Small companies are being swept up in a surge of cyber espionage that was once aimed mainly at corporate giants.
In the last year, hackers working at the behest of governments or unscrupulous competitors have been actively targeting an array of small companies that have valuable intellectual property and corporate secrets, but lack the security protections of larger businesses.
Small businesses with big digital assets are most frequently targeted by hackers, says Ashar Aziz, founder and chief executive of FireEye Inc., a Milpitas, Calif., security firm that defends companies and government agencies against attacks. Among them are law and other professional-services firms that possess information belonging to larger, better-protected companies -- especially strategies for contract, merger and litigation negotiations.
Companies being pursued for acquisition by larger players are also being targeted by hackers, as are businesses with valuable intellectual property or information of their own, such as specialty manufacturers, small defense firms, high-tech and clean-tech startups and hedge funds.
Ten or 15 years ago, military computer networks were the target. But hackers, especially those believed to have ties to China, broadened their attacks to other government networks, then to commercial defense companies, and finally to companies of all stripes, including small ones in 2011, according to Mandiant Corp, an Alexandria, Va.-based information security firm.
"Small companies are targeted now because there's high return at fairly little effort," says Grady Summers, a vice president at Mandiant and former chief information security officer at General Electric Co. "If you're a company with a hot piece of technology … I'd consider it a certainty you'd be a target."
While it can be nearly impossible to stop a skilled and determined hacker, you can make your business less vulnerable and mitigate the damage. Here are five key strategies to consider:
1. Foil phishing.
Most targeted attacks begin with a personalized email con known as a "spear phish." It's designed to get the recipient to visit a website or open an attachment that infects his or her computer with malware, giving attackers access to the network so they can take what they like.
Spear phishing preys on human weakness, but a mix of spam filtering and employee education can go a long way toward stopping it.
2. Take on malware.
Up-to-date antivirus software is a vital first line of defense for blocking malware. But because it works by stopping known attacks, new ones can still get through.
Because malware typically exploits a software flaw, one of the most effective defenses is to apply updates without delay for all applications you use, especially oft-targeted Microsoft and Adobe products.
To make sure you're closing key vulnerabilities, consider using scanning tools such as those from Qualys Inc., which offers a number of free tools, as well as QualysGuard Express (14-day free trial, annual subscriptions starting at $1,495).
Web-filtering services can help prevent employees from visiting malware-laced sites. There are many options, but if your budget is tight, try the free basic service for small businesses from OpenDNS. Web-filtering services allow you to block entire categories of sites and provide reports on employee web activity to help you find out what happened if you are attacked.
3. Control access to sensitive data.
Hackers take advantage of loose policies that, for example, let a secretary, whose computer they hacked, access the work of your research and development group. To control employee access to such sensitive information, large companies use complex "identity and access management" systems. Simpler alternatives for smaller companies are emerging.
For instance, Symplified Inc. offers a cloud-based access management service that works with other cloud-based applications. Its Symplified ONE service costs $1 per user per month, starting at $100 for the first 100 users. Another option is Route1, which offers a device called MobiKEY. Employees can plug it into any computer to secure their remote access to the network resources they're authorized to use.
If you feel you can't protect vital assets, simply keep them off the network. What’s not remotely accessible to hackers can’t be stolen.
4. Hire a security services firm.
If you don't have the resources to lock down your network yourself, you can outsource the job to a managed security services firm. These companies offer state-of-the-art technologies and seasoned security pros at prices affordable to many small businesses because they spread the costs across many clients.
5. Create an incident response plan.
Hackers hunting for intellectual property can maintain a quiet presence on a target network for months and even years, stealing valuable information the entire time. Rooting them out as quickly as possible can significantly reduce the damage.
Encourage your employees to report suspicious activity and put a plan in place for how you will investigate and respond to a security breach.