The global costs of cybercrime are now estimated at between $500 billion to $1 trillion annually. This growth moves cybersecurity from the back burner of small businesses’ pressing concerns to the ‘can’t ignore’ category. Information security experts say small businesses now account for more than 60% of attacks, partly because criminals view them as the path of least resistance. One of the chief tools criminals employ in attacks is malware, an umbrella term for a range of hostile or intrusive software that includes computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other programs.
What is Malware
Malware is a shortened version of “malicious software,” programs created to secretly enter or damage a computer and steal information. Security experts said malware comes in many forms, sometimes installing spyware to steal data; or adware, a kind of involuntary advertising or extorting money through a new program called ransomware, all of which can cost businesses money and reputation.
Bill Needles, president and CEO of Highland, Ind.-based technology solutions provider PC Plus, said most small businesses first feel the effect of malware intrusions as lost productivity through denial of service.
“They can’t do business because their computers are down and that’s bad news,” said Needles, who has worked in IT for more than 30 years. “It means lost productivity and lost sales. And if the business is responsible for safekeeping customer data and that is violated, it could have very serious complications.”
He said if malware perpetrators can infect a business computer and attack vulnerabilities in Microsoft Windows or Internet Explorer, they may prevent small businesses from accessing the Internet and reaching their customers or vendors, a denial of service.
Needles said that identify theft is another malware criminal’s goal.
“Some malware designers or users use key loggers designed to capture all your keystrokes,” he explained. “Those keystrokes can divulge the name of your bank or online account where you purchase products, along with your login and passwords, identifying information that could allow them to steal money directly or create false identities in your name.”
He said hackers employ many tactics to break into computers.
“It could be as simple as having an employee bring in a thumb drive or disc with data from their personal computer to download to their office computer and by doing that, infect the business’s computer. It could be a virus that arrives in an e mail or from an Internet web site clicked on by employees.”
He said that e mails often seem to come from reputable sites, disguised as something that will dupe people into thinking they got something good, such as fake security improvement tools that are actually designed to steal information and make it more difficult for the business to use their computers.
“It’s a huge cat and mouse game,” Needles said. “The minute a new fix or update to a security program is announced and released to people who own these products, the hackers are trying to get around it.”
He said many small businesses fail to update their protections.
“They buy their computers from a big box store and when the 90-day trial period for their antivirus program runs out, they fail to renew. They need to keep up with system patches. If not, the foundation of the computer system weakens and the tools they purchase and deploy can’t do their job.”
Needles said rather than buying a suite of products from one company, he prefers selecting “the best of breed” for each of the solutions. “It’s more important to me to get the best protection for my customers,” he said.
Gary Davis, chief consumer security evangelist for Intel Security, said malware often disguises itself as the computer’s owner when sending malware to the owner’s friends, who click on the e mail and inadvertently infect their own systems.
Davis added that one of the growing threats is ransomware, a program that arrives, embeds itself in a computer’s system and begins locking up files. In some cases, the hackers purport to be investigating child pornography and threaten to turn over the owner’s files to authorities unless a ransom is paid. He said this form of cyber extortion is growing.
“We saw a 155% increase in ransomware attacks in 2014,” he said. “This is causing havoc, from a surf shop in California to a suburban Chicago police department. You either pay, or you can’t access your data and business information. It’s a very painful and laborious process.”
Education as important as security tools
Davis said Intel has collected more than 350 million samples —six every second—in what its McAfee Labs call its Malware Zoo, a massive volume of malware signatures the company sifts through to deliver protection to its customers.
“Mobile devices are emerging threat vectors,” he said. “We have more than six million samples in that zoo and we think that’s going to be explosive going forward.”
He said small businesses should invest time and resources not only in purchasing products to protect their computers, but also to educate and train their employees.
“Take the time to understand what’s going on in this space and educate your employees in safe online hygiene, how to look for phishing e mails and not to upload files from their home computers onto their work computers,” he said.
“Make sure they apply system patches when they come out,” he said. “Malware people will look for those holes. Finally, they should make sure they have antimalware and firewall software installed on their system and layered across the whole environment. That goes a long way to making sure you don’t wake up as a victim. You don’t have to spend every hour of every day fretting over this, but be mindful of how fast the industry is changing.
Taking aim at Small Business
Brian Burch, vice president of product marketing for Symantec’s Norton Security, said the number one mistake small business owners make is thinking they’re too small to be relevant to criminals.
But Symantec’s 2014 threat report indicates that three of every five targeted cyber-attacks are aimed at small businesses.
“Big companies spend millions to protect themselves and have erected great defenses,” he pointed out. “Small businesses don’t have those kinds of resource and criminals have figured this out, hiring the best hackers in the world to steal money, customer data and intellectual property. They often turn their attention from better-defended targets to those less-defended. And increasingly many are gravitating to small businesses. They will go where the guard dog isn’t present.”
Burch said Symantec staffs hundreds of researchers to monitor 58 million global sensors detecting attack vectors internationally.
“We’ve learned a lot about these guys and we’re working to profile them, to put faces to the shadows,” he said.
He said the hackers portrayed in movies in the past were young kids trying to challenge themselves with mostly harmless intrusions for thrills and computer world celebrity.
“They’ve been replaced by criminal operators,” he said.
In 2011 Symantec announced that cybercrime had surpassed drug crime as the most lucrative criminal enterprise in the world. Burch said that the United States lacks extradition treaties with some of the countries— China, North Korea, Russia and Ukraine –where hackers operate outside legal bounds.
“They are recruiting very talented individuals who have otherwise limited career prospects in those nations and the fastest route to riches is for these talented programmers is to become criminals,” he said. “They’re creating business plans, training programmers, setting objectives and building attack teams to target what they’re trying to steal. They’re like assembly lines of programmers building malware instead of automobiles. These guys aren’t seeking celebrity or fame, but would rather steal for years without discovery.”
He said for roughly $20 per employee (using a computer) per month, products like Symantec’s can offer protection that thwarts most cyberattacks most of the time. He suggested small businesses should establish a written computer security policy and make sure protections are installed on all computers, including home computers and devices if those staffers work at home and revoke access for staffers once they leave the company.
He advised small businesses to take a multi-layered approach to cyber security that includes installing firewalls, anti-phishing, anti-virus and anti-malware protections. Though he conceded: “No one can guarantee 100% protection, there is a lot that small businesses can do to protect themselves.”