Small and medium-sized businesses may think they're immune to the kinds of attacks that wreaked havoc on Target last year, but they're susceptible to the same nefarious forces — sometimes even more so, as they can lead hackers to a bigger prize.
Since the Target breach, other retailers have been affected, including Neiman Marcus, eBay and P.F. Chang's. But the Target breach was huge — information on 40 million credit and debit cards was stolen, along with records of 70 million customers, including name, address, email address and phone number.
The breach obviously hurt Target — both CEO Gregg Steinhafel and CIO Beth Jacob have resigned, and costs continue to add up. Cards were affected across financial institutions — 10 percent at big banks, 14 percent at credit unions and nine percent at community banks, according to a Discover Financial Services study. Overall, 84 percent of financial institutions were impacted; after a typical data breach, that number is only 29 percent.
More directly, small businesses that keep customer cards on file to for recurring monthly charges, such as gyms, couldn't process transactions on cards that had been closed.
It's easy to think that your small business won't be affected by hackers, says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a research firm and think tank dedicated to advancing privacy and data protection practices. "Large companies have a bull's eye on their backs. A lot of small companies thought they were immune. It's just at small company. Who's going to hack them?"
A lot of people, it turns out. SMBs face some challenges that are the same as their larger counter partners, but some that are unique to them, too.
You Are the Company You Keep
Target's failure was a holistic one, says Mark Hammond, senior director of security consulting for Neohapsis Security Services, a security and risk management consulting company specializing in mobile and cloud security services. "One of the things that stuck out was the way partners are managed in the organization. It's not just technology. There's also people and processes filling in all the pieces of the puzzle."
Hackers used credentials from Target's HVAC company to upload malware into the security and payment's system. Target's malware detection tool, called FireEye, caught the attack, but the feature that would have automatically disabled the threat was turned off. Subsequent warnings were ignored, according to a Bloomberg Businessweek report.
This is why a small business can be a different kind of target, especially if it provides a service to a larger company. Hackers used Target's heating and air conditioning contractor as a gateway; subsequent failures on the security chain lead to a successful attack.
Sign up for CIO Asia eNewsletters.