Small Business Is Big Business in Cybercrime

ABOUT TRENDLABSSM

TrendLabs is Trend Micro’s global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

1

Small Business Is Big Business in Cybercrime

Things Every Small Business Should Know About Web Threats and Cybercrime

For cybercriminals, no business is too small to exploit. Albeit being under a relatively smaller spotlight than typical enterprises, small businesses can ill afford to take the threat cybercrimes pose for granted. Myths abound regarding small businesses’ security but it’s time to face the facts.

Any organization, regardless of size or type, can fall victim to cybercrime.

Most small businesses are not convinced that cybercriminals are after them. In a Visa Inc. and National Cyber Security Alliance survey1 of 1,000 small business owners, 85 percent believed that enterprises are more targeted than they are. Over half (54 percent) are confident that they are more prepared than enterprises to protect company and customer data. Small businesses may think they are under the radar because cybercriminals opt to target either very large enterprises or consumers instead. In reality, however, cybercriminals do not discriminate among the very large enterprise, small business, and consumer sectors, as long as these prove profitable and lucrative to exploit. There are no priority targets. Any entity with a weak security system, small business or not, is cybercrime fair game.

1 http://staysafeonline.mediaroom.com/index.php?s=43&item=72

2

Small Business Is Big Business in Cybercrime

Small businesses manage information that is of interest to cybercriminals.

Small businesses do not face as many content security risks as larger enterprises do—or so they think. The fact is, 7.4 percent of small business owners are victims of fraud, according to a May 2010 Council of Better Business Bureaus study2.

Small businesses hold employee and customer information, which makes them prime cybercrime targets in every way. The types of stolen data range from social security numbers to online banking credentials (refer to the figure below for the complete list and percentage distribution of stolen information).

2 http://www.bbb.org/us/Storage/113/Documents/Cox_BBB_Presentation%20_11_May_10.pdf

3

Small Business Is Big Business in Cybercrime

Cybercriminals unleash 3.5 new threats targeting small businesses every second.

The number of online attacks specifically targeting small businesses reportedly surged by almost 600 percent in early 2010. Trend Micro experts cite at least two factors accounting for this alarming increase. First, larger companies are investing more in Internet security, pushing cybercriminals to look for smaller but just as abundant targets. Second, small businesses present a huge market for exploitation, as they now number over 25 million in the United States alone. Adding to small businesses’ appeal to cybercriminals is their lack of budget for an IT team, much less a department, devoted to maintaining security.

There have been cases wherein small businesses lost hundreds of thousands of dollars to cybercriminals whose weapon of choice has become bots. Bots are malicious software that stealthily infiltrate PCs, enabling cybercriminals to remotely control and ultimately steal critical data without the employees and customers’ knowledge. In January 2011, the Federal Bureau of Investigation (FBI)3 reported that a certain U.S. company lost US$150,000 via unauthorized money transfers triggered by malware-laden email messages. The malware in question belonged to the ZeuS/ZBOT family of Trojans, which is notorious for defrauding small businesses.

TrendLabs experts have also seen phishing campaigns and vulnerability exploits specifically targeting small businesses. Fraud often comes in the form of tax-related messages using the names of legitimate government agencies, usually invoking fear through customer complaints or threats of legal action. Exploits, meanwhile, arrive via frequently used legitimate applications.

Small businesses can be more vigilant against these attacks by ensuring that every employee—technical or not—stays abreast of the latest in cybercrime. They should be educated about the newest fraud schemes and urged to employ best practices such as not responding to or opening attachments and clicking suspicious links in unsolicited email messages. Small businesses are also advised to enforce their internal security policies and to enhance their network security and their corporate banking protocols. Finally, they need to be constantly on the lookout for suspicious online activities and to prepare a contingency plan for instances of actual compromise.

3 http://ct.bbb.org/article/connecticut-bbb-issues-alert-about-cyber-criminals-targeting-small-businesses-with-malware-attacks-25028

4

Small Business Is Big Business in Cybercrime

Compliance is costly, but noncompliance is costlier and can serve as a window to cybercrime.

Not all small businesses are aware of compliance issues. Some even believe that they are compliant and have sufficient security measures in place. However, nearly 1 million U.S. small businesses have already fallen victim to data security fraud, revealed a January 2011 study4 on the data security and fraud prevention strategies practiced by small and medium-sized businesses (SMBs).

Noncompliance may eventually lead to productivity loss, business disruption, and high legal costs. The cost of compliance is placed at US$3.5 million5 for multinational organizations but that is a small price to pay compared with the much higher cost of noncompliance. Small businesses would be ill advised to think that they are exempted from complying with data protection regulations. Like their large enterprise counterparts, they also deal with processes, people, and technologies, all of which are under equal threat of cybercrime.

4 http://www.nacsonline.com/NACS/News/Daily/Pages/ND0113112.aspx5 http://www.tripwire.com/ponemon-cost-of-compliance/pressKit/True_Cost_of_Compliance_Report.pdf

5

Small Business Is Big Business in Cybercrime

Small businesses are moving to the cloud and are embracing cloud security but cybercriminals are not far behind.

Cloud computing has well crossed over from being a catchphrase to become a reality. Today’s overall SMB cloud market is valued at US$8.6 billion6 and is set to approach US$100 billion7 by 2014. In addition, up to 74 percent of SMBs plan to increase their spending on cloud-based software in 2011—a marked improvement from late 2010 when cloud computing adoption among SMBs stood at only 14 percent.

Despite these overall positive developments, small businesses are still not spending nearly enough on cloud security. A 2010 Forrester report8 says while 84 percent of SMBs considered data security a high priority, only about one-third (36 percent) of the respondents planned to increase their spending on network security and only by a factor of 5 percent.

Small businesses run the risk of losing data, productivity, sales, even their reputation—and most of all, dollars—in the face of the exponentially increasing number of threats that cybercriminals unleash.

6 http://www.informationweek.com/news/smb/services/showArticle.jhtml?articleID=2292191317 http://www.crn.com/news/cloud/226700149/smb-cloud-spending-to-approach-100-billion-by-2014.htm?itc=refresh8 http://www.eweek.com/c/a/Security/IT-Security-Spending-Expected-to-Increase-for-Enterprises-SMBs-532369/

Small businesses need to keep these five facts in mind as they strengthen efforts to keep their own and their customers’ data secure.

Small Business Is Big Business in Cybercrime

ABOUT TREND MICRO™

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

©2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

TREND MICRO INC.

10101 N. De Anza Blvd.

Cupertino, CA 95014

US toll free: 1 +800.228.5651

Phone: 1 +408.257.1500

Fax: 1 +408.257.2003

www.trendmicro.com

ABOUT TRENDLABSSM

TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With more than 1,000 threat experts and support engineers deployed round-the-clock in labs located around the globe, TrendLabs enables Trend Micro to:

• Continuously monitor the threat landscape across the globe

• Deliver real-time data to detect, preempt, and eliminate threats

• Research and analyze technologies to combat new threats

• Respond in real time to targeted threats

• Help customers worldwide minimize damage, reduce costs, and ensure business continuity

What Trend Micro Can Do to Protect YouIn the current threat landscape, no organization is safe. Every organization is a prime cybercrime target. This is why Trend Micro always strives to protect its product users from any and every possible threat with the aid of the Trend Micro™ Smart Protection Network™.

Small businesses will do well to use the following products to protect their own and their customers’ data:

• TrendMicro™Worry-Free™BusinessSecurityAdvancedprotects WindowsPCs, Macs, file servers, and mail servers from viruses, threats, and dangerous websites. The latest edition keeps business information private by locking down USB drives and other storage devices as well as by preventing data loss through email. It also blocks spam both before it reaches and while on ExchangeServers.

• TrendMicro™Worry-Free™BusinessSecurityStandardprotects WindowsPCs and servers from viruses, threats, and dangerous websites. It features security scans that run quickly and quietly in the background and keeps business information private by locking down USB drives and other storage devices.

• TrendMicro™Worry-Free™BusinessSecurityServicesis a cloud-based security solution that provides protection anytime and anywhere for your business data. It secures PCs, servers, and other Windows-based devices such as point-of-sale (POS) machines and tablets.

In addition to providing industry-leading security solutions, we also provide information on the latest threats and threat trends to let users know what they can do to stay protected in today’s digital world. For more information on the threats featured in this primer, please refer to our materials in the following portals:

• ThreatEncyclopedia:Our malware, spam, malicious URL, and Web attack entries like “Another LinkedInSpam Leads to ZeuS-Related Site” provide more information on the vectors cybercriminals use to infect users’ systems and corporate networks.

• TrendLabsMalwareBlog:Our blog entries like “Malicious .RTF Files Exploit MicrosoftOfficeVulnerability” provide threat news and information direct from the experts.