would be very useful in conversations with SMEs to say 'here's why an attacker might be motivated to attack you'. Because I think the assumption for SMEs is [hackers] have bigger fish to fry and wouldn't be remotely interested. When in reality, they are."
Love agreed: "Resellers need to pay more attention to education of their client base, to enable them to understand the cyberthreats that are out there today."
SMBs face a further hindrance in that many security technologies remain out of their reach in terms of cost and complexity, not least encryption tools that protect critical back-end infrastructure such as database servers and SaaS applications, said Penney.
"It has not got to the same point in maturity as email and hard-disk encryption," he said. "Vendors have been far too focused on protecting the end-point devices and not enough on the back-end infrastructure. There is technology available but the accessibility of that technology from a price entry point is prohibitive for most small businesses."
If the carrot approach does not work, SMBs are being prodded to bolster their security by an increasingly long and spiky stick wielded by the technocrats in Brussels. The EU is bringing in tough new laws that will force firms to report any breaches of data protection regulations to authorities as well as affected individuals within 24 hours.
Those who fail to act may also be ostracised by large customers demanding their suppliers be compliant with standards such as ISO 27001. Mayle said this is driving a lot of conversations with smaller firms outside Armadillo's core enterprise customer base.
"Some large companies are saying 'if you want to deal with us, you have to look at your security'," Mayle said. "And I think that's going to be a very big driver for SMEs in the future if they want to do business with larger organisations."