Small firms more susceptible to cyber crime

-- Deborah L. Cohen covers small business for Reuters.com. She can be reached at smallbusinessbigissues@yahoo.com --

Deborah L. Cohen

CHICAGO (Reuters.com) - A couple years ago a crippling cyber attack on one of Nanette Lepore's haute couture boutiques served as a wakeup call for the fashion retailer to get serious about its online security.

In 2007, Nanette's Las Vegas store had its router hacked by a cyber criminal and confidential point-of-sale information was accessed, potentially impacting hundreds of the company's well-heeled patrons. The sensitive data was then transferred to Italy, where it was used to create phony credit cards that were subsequently distributed in Spain.

After a meeting with FBI and local crime officials, the Caesars Palace store was shut down during crucial Saturday shopping hours, but the company gained a valuable lesson about protecting its data.

"If they can gain access to your network routers, you're pretty much an open book," said Jose Cruz, Nanette Lepore's director of information technology, who has since developed a Fort Knox-like security protocol for the confidential information flowing through the company's 10 boutiques and its New York headquarters. "The first thing I did was lock it all down."

Unfortunately Nanette Lepore is not alone among small and medium-sized businesses for its lack of planning for a cyber attack. A new study issued by the National Cyber Security Alliance and software company Symantec confirmed that small businesses are among the most vulnerable to Internet crime due to their unstructured approach to online security.

The study found only 28 percent of small businesses have formal Internet security policies, despite the fact they store valuable data such as credit card information, financial records, intellectual property and other sensitive content online. Only 35 percent of the small businesses polled provided any training to employees about Internet safety and security, according to the study, which surveyed 1,500 firms across the United States. At the same time, 86 percent of respondents had no single individual focused on IT issues.

"Small businesses are increasingly vulnerable to cyber attacks," said Michael Kaiser, executive director for the National Cyber Security Alliance. "We know from evidence we hear when we talk to people in law enforcement and others about cyber crime that small businesses are pretty robust targets."

Kaiser said he was particularly concerned about the study's disclosure of the lack of Internet protocol and employee training on the part of small companies, a trend that could be exacerbated in a recessionary environment, where budgets are strapped.

"If you're not engaging your employees, saying this is how you protect the data you have, how you protect your customers, the employees that work here, our important financial information, it creates a pretty significant vulnerability," he said. "That's the one that jumped out at me."

Beyond attacks that steal confidential data, is the increasing threat of malware - software programs that infiltrate a computer unbeknownst to the user and perform illegal tasks such as sending out spam email or crashing a network, noted Kaiser.

PREVENTIVE STEPS

Kaiser pointed to simple, preventive steps that small companies could take with little additional cost to their bottom line. These include regularly updating the software already purchased, ensuring that virus protection programs are installed, and keeping Web browsers current.

In addition, Kaiser urged management to talk to employees about changing their passwords on a regular basis and making them more complex. Internet service providers (ISPs) as well are becoming more concerned about protecting their small business clients' data and can serve as a valuable resource.

"We obviously want to see a more proactive approach," said Kaiser, whose organization is a public-private alliance between the Department of Homeland Security and technology companies such as Cisco and Microsoft. It operates a Web site (www.staysafeonline.org) that includes Internet security resources for small companies.  Continued...