It's no secret that the internet is rife with threats that can be difficult to deal with, but small businesses with limited resources shouldn’t just throw in the towel, security experts say. Simple things can go a long way to securing any business against computer security breaches.


Small businesses may think cyber attackers only go after big companies, but of the 31,000 targeted cyber attacks recorded by anti-virus software maker Symantec in 2010, 40 per cent were against businesses with fewer than 500 employees.

Still, even for those aware of the problem, it’s easy to see why many smaller businesses think that good security is beyond their reach. Case in point: Between June 2009 and April 2010, what many computer-security experts describe as a "groundbreaking" computer virus repeatedly attacked and infected systems at five industrial organizations in Iran. The Stuxnet worm is widely thought to have been designed to disrupt the country’s nuclear program by taking down the computers that control uranium enrichment.

Security firm Kaspersky Lab said it seemed to be the work of a "nation state-backed group." What’s even more astounding is that such computer systems, because of their sensitivity, would almost certainly not be connected to the internet. That means that someone, likely by accident, had to sow the virus in person by transferring an infected file to a server.

Stuxnet’s success makes the computer-security efforts of lesser organizations seem futile. If Iran can’t safeguard its clandestine nuclear operations against attack, surely the millions of businesses with a small fraction of the information technology resources, and with servers that have to be internet-attached, are several times more vulnerable.

But if anything, the Stuxnet tale serves as a lesson in how they can safeguard themselves against breaches that could bring down their operations.

Train everyone

The first lesson is that "it’s always about training, and don’t be oblivious and don’t be naïve," says Walid Hejazi, a professor at the University of Toronto’s business school who co-authors an annual report on IT security in Canada with researchers at telecommunications company Telus. Any staff member can be the unwitting entry point for malware into their organization, and so everyone needs to be savvy about cyber threats.

Hejazi points to the cyber attacks on the federal government that forced the Treasury Department and Finance Ministry to shut down employees’ internet access for more than a month earlier this year. The virus was spread via simple emails from senior ministry officials. Many of those messages contained infected attachments, while others conned departmental IT staff into providing passwords unlocking access to government networks.

"So you always want to be aware of what you put in writing. Email and all of that is vulnerable," Hejazi said.

He adds that every employee needs to exercise caution about what attachments they open and what information they send out.

USB vigilance

Another weakness is companies’ tendency to let workers take files home, and bring them back to the office, particularly on USB keys. Experts think Stuxnet penetrated Iran’s systems either via emails to state employees or through an infected USB flash drive.

Who dunnit?

Organizations don't just face threats from outside — many data leaks come from within. A joint study published in November 2010 by Telus and the University of Toronto's business school, based on surveys of companies with 100 or more employees as well as governments, found that as many as one-third of IT breaches were the deliberate work of an organization's insiders. 

Inside jobs (% of total IT breaches)

                    2010    2009
Private company      19%     28%
Publicly traded      30%     19%
Government           33%     33%

Source: 2010 Rotman-Telus Joint Study on Canadian IT Security Practices

"The whole thing about USB keys and encryption, this is critical. Very often someone wants to go home and they put their work on a USB key, and they don’t put a password on it," Hejazi said.

And often people don't have proper firewall settings, anti-virus software and other security measures on their personal computers. When they work on a file at home, or send it back and forth between home and work via e-mail, it can get infected and transfer that infection to their work systems.

This extends to outside workers, including consultants, contractors, temporary employees or anyone else who might have access, with or without authorization, to a company’s computers. In the Iranian case, several experts have speculated that the Stuxnet worm infected the country’s computers via workers from Russia’s state atomic energy company, which was helping to build Iran’s first civilian nuclear reactor.

Robert Beggs, CEO of Burlington, Ont.-based IT security firm Digital Defence, said he’s seen cases where a small company hires an outsider to come in and do legitimate work, but leaves them alone long enough to copy customer lists, technical diagrams or info on contracts the company is bidding on. The visitors also have the opportunity to install malicious software and "back doors" into a company's servers, which is as simple as following a tutorial on YouTube and devastating enough to compromise an entire network.

Rethink trust

Perhaps the toughest security step for small businesses is that, as Beggs says, they need to rethink their entire operating philosophy of trust – in other words, how much trust they give suppliers, employees and customers.

"The strength of small business is trust. They base their decisions on trust: I met you, I trust you, I’m going to hire you. But the con man is taking advantage of that trust. How do you train someone who’s distinguishing themselves by their trust to be suspicious?"

Beggs said the answer is that small businesses need to think like big corporations when it comes to IT security. That means doing background and reference checks on people being given access to the network, including a criminal-record check.

Small businesses also need to mimic large enterprises' policies around software updates, says Brian Bourne, president of CMS Consulting and co-founder of Toronto's annual SecTor computer-security conference. 

Bourne says that "by far the most common" security gap in small companies' IT is the failure to update operating systems with the latest software patches.

"Particularly with servers, where people won’t automatically update them the way they do workstations because they don’t want them restarting," Bourne said. "It's a stunningly simple thing to fix."

What small companies can do

Digital Defence CEO Robert Beggs says small businesses can quickly tighten their IT security with the following steps:

  1. Introduce an acceptable use policy: "The biggest risk that we see is that companies don’t tell employees what they should do and shouldn’t do on a computer, and how to recognize an attack ... and that’s only going to happen when you have them sufficiently educated, and tell them what to watch for and why."
  2. Implement forensic accountability: Employees should never share a common password to access a server or file, nor should they choose easy-to-crack passwords. "If I’ve got 15 people using the same password, I can’t manage the network, let alone know what’s happened" when diagnosing and countering an attack, Beggs said. He recalled the case of a 40-person financial firm he was hired to help, where several employees’ password was the word "password."
  3. Purchase legitimate, clean software: "We had one client — it was a graphics company — and a co-op student had downloaded graphics software off the internet using BitTorrent. We went through and 70 per cent of the software had backdoors that allow a hacker to access the company’s network."
  4. Maintain physical security: Often the best attack vector is direct access to a company’s computers or files. An attacker who gains access to business premises can easily place software on a machine that opens a backdoor into the company’s systems. Beggs says he’s conducted 300 "penetration tests" over the years in which he attempts to get into an office and use computers there, including at a power company, and has been stopped only five times. "The vast majority of times, no one will stop you if you walk quickly and look like you know where you’re going." Attackers might also send free USB keys or even entire free computer systems to a company, with malware hidden on the devices.

Confident, but incoherent

It’s hard to pin down exactly how much IT breaches cost Canada’s small businesses. A survey this year by anti-virus maker Symantec found that cybercrime costs the country as a whole $840 million in financial losses and $4.7 billion in lost time.  

Hejazi’s first report with Telus, in 2008, tracked cyber attacks on small enterprises, but the "data were all over the map, so we jettisoned it for the following year," he said. "With small businesses, many companies were reporting no formal budget for IT, no consensus on the number of breaches, no formal structure on how to deal with security."

Despite that, many companies are confident — arguably over-confident — about their imperviousness. A national survey earlier this year of businesses with fewer than 500 employees, conducted for the Canadian branch of computer security company Trend Micro, found that more than 60 per cent of respondents felt they had adequate or better IT security. Only 12 per cent of the 502 companies polled reported falling victim to a breach.

One problem is that those companies tend to only consider the toll of a cyber attack in terms of the cost of eliminating viruses and the downtime due to hacked servers. But the full cost, which could be many times more, needs to factor in lost revenues from the leak of sensitive corporate data.

If a competitor can hack into the personal web email of a company’s salesperson — often an easy feat, since many users have easy-to-crack passwords for Gmail and Hotmail accounts — they might glean leads on potential new clients and then go out and snare them. Or the competitor could learn how much the company is bidding on a contract, then undercut it.

"Lots of companies do small email. They just email and say, ‘Here’s a lead.’ But say I’m working in a company with five salespeople, and they’ve canvassed 500 homes in the last week and I’ve got all this info in a spreadsheet, and then I lose that and someone else picked it up," Hejazi speculates.

"If I’m a salesperson, I can go door to door, or I can simply hack into someone’s email and it’s easier."