The Dreaded Call
Daniel Seward awoke to his cell phone vibrating on his nightstand. Groggily, he rolled over and looked at the phone. It was just after 5am and he didn’t recognize the 800 number, but he angrily answered it, ready to give the telemarketer a piece of his mind. “Do you realize what time it is?”
“Mr. Seward, this is Ross Spears with the fraud prevention unit of Haneysville National Bank. We have detected activity within your account that we suspect may be fraudulent. Did you attempt a wire transfer of $73,500 to an account at 6:15am on Tuesday?”
Immediately, Daniel sat up in bed, his heart racing. “No, I did not. Who was the wire made to?”
“We cannot determine that, because the account number was incorrect and the attempted deposit was returned to your account. However, there were six other successful transfers made around the same time.”
“For how much?” asked Daniel.
“The total was $256,315.00,” responded Ross.
“Are you kidding? I didn’t authorize those transactions!” shouted Daniel, waking up his wife. “You stopped them, didn’t you?”
“I’m afraid not, sir,” answered Ross, “there was nothing fraudulent about those transactions. They were made on the website, and came from the IP address you always conduct your banking business from.”
“Are you saying the money is gone? A quarter million dollars?”
“That is the worst case scenario, Mr. Seward,” replied Ross. “We will work with you to try and get as much back as possible.”
Daniel promised to visit the local bank as soon as it opened, and completed his call with Ross. He then dialed Paul Helms, head of ABC Tech Consulting. Daniel outsourced the management of his small accounting firm’s computers and networks to ABC Tech. “Hello? Daniel?” answered Paul.
“Paul, someone stole a quarter million dollars from my bank accounts using my computer, which you manage for us. How could this happen?”
Paul’s sleep-deprived brain struggled to comprehend what Daniel had just said, and nothing but shocked silence filled the line.
“I’m not sure, Daniel. Let me get dressed and I’ll come in.”
Small Businesses Targeted Relentlessly
This story, while fictional, is representative of a true story that I’ve seen played out across many small businesses. Former Washington Post reporter Brian Krebs is now an investigative journalist who runs his own blog focused on security and cyber crime. He has an entire section of his website dedicated to the stories of small businesses that have been affected by cyber crime. Small business security, he writes, is paramount because:
…companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach…
The 2013 Verizon Data Breach Investigations Report (DBIR) separated the breaches investigated by the size of the organization. Surprisingly, the smallest organizations – from 1 to 100 employees – suffered the greatest number of breaches.
Small Business Security Needs A Better Approach
Small businesses don’t want to deal with security; they have to. For most small businesses, security is not a core competence. They want to be secure, but if focusing on security takes away from their time and energy, they will instead focus on their business needs and goals.
That’s where minimum viable security plays a role.
There are certain things that every business must do to protect information, whether it is a 3-person accounting firm, a 75-person regional medical practice, or a Fortune 100 company. Small business security needs to start with the minimums necessary to protect the business, and then grow in accordance with the priorities and capabilities of the organization.
Actions to Take Today
Small business leaders must start by asking themselves this question: “Am I confident my business is doing at least the minimum necessary to protect information?”
Then, they should ask their IT professional if he/she has recently assessed the security of the organization and its information.
If you’re not sure what the minimum necessary might be in your business, or what questions to ask your IT provider, I invite you to contact us and set up a free, no-obligation thirty-minute phone call to discuss. We will leverage our experience handling both small business security and large enterprise security, and provide our advice to help you get started.