Smaller businesses, like the HVAC company that caused the Target penetration in 2013, often think they are too small to be security targets, but SMB cybersecurity can have big implications. Size doesn’t matter as long as your firm has something of value that someone thinks is worth stealing, or a connection that someone thinks is worth exploiting.
In the case of Target, the retail chain had pretty solid cybersecurity practices in place. Its Achilles’ heel was a Windows server running on the HVAC vendor’s site that could be compromised. That server breach led to Target’s point-of-sale system being infected with malware, resulting in millions of dollars in subsequent losses.
Small Leaks Lead to Big Problems
The leak of a pending merger, new product description or confidential personnel memo can cause problems. None of these involve a lot of data in terms of megabytes, but all can influence markets or compromise the reputation of a particular organization. The “I’m too small to be a target” fallacy makes it easier to steal data and compromise SMB cybersecurity than to attack a large bank or other enterprise directly.
Indeed, the more vertical the SMB market, the more likely it is to sustain attacks. Take a specialized medical device vendor, for example. Many of these devices are connected to the internet and have embedded servers. An attacker could potentially penetrate an entire hospital network by compromising a single device.
SMB Cybersecurity Best Practices
Tripwire offered some suggestions to improve SMB cybersecurity practice that won’t cost millions. One is to provide incentives, through tax breaks or noncompliance fines, that motivate SMBs to partner with a cybersecurity vendor to improve their posture and strengthen their security program. Another idea is to emulate financial firms and other large businesses by leveraging threat data and sharing best practices.
Small businesses should also train employees to recognize phishing attacks. SMB firms often lack the security depth and training to recognize these scam emails, especially as cybercriminals get better at using insider information to make the communications more believable.
Finally, SMB cybersecurity insurance should be made more available and attractive to help protect smaller companies from potential adverse effects.