zentilia - Fotolia
IT service providers may have the skills and resources required for protecting their customers' networks, but many of their small and medium-sized customers may be reluctant to purchase many of those security services. Given their size and resources, small and medium-sized businesses (SMBs) might not regard themselves as the potential target of cybercrime. According to Page Moon, CIO of Alexandria, Va.-based Focus Data Solutions, they are cybercrime targets, and service providers can make a more compelling case for upping their SMB clients' security strategies and changing common misperceptions many SMBs have about cyberthreats.
At this month's IT Nation 2014 event held by ConnectWise in Orlando, Fla., Moon led an educational session, titled "Cybercrime & Small Business," which aimed to help service providers make the case for strong security protection when speaking to their SMB customers. In the session, he provided tips, as well as information for service providers to drive security discussions with clients.
Page MoonCIO of Focus Data Solutions
First of all, how does a service provider convince an SMB that threat prevention should be a top concern? "We all know about credit card theft at Target and Best Buy, and all of the big organizations that are getting caught basically with their [or their customers'] bank accounts open. … We know about all those, and our clients do, too. But what they don't know is that these same [criminals], these same organizations, are looking at their numbers every day and trying to figure out a way to get in," Moon said. He cited a 2013 Verizon study as evidence: Of the 855 data breaches the study examined, 71% were in companies with fewer than 100 employees.
In many cases, however, it is not so much what's on a client's network a hacker will care about. Hackers can use an SMB's network for other purposes, he said. "The hackers are looking at that network as another means, as another jump-off point, to go out and get some other networks. They want to turn your network into basically a botnet."
Small businesses will often find this security vulnerability hard to believe, Moon said. He said some of Focus Data Solutions' SMB clients get pinged from China 10,000 times a day. "When you say that to them, they go, 'Really? We're only a five-[person] intellectual property law firm. Why would anyone care about our network?'"
Types of cyberthreats
To make the vast range of cybercrime easier to understand for clients, Moon offered three broad categories of threats: non-technical threats, electronically direct threats, and undirected probes. All cybercrimes can fall under these three categories, he said.
According to Moon, the non-technical attacks include the "grab-and-go people out there who are after [a client's] laptops or [a client's] servers for the hardware." The attack might involve physically breaking into an office to take the hardware, and, in many instances, the motive behind the thefts is simply to sell the hardware for cash. But while these attacks may be unsophisticated, the damage could cost the SMB thousands of dollars to recover from -- typically $23,000 an incident, according to an HP study. That $23,000 number, although it may seem surprisingly large, factors in the equipment costs, the loss of data, the time to recover, the replacement costs and more, he said. "Your clients don't necessarily know that. They don't have any concept of what happens when a laptop walks out of their office."
Electronically directed attacks, the second category of cybercrimes, are perpetrated by individual hackers or hacker organizations looking to directly access a business' network. "They know who you are, they know what you have, and they want to find a way to get in," he said.
One of the ways these hackers will find a way into an SMB network is through the use of social engineering, Moon said. He encouraged IT services companies to educate SMB security services customers about social engineering, as many SMBs believe it is only their back-end operations that house any security vulnerabilities. "What we need to do is improve their understanding of that vulnerability [in the front of the house]," he said. An example of social engineering is a company receiving a suspicious call from a person asking for passwords. These types of calls are a common occurrence, he said. "I think this is an opportunity to teach our clients about how to be aware of [social engineering], how to look for the signs. Someone calls your office and says, 'Hey, I'm really behind. Your boss just told me I had to work on the server. I don't want to bother him again. I wrote it down, but then I lost the piece of paper. Give me the password.' And [that caller has] that individual feeling compelled to help them. And you give away your secrets."
Moon cited a statistic from a Check Point study that might help make the case: "Social engineering costs victims on average $25,000 to $100,000 per security incident."
He shared an anecdote that illustrates the cautious mindset necessary for guarding against potential social engineering ploys. The anecdote also illustrates how even IT security professionals could fall prey. "I drove into our [company's] parking lot. I parked my car. I'm usually the first one to the office. I was the first one there. I looked down on the tarmac next to my car, and there was a USB thumbdrive there with our logo on it. … And the first thing that went through my mind was, 'This has got to be one of my employees! I need to find out whose this is!' So, I thought, 'Wait. I'll just go right up and throw it on my laptop and figure out whose it is.'" Here, discovering what appeared to be simply an employee's lost thumbdrive, Moon suggested it could easily have been planted intentionally, a trick to get the device inside the company's office.
Then there are the undirected probes, the third category of security threats, which Moon said are in some ways "much more concerning" than the non-technical and electronically directed threats. "[Undirected probes are] essentially a war dial of the Internet," he said, where attacks are looking for a way into anyone's network. Undirected probes can include spam, malware and scamware.
Moon pointed out that many studies are available online to help support a case for bolstering SMB security. Customers may not think they can afford the protection, but research can show them that the cost of recovering from the damage done by a security breach can be significantly more expensive.
"We're in the business of [securing our customers'] data. It's critical that we have this communication with them," he said. "If it turns out to be financially beneficial to your organization, [then that's] great. But in good will, I think this is a wonderful opportunity for you to have a dialogue."
Learn how SMB technology priorities have changed
Survey provides insight into customers' firewall-purchasing decisions