Tom Olzak

You Just Have to Run Faster than the Bear

In Business Continuity, Cybercrime, Data Security, Hacking, Risk Management on March 23, 2009 at 09:49

For years, large businesses have spent millions to improve information security.  Much of this expense was driven by regulation or fear of public relations issues.  As security around large networks and data repositories improved, however, many small and medium business (SMB) managers didn’t feel the need to spend money on security.  After all, only large targets get hit.  Why should they care?

The reason SMBs should care is simple.  They are typically softer targets than their big brothers.

As large organizations, once easy pickings for business-minded cyber-criminals, strengthened their defenses, the cost associated with unlawfully obtaining valuable information from them increased.  Along with cost increases there was also growing probability of being detected and arrested.  So criminals had to look for less expensive targets with lower personal risk.  They often found them among SMBs.

According to an article by Tim Wilson,

Hackers and computer criminals this year are taking a new aim — directly at small and midsize businesses, according to experts who spoke here today at Visa’s annual security event. The consensus: Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts.

“As the security becomes better at large companies, the small business begins to look more and more enticing to computer criminals,” said Charles Matthews, president of the International Council for Small Business, in a panel presentation here. “It’s the path of least resistance.”

Source: Small Business: The New Black in Cybercrime Targets, Tim Wilson, DarkReading, 19 March 2009

This has always been the case, as depicted in an old joke about a bear.  You remember the one.  Two friends are in the woods when a bear starts chasing them.  The first friend begins to run as the second exclaims, “You can’t outrun a bear!”  The first friend replies, “I don’t have to.  I only have to outrun you.”

The same principle is working here.  For attackers to shift attention from large enterprise targets to SMBs, large network security doesn’t have to be perfect.  It just has to be stronger than the controls protecting SMB networks.  This makes extracting valuable information from SMBs less expensive, increasing attack ROI.  And since most SMBs don’t deploy detection systems, the risk of getting caught while in the act is much lower.

I’ve written previously about the problem with ignoring SMBs as a source of PII and ePHI breaches.  In many cases, SMBs also provide critical services to public and private entities, making their infrastructure availability as important as data confidentiality and integrity.  Hopefully it won’t take a series of publicized breaches against smaller organizations for everyone to get the message. 

And it isn’t just SMBs that have to start taking a closer look at security.  Once they’re locked down, the next softest targets that are still lucrative might include home networks.
