News coverage on Internet security breaches is dominated by large companies and government, but SMBs are a favourite target for cybercriminals, according to Symantec.
The report suggested that hackers and cybercriminals do target SMBs as they tend to have more money in the bank than an end-user, and fewer cyber defenses than a larger company.
“Many SMBs throughout the GCC still haven’t recognized the tremendous impact a disaster such as hacking can have on their businesses. Despite warnings, it seems like many still think it can’t happen to them,” Prajit Arakkal, Director of Distribution Channel Sales for Symantec, explained.
The issue of SMBs being at risk is of particular concern in a market like the UAE where, according to the Planning and Economy Department in Abu Dhabi, SMBs constitute 94 percent of total projects in the UAE, while Symantec’s Internet Security Threat Report XVI also reported that the UAE ranked No. 36 in the world for malicious activity in 2010. The country has climbed four places from No. 40 in 2009.
Symantec’s recent 2011 SMB Disaster Preparedness Survey found that although SMBs are at risk, they are still not making disaster preparedness a priority until they experience a disaster or data loss. The findings show that many SMBs do not understand the importance of disaster preparedness. Half of the respondents do not have a plan in place and 41 percent said that it never occurred to them to put together a plan. The remaining respondents stated that disaster preparedness is not a priority for them.
SMBs may consider themselves a small target, but to cybercriminals any company that is vulnerable is worth attacking. Similarly, senior executives are not the only employees being targeted. In most cases, a successful compromise only requires victimizing a user with access to even just limited network or administrative resources. A single negligent user or unpatched computer is enough to give attackers a beachhead into an organization from which to mount additional attacks on the business from within, often using the credentials of the compromised user.
Attackers can construct plausible deceptions using publicly available information from company websites, social networks, and other sources. Malicious files or links to malicious websites can then be attached to or embedded in email messages directed at certain employees using information gathered through this research to make them seem legitimate. This tactic is commonly called spear phishing.
Businesses also have employees using smartphones and tablets to access corporate data but have not yet implemented security policies for these devices. The most serious current risk is that users will download applications – such as the ever-popular social networking sites – that may include malicious code, giving hackers access to user information or even control over the device. As mobile devices continue to become more critical to business in the coming years, Symantec anticipates a sharp increase in destructive software developed specifically for these devices.
“Hackers are already taking note of this opportunity to exploit a new market, with Symantec’s latest Internet Security Threat Report XVI reporting that the number of vulnerabilities for mobile devices rose by 42 percent in 2010. Employees who download applications are providing cybercriminals with the ideal opportunity to use such sites and infect the individual’s device with malware. The viral nature of these social networking services means that the right messages can be spread for little expense,” Arakkal added.