Oh, what a year it was for insecurity, and especially for the small business. It wasn’t as though we didn’t already know – that small businesses were firmly in the crosshairs of hackers. But early in the year Verizon put the final stamp on it. In its annual Data Breach Investigations Report, published at the beginning of 2013, Verizon revealed that businesses with fewer than 100 employees made up the single largest group of victims of data breaches. That conclusion was supported by other security studies around the same time that found small businesses suffered the most cyber attacks.
Perhaps the single biggest and most dangerous change in threats came in the world of malware delivery. For years, hackers and malware authors had used the same ways to deliver and spread their malware. Email and spam were by far the most popular. It was easy to buy hundreds of millions of email addresses, pack them with phishing messages, and attach a nasty malware payload.
And even if most users didn’t fall for the scam, even a small percentage of hundreds of millions was enough to make the attacks very lucrative for criminals. But as more users got the message, and began to grow more reluctant to open email attachments they weren’t expecting, many thought the malware industry was on its last legs. After all, how else could you get the goods to market?
So hackers had to choose a new way to deliver and spread malware. And they found it in small business websites. Every month, thousands of poorly protected websites are hijacked by hackers who use vulnerabilities in these sites to install malware. That malware is then spread to visitors to those websites, as well as attack other websites, and so continue the spread of malware.
And if you think that simply relying on antivirus software will get you through safely, there’s some more bad news. Some reports have suggested that today’s antivirus software can detect very few of the most dangerous types of malware – the stuff you really want to avoid. And the New York Times can testify to that. Early in 2013, Chinese hackers were easily able to breach the extensive defenses the Times had in place. Out of 45 different types of malware the Chinese used to attack the newspaper, the Times’ own security and virus protection detected only one.
But Chinese hackers weren’t just targeting big businesses like the New York Times. In September, the Huffington Post reported that Chinese hackers were actively targeting small businesses in the U.S., from pizza restaurants to medical clinics.
According to the Huffington Post, “The hackers find computer systems to take over by using tools that scan the web for Internet-connected PCs with software vulnerabilities they can exploit. Small businesses are popular targets because they often have lax security.”
And the year didn’t end too well either. When security researchers discovered more than 2 million stolen passwords on a hacker server in December, a piece of malware called a keylogger was suspected. That very same week, other security researchers found that out of 44 popular antivirus products tested, only one was able to detect a keylogger.
Which probably explains why an estimated $5 billion was siphoned from U.S. bank accounts in 2012 by cybercrooks using malware like keyloggers. And if any of those were business accounts, the business owners were probably on the hook for all the losses.
So safe to say (no pun intended) that 2013 was not a good year for business security, and especially for small business security. And we don’t predict much improvement over the next twelve months. It’s now clear that small businesses are the favorite target for the worst kinds of hackers. Whether it’s to steal your personal and customer information, break into your bank account, or use your website to host a variety of very dangerous malware, your small business may be getting all the wrong attention from all the wrong visitors.
So let’s make 2014 the year you take back your security and peace of mind. Security isn’t hard, no matter how sophisticated hackers and their tools have become. There are plenty of ways you can protect your business and your website, and make it just hard enough for hackers to decide that you’re just not worth the effort and that they should move on to small businesses that are doing little about security. It’s like locking your car and closing the windows while being parked next to a convertible with the top down. The easy target gets attacked first, and you’re at least lower on the radar by showing your security awareness.
If you make just one security choice this year, make it your website. Securing your website is simple and affordable, and yet it’s the single best way to protect your business, your customers, and any visitors to your site. And you’ll also help slow the spread of malware to other users and sites, which is one in the eye for the bad guys.
And remember that as a SiteLock customer you get more than prevention. SiteLock will work with you to address any website security issues that crop up, including malware removal, if any is detected on your site. And as always, our security advice – the best in the business – is always free, and we are here around the clock whenever you need support.
If you’re a frequent reader of this blog, then you’ll know that our expertise and advice goes far beyond just protecting your website. All good security has to be holistic, which is why we offer no-nonsense advice on a variety of security topics that can impact your business, from security policies and planning, to employee education, malware prevention, data privacy and security, and much more.
Our goal for 2014 is to be the best security partner for online businesses. We hope that, even if SiteLock is not your chosen security provider, website security is on your list of goals for 2014 as well. To get started on meeting this goal call SiteLock at 855.378.6200.