The Risks of Malware to Small Businesses


The global costs of
cybercrime are now estimated at between $500 billion and $1 trillion annually.
This growth moves cybersecurity from the back burner of small businesses’
pressing concerns to the ‘can’t ignore’ category. Information security experts say
small businesses now account for more than 60% of attacks, partly because
criminals view them as the path of least resistance. One of the chief tools criminals
employ in attacks is malware, an umbrella term for a range of hostile or
intrusive software that includes computer viruses, worms, trojan horses,
ransomware, spyware, adware, scareware and other programs.

What is Malware

Malware is a shortened version of “malicious
software,” programs created to secretly enter or damage a computer and steal
information. Security experts said malware comes in many forms: spyware that
steals data; adware, a kind of involuntary advertising; or ransomware, a new
type of program that extorts money. All of these can cost businesses money
and reputation.

Bill Needles, president and
CEO of Highland, Ind.-based technology solutions provider PC Plus, said most
small businesses first feel the effect of malware intrusions as lost
productivity through denial of service.

“They can’t do business
because their computers are down and that’s bad news,” said Needles, who has
worked in IT for more than 30 years. “It means lost productivity and lost
sales. And if the business is responsible for safekeeping customer data and that
is violated, it could have very serious complications.”

He said if malware
perpetrators can infect a business computer and attack vulnerabilities in
Microsoft Windows or Internet Explorer, they may prevent small businesses from
accessing the Internet and reaching their customers or vendors, a denial of
service.

Needles said that identity
theft is another goal of malware criminals.

“Some malware designers or
users use key loggers designed to capture all your keystrokes,” he explained.
“Those keystrokes can divulge the name of your bank or online account where you
purchase products, along with your login and passwords, identifying information
that could allow them to steal money directly or create false identities in
your name.”

He said hackers employ many
tactics to break into computers.

“It could be as simple as
having an employee bring in a thumb drive or disc with data from their personal
computer to download to their office computer and by doing that, infect the
business’s computer. It could be a virus that arrives in an e-mail or from an
Internet web site clicked on by employees.”

He said that e-mails often
seem to come from reputable sites, disguised as something that will dupe people
into thinking they got something good, such as fake security improvement tools that
are actually designed to steal information and make it more difficult for the
business to use its computers.

Staying up-to-date

“It’s a huge cat and mouse
game,” Needles said. “The minute a new
fix or update to a security program is announced and released to people who own
these products, the hackers are trying to get around it.”

He said many small businesses
fail to update their protections.

“They buy their computers
from a big box store and when the 90-day trial period for their antivirus
program runs out, they fail to renew. They need to keep up with system patches.
If not, the foundation of the computer system weakens and the tools they purchase
and deploy can’t do their job.”

Needles said rather than buying
a suite of products from one company, he prefers selecting “the best of breed”
for each of the solutions. “It’s more important to me to get the best
protection for my customers,” he said.

Gary Davis, chief consumer
security evangelist for Intel Security, said malware often disguises itself as the
computer’s owner when sending malware to the owner’s friends, who click on the
e-mail and inadvertently infect their own systems.

Davis added that one of the
growing threats is ransomware, a program that arrives, embeds itself in a
computer’s system and begins locking up files. In some cases, the hackers
purport to be investigating child pornography and threaten to turn over the
owner’s files to authorities unless a ransom is paid. He said this form of
cyber extortion is growing.

“We saw a 155% increase in
ransomware attacks in 2014,” he said. “This is causing havoc, from a surf shop
in California to a suburban Chicago police department. You either pay, or you
can’t access your data and business information. It’s a very painful and
laborious process.”

Education as important as security tools

Davis said Intel has
collected more than 350 million samples, six every second, in what its
McAfee Labs calls its Malware Zoo, a massive volume of malware signatures the
company sifts through to deliver protection to its customers.

“Mobile devices are emerging
threat vectors,” he said. “We have more than six million samples in that zoo
and we think that’s going to be explosive going forward.”

He said small businesses
should invest time and resources not only in purchasing products to protect
their computers, but also to educate and train their employees.

“Take the time to understand
what’s going on in this space and educate your employees in safe online hygiene,
how to look for phishing e-mails and not to upload files from their home
computers onto their work computers,” he said.

“Make sure they apply system
patches when they come out,” he said. “Malware people will look for those
holes. Finally, they should make sure they have antimalware and firewall
software installed on their system and layered across the whole environment.
That goes a long way to making sure you don’t wake up as a victim. You don’t have
to spend every hour of every day fretting over this, but be mindful of how fast
the industry is changing.”

Taking aim at Small Business

Brian Burch, vice president
of product marketing for Symantec’s Norton Security, said the number one mistake
small business owners make is thinking they’re too small to be relevant to
criminals.

But Symantec’s 2014 threat report
indicates that three of every five targeted cyber-attacks are aimed at small businesses.

“Big companies spend millions
to protect themselves and have erected great defenses,” he pointed out. “Small businesses
don’t have those kinds of resources and criminals have figured this out, hiring
the best hackers in the world to steal money, customer data and intellectual
property. They often turn their attention from better-defended targets to those
less-defended. And increasingly many are gravitating to small businesses. They
will go where the guard dog isn’t present.”

Burch said Symantec staffs
hundreds of researchers to monitor 58 million global sensors detecting attack
vectors internationally.

“We’ve learned a lot about
these guys and we’re working to profile them, to put faces to the shadows,” he
said.

He said the hackers portrayed
in movies in the past were young kids trying to challenge themselves with
mostly harmless intrusions for thrills and computer world celebrity.

“They’ve been replaced by
criminal operators,” he said.

Organized Crime

In 2011 Symantec announced that
cybercrime had surpassed drug crime as the most lucrative criminal enterprise
in the world. Burch said that the United States lacks extradition treaties with
some of the countries (China, North Korea, Russia and Ukraine) where hackers
operate outside legal bounds.

“They are recruiting very
talented individuals who have otherwise limited career prospects in those
nations and the fastest route to riches for these talented programmers is to
become criminals,” he said. “They’re creating business plans, training
programmers, setting objectives and building attack teams to target what they’re
trying to steal. They’re like assembly lines of programmers building malware
instead of automobiles. These guys aren’t seeking celebrity or fame, but would
rather steal for years without discovery.”

He said for roughly $20 per
employee (using a computer) per month, products like Symantec’s can offer
protection that thwarts most cyberattacks most of the time. He suggested small
businesses should establish a written computer security policy, make sure
protections are installed on all computers, including home computers and
devices if staffers work at home, and revoke access for staffers once they
leave the company.

He advised small businesses
to take a multi-layered approach to cyber security that includes installing
firewalls, anti-phishing, anti-virus and anti-malware protections. Though he
conceded that “no one can guarantee 100% protection,” he said “there is a lot
that small businesses can do to protect themselves.”