There was an interesting article in the Wall Street Journal on July 21st, titled “Hackers Shift Attacks to Small Firms.” It seems that you cannot read a newspaper without seeing an article about a “hacking” attack. With all the press on hacker groups like Anonymous and LulzSec, and on attacks against large organizations such as Sony, Booz Allen, and the CIA, it is easy to forget that anybody can be a target. I think it is a common misconception among small businesses that they are not large enough to draw the attention of cyber criminals. However, as the article details, this is not the case. Attacks against businesses with fewer than 100 employees have doubled since 2009.
The primary example in the article concerns PCI: a small business that had credit card information stolen. Simple security mistakes were made, such as having a weak password and remote access to the point-of-sale (POS) system. This is something that SeNet sees on a regular basis when performing vulnerability assessments and PCI compliance work. Even large organizations with dedicated security staff have these problems, so it is no surprise that small businesses with limited resources have them too.
Often, cost is given as the reason small businesses do not implement good security. But, as seen in the article, the cost to mitigate an intrusion after the fact can be higher than the cost of doing the right thing in the first place.