June 10, 2013

Small Firms at Greater Risk From Cyberthreats

Smaller firms can be perceived by hackers as easier targets

While cybercrime is a risk for firms of all sizes, small firms may find themselves particularly vulnerable, according to a white paper issued by First Clearing in May.

In “Getting Serious About Cyber Crime,” First Clearing noted that as transactions are increasingly conducted online, the incentives for criminals to exploit that trend also grows. “Our computers often contain the tools to access client accounts with the click of a mouse, and smaller financial firms make an attractive target for fraudsters hunting an easy mark,” according to the paper.

In January 2012, the FBI teamed with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center to issue a guide on preventing fraudulent wire transfers. The guide noted that as of December 2011, the attempted fraudulent requests totaled approximately $23 million and actual losses were about $6 million.

Hackers are looking for a quick, easy payout, so it doesn’t matter how big your firm is—if you leave yourself vulnerable to attack, you could be a victim. However, smaller firms are inherently easier to attack, according to the paper.

Employees at financial firms have direct access to client data and assets, according to the paper, and many have tools to initiate transfers on their personal computers. Even if a hacker gains access to only one or two computers, that’s often enough.

Small firms also lack extensive physical security, which the paper noted can be taken as a “’tell’ into the organization’s overall security discipline.”

Without the resources of larger firms, some smaller firms have less complicated technology security. Again, the physical size of a firm is an indicator of a potential target to a hacker, as the size of a network often correlates with the complexity, according to the paper.

Human vulnerabilities, which could endanger firms of any size, could be a problem at smaller firms if they don’t train employees on information security and how to recognize a threat.

Regardless of whether these vulnerabilities actually exist at a small firm, the paper noted that if hackers believe they do, they could attempt to breach the firm’s security.

Sometimes it’s not the money hackers are after, but personally identifiable information (PII), the sensitive client data you work so hard to protect (and that the SEC expects you to protect).

The paper referred to a calculator created by Information Shield, an information security firm, that measures the impact a security breach has on a firm. The calculator takes into account several factors, including the time it takes to determine an attack has occurred, to identify and notify affected clients, and the cost of managing the fallout when the attack becomes public. A breach affecting 500 clients could end up costing more than $4 million, according to the calculator.

In fact, that reputational cost may be unlimited, according to the paper. A separate report from Willis Group, a global risk advisor, insurance and reinsurance broker, released Monday found loss of reputation was the second biggest overall cyber risk among Fortune 500 firms (followed by loss of confidential information).

The white paper suggested that the best way for firms to protect themselves is not with a single technological tool, but with a series of barriers that incorporate technological tools and security policies and procedures. “Encountering the first obstacle, the attacker may dismount; at the next, they may shed some of their supplies. Each barrier slows the attack and increases your opportunities to detect them before they reach your perimeter,” according to the paper.

Contracting with a third party to assess where hackers could find opportunity to steal data or assets is another solution. A third-party risk assessment will show which parts of the business are vulnerable to attack. Firms should also review their security programs at least annually, including technological solutions and policies and procedures.

Page 2 of 2
Single page view Reprints Discuss this story
This is where the comments go.