The landscape
This year’s Internet Security Threat Report is sobering reading for SMBs. Last year, targeted attacks on small companies (fewer than 2,500 employees) went up 50%. Yes, it's true: criminals realized that money stolen from an SMB would spend just as nicely as money pulled from a large corporation, and was much easier to acquire. Smaller companies have income in the bank, employee and customer data, and sometimes very valuable intellectual property that they're hoping to make a lot of money with. Yet with all these assets, surveys last year showed that the majority of smaller business owners think they're too small to be targeted by evildoers.
A secondary problem for SMBs involves the larger enterprises they want to do business with. When an SMB's security is inadequate, its vulnerabilities can be points of entry into larger organizations. A sophisticated cyber-criminal may choose to target an enterprise’s subsidiaries, partners, or vendors to find inroads into its environment. Compromised SMB websites can also become 'watering holes', or lures for phishing or cyber-espionage. Mitigating these risks may create an inevitable march toward more regulations, especially for organizations that wish to do business with any state or government agency.
53% of websites scanned by Symantec in 2012 showed vulnerabilities. The most common vulnerability found was related to cross-site scripting. Many small businesses do not have a dedicated or experienced security force in their IT arsenal. Even in large businesses, a web page or database can remain compromised for years without the compromise being discovered internally, or without anyone knowing how to properly harden it. Trojans are being inserted into point-of-sale systems and left undetected while data flows out into the wrong hands. Some lie dormant for weeks or months until activated.
A lack of security-specific training in an SMB IT department can also create an environment in which scareware or ransomware tactics succeed. A small business can spend money on the wrong things, fixing the wrong problems, and by doing so create more problems by trusting the wrong advisors.