Detecting cyber attacks

Why small and medium-sized businesses should be concerned


Today, I write about the need for small and medium-sized businesses to be concerned about detecting cyber attacks. I advise these businesses to add a detective layer of security — it is called “monitoring”. The nature of today’s attacks makes it important for businesses to monitor their networks and key systems for security threats — especially against sophisticated Internet-based threats. In the interest of full disclosure, this need led me to recently design and develop a cost-effective software-as-a-service based solution called ynotLOG by SevenTwentyNine (www.seventwentynine.com).

Cyber attacks are on the rise. Symantec’s 2013 Internet Security Threat Report reveals that there was a 42% increase in targeted attacks in 2012. Attackers are also evolving their techniques from generic and opportunistic to targeted, resilient and evasive. The targets are no longer just strategic government agencies and big businesses. 31% of all reported targeted attacks involved businesses with fewer than 250 employees. The bad news is that many small businesses falsely believe that they are immune to targeted attacks. An important question for small and medium-sized business owners, executives and managers is “what are you doing to protect your business from cyber attacks?”

Let me explain why small and medium-sized businesses should be concerned about cyber attacks.

First, some smaller organizations provide specialty services to large businesses, and this usually involves having some form of trusted access to the larger business. For example, law firms are usually involved in confidential mergers and acquisitions between large businesses. Go after the law firm and you will learn about the details of the transaction. State-sponsored attackers are known to favour this option. Another example is the recent compromise of Target’s point-of-sale systems. This compromise resulted in the theft of information related to over 70 million credit and debit cards. Reports indicate that the initial intrusion into Target’s systems was traced back to network credentials stolen from a third-party vendor (an HVAC company).

Second, attackers may be directly interested in a small or medium-sized business. This may be for personal information or financial data belonging to customers, proprietary or intellectual information on a new product, or just for bragging rights. Smaller organizations usually have less sophisticated IT security systems. Smaller organizations also typically do not maintain the same level of data protection as larger businesses. It makes perfect sense to go after a softer target that may not easily and quickly detect the attack.

Third, an attack on a large organization can affect smaller businesses. The Financial Post recently reported a hacking incident involving a major telecommunications company. The incident exposed the usernames and passwords of over 20,000 small business customers. It is not uncommon for personnel to use the same usernames and passwords across a variety of services — including their business systems. Do you use the same password for Facebook, LinkedIn and your business’s remote access connection?

Further compounding the issue of cyber attacks is the length of time that it takes to detect an attack. Findings reveal that it takes many organizations over 200 days to detect an attack. This is a long time for an attacker to freely roam about in an organization’s network. A question that should be on the minds of business owners and executives is “how can my business detect cyber attacks more quickly?”

Anti-virus software, firewalls, intrusion detection systems, etc. remain important to protecting your business. However, these tools alone will not prevent your business from being hacked. Big businesses have these tools and still get hacked. The future (which is here now) is being able to detect attacks in a timely manner — and before the attacker is able to do any real damage. Monitoring with the right type of threat intelligence is where organizations need to be. Big businesses are already moving in that direction. Why not smaller organizations?