As money and corporate information have morphed from hard currency and blueprints to digital files, small and midsized businesses have become the new banks to rob. In fact, bank robberies across the U.S. have plummeted from 9,400 in 1991 to just 3,870 last year. As Doug Johnson of the American Bankers Association puts it: "As more and more transactions become electronic, more bank crimes become electronic."
Look at it from the criminals' perspective: why risk getting arrested breaking into an engineering company or, worse, shot sticking up a bank when you can sit in an ergonomic office chair with an espresso on your desk and music in the background while plundering small companies thousands of miles away?
"Small and medium businesses are being targeted at an alarming rate," says Brian Burch, Symantec's vice president, Consumer & Small Business Segment Marketing. SMBs are easy targets primarily because "they don't believe they have the public visibility of bigger companies so they don't believe they are in the gun sights of the bad guys. As a result, SMBs do not put the needed effort into securing their businesses. Further, even if they want to, smaller companies tend not to have the funding, staff or knowledge needed to formalize let alone maintain more secure policies and procedures all combining to make them the path of least resistance . . . and the bad guys have discovered this."
The numbers bear out this alarming trend.
"It began in 2011, when attacks on companies with less than 250 employees shot to about 18% of all targeted attacks; then in 2012 the number jumped to 31%," says Burch, referring to statistics found in Symantec's latest Internet Security Threat Report.
According to Trend Micro, cybercriminals unleash a new threat targeting SMBs every second. And, according to the 2012 Data Breach Investigations Report by Verizon's RISK Team, 96% of companies subject to PCI DSS (for credit card processing security) had not achieved compliance. That's a lot of SMBs with merchant card accounts leaving their digital cash registers open.
Another attraction to cybercriminals is the sheer number of targets. In the U.S., there are about 23 million SMBs, 52% of which are home-based. And, even in this slow economy with weak new business start numbers, there are more than 500,000 new SMBs launched every month. Then add another 20 million in the E.U. and even more in Asia.
Furthermore, criminals increasingly look at SMBs as part of the supply chain of a larger company that they want to raid. By penetrating an SMB with an established communication path into the larger company, cybercriminals can often bypass much of the larger firm's more sophisticated security. The SMB, unknowingly, becomes a kind of Trojan horse.
In a frightening example from 2009, China purportedly wanted access to Lockheed Martin but could not breach the company's walls. However, by penetrating a smaller defense contractor, they were able to make their way in and steal blueprints for the joint strike fighter planes F-35 and F-22 worth more than $1 trillion.