When you hear the term corporate espionage, you probably think of companies like Microsoft, GM, Lockheed Martin Corp and Google having their intellectual property stolen. However, small businesses are more vulnerable because their weaker security levels allow hackers to use them as gateways into large corporations.
At TopPatch, a cyber-security company, we see many different kinds of attacks taking place across the globe. Over the years, our intelligence team has spotted an emerging trend among cyber criminals. Hackers are using the trusted partner status that small businesses have with larger corporations to facilitate security breaches.
Most small businesses don’t have the resources and security expertise to protect their computing infrastructure the way larger corporations do. Small business owners are focused on delivering the highest quality product or service to their customers, with very little consideration for security, while large corporations have entire teams devoted solely to protecting their computer networks. Cyber criminals know this, which is why they use small businesses to penetrate the bigger giants.
Like any organised criminal enterprise, cyber criminals want the highest possible financial return on the effort they invest. If it takes days to penetrate a sophisticated corporate network and only minutes to penetrate a small business, they will pursue the path of least resistance. Once the small business network has been compromised, they can use that company’s trusted partner relationship with a large corporation to launch an attack or conduct corporate espionage activities.
Criminal hacking works in many ways, but one of the more popular methods involves using hundreds of computers to form a cyber-army that can be controlled from one location to launch a cyber-attack. This is called an illegal botnet. If one hacker can penetrate 10 small businesses with only 10 computers each, suddenly he can have 100 computers working at once, trying to exploit weaknesses in multiple corporate networks.
Another way cyber-criminals use small businesses for corporate espionage is by exploiting vulnerabilities through the document and e-mail exchanges between small businesses and large corporations.
Large companies often farm out their work to smaller businesses. If hackers can gain control of those e-mails, they can send files with hidden malware. Commonly available exploit kits such as Black Hole or Phoenix can be used to infect documents, or a trusted e-mail exchange can be used to embed a link that triggers a targeted spear-phishing attack. The end result is back door access into the large company’s network, which then opens the door to other, more direct and sophisticated attacks.
A corporate employee will likely not open an attachment, or click on a link, sent by someone he or she doesn’t know. But he or she will certainly open an attachment from a person at a small business partner he or she is working with.
So what can small business owners do to protect themselves?
Businesses need to remember to “ARM” themselves. ARM is an acronym that stands for Assess, Remediate and Monitor. Assess which free tools from reputable vendors can scan and protect your company’s computers. Then, Remediate the problems the scanning tool discovers. This means patching security holes or seeking expert advice on critical vulnerabilities. Finally, continue to Monitor logs for any irregular activity. If you discover any suspicious activity, address it quickly. The sooner a breach is reported, the higher the chance of avoiding reputational damage or financial loss.
The key to preventing security breaches is being proactive. Many security products, including our RemediationVault, are priced for the small business owner for as little as $19 per computer per month.
A recent cyber security analysis discovered that small and medium sized businesses lose an average of $188,242 when a security breach happens, so don’t assume this will happen to someone else. That same Symantec/NCSA report showed that these cyber-attacks forced roughly two-thirds of these small companies out of business within six months. Probably most disturbing is that roughly 80% of the cyber-crimes were completely preventable.
Corporate espionage is not going away. It might take a break from the news cycle, but the cyber security industry will continue to see small and medium sized businesses used as a vehicle to penetrate larger corporations. So the next time you hear about a corporation or media outlet being hacked, take the time to ARM yourself.
About Chiranjeev Bordoloi
Chiranjeev Bordoloi is the CEO of TopPatch and has more than 20 years of experience consulting large and small businesses on the security of their computer networks. He is a frequent guest as a security expert on television and radio news networks such as CNBC, CBS and NPR. TopPatch was the first cyber security company to develop a patent-pending Peer-to-Peer Security Patch Management Software.