Two recent studies, one from software giant Symantec Corp. and the other from the Small Business Technology Institute, suggest the nation's small businesses are more vulnerable to cyberattacks than at any time in the past. The accelerating adoption of networking and mobile computing, a cyber class of criminals who no longer need to be tech savvy to steal computer data and -- watch out for the sales pitch -- underinvestment in security solutions by small businesses are putting this important economic sector and its customers at risk.
The findings were presented to the U.S. House Small Business Subcommittee on Regulatory Reform and Oversight at a public hearing last month.
Symantec's semiannual Internet Security Threat Report found that small businesses have consistently been near the top of targeted groups for cyberattacks during the past year, and the nature of the attacks is changing. While past attacks were designed to destroy data, today's cyberattacks are all about stealing data.
"Cybercrime is the dominating security threat we're seeing today," said Vincent Weafer, director of Symantec Security Response. "Today, we're talking more about criminals who don't want to make a lot of noise but simply get inside and steal your assets."
This represents a shift from the late 1990s, said Weafer, when the threat landscape was shaped largely by virus pandemics. Such attacks were launched to be noticed and more political in nature, the aim being to show that security at name-brand institutions was weak. From 2004 to 2005, the number of pandemic viruses dwindled from 37 to five, according to Symantec. Even among the top viruses, 80% were about stealing confidential information.
In addition the ranks of cyberoutlaws are widening. Unlike the vandals of previous years, today's criminals don't necessarily know or care about the technology. The Internet allows cybercriminals to click and download the malicious code they need to launch their attacks. In addition, said Weafer, data mining tools allow this new breed of criminals to expand their territory and pool of potential victims.
"We're seeing cybercriminals go after smaller companies, compared to large brands, even more so than a year ago," Weafer said. "You see phishing attacks on small and regional banks, credits unions, companies you wouldn't think overseas groups would understand. Now they have the means."
Small businesses are acutely aware of the threat but are ill-prepared to deal with it, according to data from the San Jose, Calif.-based Small Business Technology Institute. The organization's 2005 survey of more than 1,000 businesses with up to 100 employees found that while more than 70% consider information security a very high priority, only 30% increased spending on information security software during the past year. Less than half (41%) of those surveyed allocate a specific budget for security solutions. A significant percentage lack sufficient controls for even basic systems, such as e-mail (18% are unsecured). Wireless networks are especially vulnerable: 60% are not secured. A majority of small businesses (56%) experienced at least one security incident in the past year, citing computer viruses, spyware and other malware as the main cause.
Natalie Lambert, a security analyst at Cambridge, Mass.-based Forrester Research Inc., agreed cybercrime is all about stealth attacks and the circle of victims is widening. The slowdown in major viruses may be giving small businesses a false sense of security. "When a small company's confidential information is stolen, it's not going to make headline news," she said.
The research firm's market survey in September of nearly 800 IT decision makers at U.S. small and midsized businesses (SMBs) found that upgrading security came in third or fourth behind this group's No. 1 spending priority in 2005 -- replacing or upgrading personal computers or laptops. That contrasted with large companies, where upgrading security was the top priority for 2005 -- nearly two-thirds of the 1,400 polled expected to increase spending security in 2005 over 2004.
SMBs, however, are spending on security. Overall, 71% of U.S. SMBs planned to buy software security in 2005, with utilities, telecommunication firms and manufacturers the biggest spenders. Fifty-nine percent of the respondents said they planned to buy network firewalls, 57% planned to buy antispyware software and 45% planned to buy host antivirus software. Only 21% of SMBs said they were buying host-based intrusion prevention systems, and only 13% will buy patch management -- key technologies used to prevent viruses and worms.
Interestingly, Symantec dominates the SMB security software market, with 66% naming Symantec as their preferred vendor in the Forrester survey. More than one-third of SMBs also consider McAfee for security software. Forrester also found that SMBs listed security assessment as one of the top three consulting services they planned to buy last year.
This article originally appeared on SearchSMB.com.
Let us know what you think about the story; e-mail: Linda Tucci, Senior News Writer