IT Security for Small Businesses – Are You Listening?

Hacking of the IT resources of small and medium businesses is on the increase. The age-old excuse of ‘We have nothing worth hacking’ is no longer valid, although this doesn’t always register with SMBs. Hackers see small businesses as targets of interest for several reasons. Firstly, SMBs are vulnerable. Their security is weak, because of limited budgets and technical staff resources. Secondly, even if they don’t have funds to be stolen (although most SMBs do – anything from a few hundred to a few hundred thousand dollars), they have other riches: customer names, contact details and other data. And thirdly, perhaps the most pernicious: SMBs make good cover for hackers who in reality want to attack other, larger targets.

SMB hacker horror stories abound. For instance, hacking into computerized cash registers or stealing online banking details allows hackers to transfer funds out of the country and out of range of law enforcement. Criminals will also substitute the portable, wireless credit card machines so common in shops with their own versions. The fakes look and act exactly like the originals, with one important difference: they send customer credit card details to the hackers at the same time as transmitting them to the credit card company for normal processing. Credit card companies spotting the trend may then ban the shop or the business from accepting any further credit card payments.

What’s the answer? SMBs typically don’t have expandable budgets for IT security, either for buying more protection or hiring more expertise. They need to accommodate customers who want to pay by credit card. They also need to maintain their good standing as suppliers to larger companies, which in turn are often the real target of hackers, who reach them by first hacking into the smaller company. However, common sense, IT security awareness and good processes can go a long way towards improving the situation. Always using ‘strong’ passwords, never sharing passwords (including inside the company) and never leaving information accessible to any unauthorised third party are the basics – for those who want to listen!