SMB Extra recently asked Warren Shiau, lead analyst, IT research at the Toronto office of The Strategic Counsel, how hacking has evolved, which security threats are most severe, and what organizations are doing to fight back.

SMB Extra: Do today’s small and medium-sized businesses have more security threats to worry about today or simply more serious ones?

Warren Shiau: The attackers are getting better all the time. All the data shows that more attacks are being launched and the sophistication of the attacks is by necessity better because defences are better. There are usually about 5 per cent or 10 per cent increases in reported attacks every year.

On the flipside of that, we find that for the most part the implementation of things like antivirus solutions has been increasing as well. Antivirus package use for SMBs these days is well above 80 per cent. Now, granted, a lot of that has to do with antivirus software shipping out of the box more, but we also have higher numbers of businesses using more than one antivirus package, which indicates an awareness of the threat and a desire to try to counteract it.

SMBE: Why is the threat greater today?

WS: The surface area that we expose to attack as a business is increasing because we’re all doing more business online and exposing more data online. But while the number of attacks and their sophistication are increasing, people generally say their software is catching more [threats] year after year. The last piece of that puzzle is that people say, ‘All this is happening, but in terms of suffering from the attacks, as each year goes by we suffer less in terms of lost productivity.’

SMBE: Have hackers’ motivations changed?

WS: I think we have to divide the hacker population up into different segments. The pure hacker, the guy who just hacks for the hell of hacking, is never going to change. Like a pure open source advocate, they do things for religious reasons. There’s a fervour attached to it, and their motivation is purely that. That’s a small but important group.

One really big change in hacking, or malware, is that there’s a lot of organized criminal activity behind it now. A lot of criminal activity before was done by individual criminals or relatively small groups of criminals. Now it’s very sophisticated and it’s essentially an arm of organized crime. You have big crime syndicates setting up large operations. Those fake emails saying your Citibank account needs updating – they look really professional too – for the most part the people behind those spoofs are part of organized crime.

SMBE: Are there fewer denial of service attacks today or are they just being reported less?

WS: Everyone’s reporting that denial of service attacks have, at worst, remained steady, and in better cases, declined as a percentage of the kind of attack being suffered. They’re still happening now, but the thing that really makes headlines now is data theft or data loss.

And if you’re a big company or organization that’s a scary one because the media picks up on that immediately. The University of Ohio had servers they thought they took off-line and it was two or three years later that they discovered they never did, and they had been hacked into almost immediately.

SMBE: What is the most common security-related mistake SMBs make?

WS: Right now probably the biggest risk for an SMB is data loss. For the most part, large enterprises are implementing policies to try to prevent that. In a small business, let’s say you’re 20 or 30 people, they tend to be more family-like environments. You trust the people you’re working with. So how many small businesses have a policy that says things like: ‘You can only use certain types of devices,’ or ‘Our PCs will lock down if they detect someone plugging a USB drive into them’?

This is one area where SMBs, relative to enterprises, are lacking. It’s not as if they will be unaware of data theft. Like everybody else, they’re reading the big stories. It’s more that they think ‘This is not a security risk for me because I know the people that I work with.’ There has got to be a formalized implementation of a policy around this.
