Small firms ‘easy prey for cyber criminals’

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.bdlive.co.za/business/technology/2013/11/18/small-firms-easy-prey-for-cyber-criminals

Millions of small businesses with fewer than 20 employees, ranging from
dental surgeries, financial advisers, independent legal counsellors,
information technology consulting firms, and other companies, are
neglecting the security of their information technology (IT) equipment and
putting their customers, and the future of their business, at risk,
according to a report by international software security group Kaspersky
Lab.

Kaspersky and Verizon’s 2013 Data Breach Investigations Report, which
includes data from global forensic probes, found that of the 621 data
breaches analysed, 193 occurred at companies with 100 or fewer staff.

Advances in technology across industries are yielding significant
opportunities for cyber criminals, says consulting firm KPMG.

Paul Orffer, a senior manager risk advisory at Deloitte, says company
behaviour needs to change as technology on its own cannot protect against
all forms of cyber-attacks. In fact, the security techniques companies
adopt need to be reviewed if they are to protect themselves more
effectively than in the past. "Social media has certainly contributed to
raising awareness around hacks and security loopholes, resulting in more
people being vigilant both in their personal lives and at work," he says.

One of the targeted sectors is financial services, where cyber crime has
become the second-most frequent type of economic crime being experienced by
companies in the sector, according to PwC.

Although financial institutions benefit from regulatory requirements and
industry regulations designed to safeguard customer data, small financial
service providers are hindered by limited budgets and lack of expertise
when protecting customers’ information, Kaspersky says.

These businesses are obvious targets for cyber criminals that seek to steal
the stored credit card information, credentials, and bank account details
of customers.

"For any growing company, successfully earning the account of a well-known
business is a milestone in its growth. For small financial service
providers, managing the taxes of a local grocery store or helping process
payrolls for local charities is a sign of growth, and many will list their
clients on their websites. But for cyber criminals, this can be an
opportunity to attack the smaller business as a way to gain access to the
larger clients," Kaspersky says.

The healthcare sector is also under threat and any security breach within
the sector could damage the trust patients have in their healthcare
practitioners.

Healthcare records have become increasingly digital and records can easily
make their way onto laptops and mobile devices such as smartphones and
tablets.

According to Kaspersky, a study released last year by the Ponemon Institute
revealed 94% of hospitals in the US had experienced at least one data
breach in the previous two years. But cyber criminals are not interested in
reports on patient blood pressure or medication, but after patient’s
personal details such as billing, says Kaspersky.

"The report found the information stolen largely consisted of patient
billing and insurance records. Identity theft, again for the purposes of
stealing money, was a common outcome," it says.

Despite popular belief, Mr Orffer says South African infrastructure is
often on a first-world level when it comes to cyber security. But as a
result of the booming mobile landscape, there is still a lack of security
awareness from a large number of end users.

"And while the country is not more of a target than anywhere else in the
world, this lack of awareness is seen to make citizens easy pickings. That
is not to say attacks could not come from inside Africa. The rise in
‘hacktivism’ sees countries and organisations being targeted for their
socioeconomic and political viewpoints."

Mr Orffer says most of the attacks on companies seem to be happening
"through social engineering on employees".

"This is where the greatest risk is for South Africa. The high proportion
of an ill-informed user base that is linked to global networks could see us
being used as a hop for attacks on other countries or companies," he says.

For small healthcare and financial service providers, Kaspersky recommends
using a limited number of mobile devices. While smartphones and tablets may
add some convenience and accessibility, they add many new layers of risk.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.