Small businesses worried about their IT need to find better ways to guard their data – especially as they present easy, unsecured targets, with hackers levelling their sights at them.
Contrary to what small to mid-sized businesses (SMBs) often believe, hackers frequently go for them because they’re low-hanging fruit, said Christopher Pogue, director of SpiderLabs at Trustwave Holdings, an information security company based in Chicago.
And because many Canadians feel they’re not a target for hackers, unlike the U.S., our more high-profile neighbour to the south, Canadian SMBs just aren’t doing their due diligence when it comes to protecting their data, he said.
“There’s this naïve belief that it’s not going to happen to me… that we’re Canadians, we’re not targets. Yeah, you are,” said Pogue in an interview at SecTor 2013, a security conference held in downtown Toronto on Oct. 8.
“That’s the cost of doing business in the cyber age. Everyone has locks on their doors, and everyone has cash registers that can’t readily be opened. That was the cost of doing business to combat the criminal element 10 years ago,” he added.
“Now, a guy coming in the front door with a shotgun to take your cash out of the cash register, who cares. A criminal can siphon data off your servers for seven months before he’s caught.”
In its 2013 Global Security report, Trustwave found the number of data breaches in Canada shot up 58 per cent this year compared with 2012. However, that figure counts only reported breaches, said Pogue; it does not account for businesses that did not report incidents, or for businesses that are still completely unaware they were attacked.
And because SMBs typically don’t have the resources or employees to dedicate to security, especially if they’re not in tech, they’re more likely to be vulnerable. During a controlled penetration test, one of his team members rifled through a poorly secured Web site and came away with 300 credit card numbers in about 15 minutes, Pogue said.
Still, there are ways for SMBs to protect themselves, he said. One way is to put up a firewall, something many SMBs don’t seem to do.
“You say firewall and people’s eyes glaze over,” he said, adding that setting up a firewall can take just an hour and $500 if an SMB wants to hire a third party to configure it for them. SMBs can even do it themselves, just by following a manual and looking up instructions online.
It’s also important for SMBs to disable open remote access to their networks. Some SMBs leave it open as a default setting, which can be very dangerous. And then of course, practicing basic password hygiene is key, Pogue said.
For SMBs that don’t want to manage their own IT services, or don’t know how, Trustwave also has offerings aimed at them. For retail, it has bundles ensuring stores’ point-of-sale (POS) terminals are PCI compliant, said Brent Davidson, Trustwave’s vice-president of sales in Canada.
Alternatively, they can always buy some of Trustwave’s security products and then implement them on their own, he added.
Pogue’s team also runs pre-breach checks, helping small businesses check for vulnerabilities and possible gaps in their systems. However, most SMBs opt for the post-breach responses, where his team will look into an incident and find out why it happened, developing a report and recommendations to improve that SMB’s security.
Pricing for Trustwave’s managed services depends on the package chosen, as well as an organization’s specific needs, but the basic Trustkeeper service is about $250 a year, said Davidson. The service includes checking that an SMB’s point-of-sale system is PCI compliant, and it comes with external vulnerability scanning.