The Smaller They Are …

In the world of 21st century cyber warfare, there is a perception that the smaller you are, the less likely you are to grab the attention of cyber thieves and spies.  After all, there are plenty of big, juicy targets out there just waiting to be plundered like a Spanish galleon. Why waste time snatching digital purses?

The truth is sadly far from the common-sense assumptions.  Small businesses are in fact ripe targets for cyberattack, and indeed have been under siege for some time, whether they realize it or not.  Companies have to come to grips with this because a cyberattack on a small company can result in the loss of very valuable information, and also be used to gain access to larger companies.  In other words, the smaller they are, the harder the cyber loss. 

Cyber Attacks On Small Businesses Are On The Rise

There is fairly consistent agreement that attacks on small businesses are common and increasing.  For instance, Verizon (NYSE:VZ) estimated that 70%-plus of data breaches occurring in 2012 were suffered by companies of 100 employees or fewer.  The National Small Business Association surveyed a large number of small businesses and found that nearly half had suffered some form of cyberattack.  Cybersecurity vendor Symantec found that attacks on small businesses had the highest growth rate of all types of attacks.

Mobile and Cloud Threats

How are these attacks conducted?  Dr. Phyllis Schneck, then the Chief Technology Officer for McAfee (and current Deputy Under Secretary for Cybersecurity and Communications at the Department of Homeland Security) outlined two of the most popular attack vectors for small businesses.  First was exploitation of mobile malware.  Mobile malware (malware directed at mobile devices like smartphones or tablets) is dramatically rising, according to Dr. Schneck.  She noted that of all mobile malware catalogued at the end of 2012, 95% of it had been detected in the last 12 months.  Examples of malware being used to attack small businesses included malware spread through near-field communications (tap to pay systems), and applications designed to take control of a victim’s phone.  These types of attacks are particularly challenging for small businesses as they tend to allow employees to “bring their own device”, making it nearly impossible for them secure the wide variety of devices with access to their network.

Dr. Schneck also noted that movement to the “cloud” posed significant threats for businesses.  Dr. Schneck reminded us that movement to the cloud can help small businesses by reducing costs, but at the same time cyber criminals knew about this trend and as a result, increased attacks on cloud providers.   This is putting smaller company’s data at risk, forcing them to spend additional funds on cyber forensic and security remediation costs.

The Consequences Of Insecure Small Businesses

So what is the real impact of attacks on small businesses?  While the economic impact on small businesses is important, there are far more serious consequences to worry about.  Indeed, the integrity of our national security establishment is at risk when small businesses are insecure.

These worries are best highlighted by the “Operation Beebus” campaign recently highlighted by cybersecurity vendor FireEye, Inc.  FireEye uncovered a massive “advanced persistent threat” campaign targeting companies in the aerospace and defense industries. The campaign used both “email” and “drive-by downloads” as a means of infecting end users.  The attacker (in this case alleged to be originating out of China) used attachment names of documents/white papers released by well-known companies to unleash malicious email attachment exploits common vulnerabilities in PDF and DOC files.

Examining available data, FireEye determined that the Beebus campaign had been targeting companies in the aerospace and defense industries, including companies involved in the manufacturing of drones.  The attacks were characterized by the retooling of malware to defeat new security measures put in place, leading to a cyber cat-and-mouse game.  Ultimately, as documented by the New York Times, FireEye and others realized that the attackers were seeking out information related to unmanned aerial vehicles, and were just as interested in data from small companies as large ones (thanks to the fact that they could piece together useful information from the small companies).  When all was said and done with the attacks, the Chinese were able to gather enough information to make rapid breakthroughs in their indigenous drone programs.  In other words, by attacking the smaller companies, they were able to achieve massive breakthroughs in military technology.

Where Do We Go Now?

Clearly, the cybersecurity threat facing small businesses is not one that can be written off.  It has already materially harmed our national security.  But what can or should we do?  Recognizing that successful attacks will continue to occur against both big and small companies, Dr. Schneck noted that small business could better protect themselves by investing in simple measures like paying attention to who they use as a cloud service provider.  Small businesses also can more tightly control their own information technology infrastructure, limiting what devices can be brought on to the network.  Large businesses that partner with small businesses have some responsibilities here too – they should look to do business with better secured small businesses and, where possible, assist them with cybersecurity measures.

Still, the main point here is that no business is too small to be hacked.  Our enemies know that small companies have just as much valuable information as the big vendors, and thus they too are on the hit list.  Ignoring the cybersecurity posture of small businesses is the 21st century equivalent of not bothering to check whether the side and back doors are locked --- criminals will find that exploit, get in, and get what they want.  That’s not a risk we can take.

Brian Finch (@brianefinch) is a partner at Dickstein Shapiro LLP and represents FireEye and McAfee.