Don't Invite Trouble into the Office

A recent survey shows small businesses are more at risk from hackers than ever before.

Symantec (SYMC), the Mountain View, Calif. computer security company, which each year takes a look back at the level of attacks in the previous year, found in 2009 the number of virus definitions written increased 71% from 2008. Even more alarming, statistics show each year the number of attacks continues to increase -- despite more and more efforts to prevent them.

“The headlines tend to focus on the large corporations that have had a break in but the amount of money being taken from small businesses is extremely significant,” said Kevin Haley, director in Symantec’s Security Response unit. Tools are readily available specifically targeted at small businesses, he said.

According to Haley, there is an underground marketplace unbeknownst to many whereby people sell virus-programs made specifically to attack small businesses. The toolkits, which can be used by novices, attempt to capture login and passwords to gather banking information or take over a computer to send spam or steal e-mail addresses.

“Someone with very limited skills can buy this kit and it does most of the work for them,” said Haley.

For a small business it can be devastating, especially if a hacker gets a hold of an online banking password and cleans out an account. In the third quarter of 2009, the FDIC reported that over $120 million was lost due to online banking fraud. While a major corporation could recover from that, a small business could go under as a result.

On top of worries about losing all the money in the bank account, there’s also the real concern about a company’s reputation getting ruined thanks to a computer attack. If a small business’ e-mail address or social-network Web site is turned into a bot to send spam or results in malware being downloaded on a visitor’s computer, it is very bad for business.

“If you’re trying to establish a social networking presence and people go to your Facebook account and get spam or malware downloaded, they won’t go anymore,” said Haley.

While attacks in the past would go after a computer, these days the attacks target the person, whether it’s through a phishing e-mail or a trick to get you to click on a link or download an application.

“Most attacks are going through Web browsers,” said Haley, noting that while many small businesses are patching their operating system they aren’t patching holes in the Web browser.

So what is a small business owner to do about all these threats? According to Haley, in addition to keeping up to date with patches for browsers and the OS, companies should have a good security software program.

“Having no security is inviting big trouble,” said Haley.

Based on a survey Symantec conducted of 1,500 small businesses this past September, it found that 33% of small businesses didn’t have antivirus protection. What’s more, 65% do store customer data, 43% store financial records, 33% store credit card information and 20% have intellectual property and other sensitive corporate content online. And while 75% of survey respondents said they use the Internet to communicate with customers only 6% fear the loss of customer data.

If the small business has a social network the number of people that have the password to it should be limited, according to Symantec. Same goes for online banking. The login and password shouldn’t be shared with the entire office. To keep the password from falling into nefarious hands, it doesn’t hurt to use a password manager, which lets you store encrypted passwords on your machine.

At the end of the day the best protection for a small business is knowledge.  According to Symantec, being aware of the risks and the safeguards available are the first lines of defense. The entire company has to understand security issues and act in a way to minimize the risks. Creating and enforcing polices that identity and restrict applications that can make a business vulnerable could go a long way in fending off attacks.