The Hacking Economy

Warning: A wave of new viruses is targeting small businesses

Constance Gustke, special to

New mutating viruses, like Locky and CryptoLocker, are quickly popping up. And many are infecting small businesses, which are now big targets for hackers.

Undercapitalized and outgunned small businesses are still the weak links in cybersecurity, even though they may have valuable data. Their percentage of IT budget directed to security has been increasing from 4.9 percent in 2010 to 7.9 percent last year, according to Ponemon Institute's annual IT security Tracking study. But spending still lags behind big companies.

Meanwhile, hackers are inventing increasingly sophisticated malware.

Fred Tanneau | AFP | Getty Images

"Small businesses don't believe they're targeted by bad guys," said Larry Ponemon, chairman of the research think tank. "But small businesses are now targets, since big companies have the resources for security."

Small businesses can also offer entry to bigger ones, where there's lots of data to steal. In 2013, Target's data was famously breached. But few people know that the company's vast database was actually hacked through its HVAC vendor. That attack ended up costing Target $39 million in settlements and affecting 40 million customers.

These days, malicious programs are spreading even faster than before. The FBI warns that malware attacks are on the rise. And there are now many mutations of these destructive ransomware viruses, which can infiltrate computers.

Ransomware attacks computer systems through malicious links or websites and then encrypts their files. Pop-up messages appear asking the business to pay a ransom in hundreds or thousands of dollars for systems to be restored. Lately, ransom is asked to be paid in bitcoin, which can't be tracked, adds an FBI advisory.

One ransomware variety, called CryptoLocker, spreads a virus when a malicious email attachment is clicked. Banking data is then stolen and files encrypted so they can't be used.

"Ransomware is brutally malicious and bad for small businesses," said Michael Kaiser, executive director of the National Cyber Security Alliance. "It's also quite effective, since they have data, too, and can be used as stepping stones to bigger businesses."

The upshot is that more big companies are holding small vendors accountable for data breaches, said Ponemon.

These breaches can be devastating, he added. Small business may have access to huge amounts of data, such as email marketing services. So after a breach, small business can find themselves out of business and dealing with big law suits, Ponemon said.

The upshot is that small businesses need tight cybersecurity to protect their lifeblood.

Small businesses are now targets, since big companies have the resources for security.
Larry Ponemon
Chairman, Ponemon Institute

And they shouldn't count on law enforcement to help, said Kaiser. The crimes occur remotely and don't have fingerprints, he noted. So it's hard to track down the bad guys. "So focus on what you can control," he said, "and how you would respond and recover."

The best defense starts with a basic security audit of key assets. Take a step back, Kaiser advised, and know what you need to protect. "Small businesses get overwhelmed by risk," he said. "But what are they at risk for?"

The objective is coming up with a risk-management approach to protect data, he said. That may mean targeting new disruptive technologies like the Internet of Things, such as a video camera that's web connected, which can be a weak link. Or protecting smartphones used for business, which are also targets for a malware that locks them down and then demands ransom, said the FBI.

"The Internet of Things is happening so quickly," said Ponemon. "If you don't control access to one part, you can corrupt the whole chain." Wi-fi networks also need to be secure.

Do a risk audit

Regularly backing up data and storing it in a secure cloud is another good defense. "It can mitigate the attack," said David Burg, PricewaterhouseCoopers cybersecurity leader. "In a highly connected world, it's especially important." If the system is infected, it can be restored.

Kaiser advised using multifactor authentication, since it's stronger than just passwords. Devices can also be encrypted for extra protection.

Security leaks are most apt to happen in the cloud, added Ponemon. So experts advise finding a reputable cloud service that's secure and can hold system information.

"Read the reviews," said Kaiser. "And do your homework, such as finding out how the cloud services are maintained. Outsourcing can save money over time."

Ultimately, malware attacks may begin with simple employee error, such as clicking on a malicious link. So Ponemon suggests that small businesses create a culture of security. That means training employees on how not to share passwords or open suspicious emails.

"Good protection starts at the computer," he said.

— By Constance Gustke, special to