Pando

Small businesses present a huge, unreported opportunity for hackers

By Nathaniel Mott, written on June 30, 2015

From The Security Desk

It often seems like a week can’t pass without news breaking of a data breach at a retailer, government agency, or health insurer. But how many other breaches go unreported — or even unnoticed?

Large companies have systems that warn them about data breaches. Alarms went off when hackers stole at least 40 million credit cards from Target; it simply decided to ignore all the warnings. And of course the government knows — at least part of the time — when its systems have been compromised. (Repelling the attackers or learning not to open spam emails is another story entirely.)

Yet small businesses don’t often have access to the same systems. Some of that might be chalked up to their technical ignorance. It might also be caused by the belief that no one would bother to steal information from anyone without millions of customers.

This is a problem that Kevin Haley, the director of Symantec’s Security Response team, has encountered in the past. As he told me when I asked how small businesses respond to hacking attempts,

“I often have heard… well, I’m a small business, nobody would bother with me. And I would say, well, you know, do you have information worth stealing? Usually they say no, but if you talk to them, they go, oh, yeah.”

Haley’s anecdotal evidence is supported by a McAfee survey from January which revealed “that 90 percent of small- and medium-sized businesses in the United States haven’t bothered to protect their data,” as I wrote when the survey’s findings were published.

It’s hard to blame these businesses for thinking they don’t have anything worth stealing. How many of us really think about how much information — our phone numbers, our addresses, our credit cards — we hand over to countless mom-and-pop shops every single day?

And we’re not only trusting the stores themselves. Many of them don’t handle their own systems — they find the best service they can and then pay someone else to maintain it whenever that service doesn’t perform as expected.

“We do see attackers who look for smaller stores,” Haley told me. This problem is pronounced whenever “the owner and the vendor have the capability to remotely log in.” Hackers can take advantage of those remote connections to steal information.

Many businesses might not even know that a breach has happened.

“I talked to a small business after some of the large retail breaches,” Haley said, “and he was like, 'I don’t know if this could happen to me.'” The security of his data wasn’t a priority.

But even businesses that do notice a breach might never reveal it to the public.

“Many of these places, when they’re small like that, if they’re breached, we may never know, because they may never report it,” Haley said. “They may never know; but if they do, it probably won’t be publicly revealed.”

Simply put, many small business owners are using systems they don’t maintain, offered by companies they don’t know, without even thinking about the safety of their customers’ information. And, even if they do spot a breach, they probably won’t tell anyone.

Some of the biggest entities in the United States, from retailers like Target to the White House and the nation’s second-largest health insurer, have been hacked over the last few years. Now might be the time to ask how many of the smallest have had the same problem.
