Cyber Attacks on Small Businesses on the Rise


More than ever before, cyber crooks are targeting small businesses, say law enforcement, members of Congress, and top cybersecurity experts. It’s not just the blue chip companies or governments that are under fire.

It’s now small mom-and-pop businesses of all stripes -- retail shops, leisure activity businesses, hotels, health clinics, even colleges -- that are getting hammered by cyber criminals. And it’s pushing many entrepreneurs to the verge of bankruptcy.

Small business cybersecurity is now a top priority of the House Committee on Small Business, which conducted hearings on the dangers of cyber-attacks on small businesses last week.

Cybersecurity firm Symantec now says that cyberthieves have been increasingly targeting small businesses over the last four years. Cyber hackers view small businesses as a soft, easy mark versus big blue chip companies which have ramped up their cyber firewalls, said Sian John, a chief strategist at Symantec.

“The owners, employees and customers of America’s 28 million small businesses need to have confidence that their data is secure,” said House Small Business Committee Chairman Steve Chabot (R-OH) in a statement. “I think it is fair to say that confidence has been shaken in recent years with the cyber-attacks on the IRS, the State Department, OPM [Office of Personnel Management], and even the White House. Between foreign hackers from countries like China and Russia and domestic identity thieves, the federal government has a target on its back that seems to get larger by the day.”

Almost half of cyber-attacks worldwide last year, 43%, were against small businesses with fewer than 250 workers, Symantec reports. The FBI reported last summer that more than 7,000 U.S. companies of all sizes were victims of cyber hacks via phishing email scams as of late 2013, the latest data available, with losses of more than $740 million.

The cyber crooks steal small business information to do things like rob bank accounts via wire transfers; steal customers’ personal identity information; file for fraudulent tax refunds; commit health insurance or Medicare fraud; or even steal intellectual property. The criminals can also hijack a small business’s website to cyberhack other small businesses. “There are probably 20 different ways a bad guy can get into a website” run by a small business, Scott Mann, CEO of Orlando-based Highforge Solutions, has said.

Over a two-year period through February 2016, about one in five small and midsize businesses reported they were hit by cyber-attacks on their computer networks, a survey of 233 small to midsize companies by CFO Magazine found, versus a little more than four out of ten finance executives at larger companies reporting cyber-attacks. Cyber criminals raked in an average of $32,000 from small business accounts, according to a December survey of owners by the National Small Business Association.

The World Economic Forum has listed cybercrimes as a top global risk, and warns that industrial-scale attacks are on the rise. An estimated 430 million new types of malware flooded the Internet last year, up nearly 40% versus the year prior. The Department of Justice’s Internet Crime Complaint Center recorded 269,422 cybersecurity related complaints in its 2014 report, an exponential increase of over 1500% from 2000.

Rep. Chabot said: “With all of the uncertainty facing small businesses in today’s world of e-commerce, it will take vigilance by all federal agencies and the watchful eye of this [Small Business] Committee to ensure the data of small businesses and individual Americans remains secure.”

Many small businesses have poor cybersecurity, lacking things like anti-phishing email measures, a chief cybersecurity officer, data encryption, or off-site backups of their websites. A survey commissioned by insurer Nationwide of 500 small businesses in late 2015 revealed that eight in 10 small businesses don’t have a basic cyber-attack response plan, even though a majority were hit by cyber crimes.

The cyber criminals are breaking into small businesses in a number of ways, law enforcement experts say. They include easy phishing attacks, where cyberthieves will blast realistic-looking spam emails to small business employees pretending to be Citigroup or Bank of America.

The fake emails fraudulently inform the workers that they need to update their Internet banking passwords, directing them to a phony website that then steals their banking, credit card, and personal identification information. Small businesses are also getting hit by ransomware, which shuts down their computer systems, locks up all of their files via encryption, and demands thousands of dollars in exchange for a return of the data.

A phishing scam slammed entrepreneur Rick Snow, who testified before Congress last week. Snow is the owner of Maine Indoor Karting, a go-kart racing business in Scarborough, Maine.

“When I started my business, I had the naïve expectation that I would be able to follow my passion and race go-karts with the help of my wife and a few close friends,” testified Snow. “Phishing can happen to anyone, phishing attacks are meant to scare you and make you act without thinking, given the right circumstances, anyone can be lured by them. I am certainly no exception.”

“I logged into our bank accounts, and to my utter horror, I found that my balance was zero,” explained Snow. “This was a pay day, and I was terrified that the paychecks that were issued that day would not clear. We were supporting a number of families, many of which live paycheck-to-paycheck and could not have made it without the paycheck we issued them that day. I was also very worried about our business’ reputation since a restaurant nearby had just bounced their paychecks and the company never recovered from the bad publicity they received from not making their payroll.”

Snow then asked the Small Business Committee: “If the federal government cannot protect its networks and data from cyber-attacks with almost unlimited resources at its disposal, how can we expect America’s small businesses to do so?”

Kevin Dunn, technical vice president for NCC Group Security Services, also testified that cyber-attacks on small businesses can lead to cyber hacks into government. Government agencies rely on numerous independent contractors and small businesses in their supply chains.

“If the small business is compromised by a targeted attacker, it could be used as a conduit for gaining access to government systems,” concluded Dunn, who said he has spent the last fifteen years conducting cybersecurity attacks against private companies and government organizations searching for cyber holes in their systems.

Rep. Chabot has also questioned IRS Commissioner John Koskinen about the steps the federal tax collector has been taking to improve cybersecurity after a breach exposed data from 700,000 accounts, many of which were small businesses.

The IRS had launched its Get Transcript application on its website in January 2014.

The app let taxpayers view and download their tax return transcripts or order previous years of tax filing information. But cyber criminals broke in and stole tax return information from what the IRS first believed were 225,000 accounts; that number has since more than tripled.

Rep. Chabot and Small Business Committee members also asked Small Business Administration (SBA) Administrator Maria Contreras-Sweet about cybersecurity vulnerabilities at her agency. A Government Accountability report revealed serious weaknesses even in the SBA’s own network systems.