Tag Archives: smb

Federal court rules SMB — not bank — liable for loss from online theft

Even though Uniform Commercial Code places loss risk with banks for unauthorized transfers, a Federal court ruled against an SMB in Missouri last month and with the larger bank — primarily because the SMB did not implement fraud prevention controls offered by the bank.  This resulted in a $440,000 loss for the SMB.  Here’s the nutshell version:

  1. SMB has business account with bank
  2. Bank offers security (fraud prevention) controls for SMB
  3. SMB declines to implement controls (twice)
  4. SMB computer hacked & SMB’s credentials used to transfer money from its bank to Cyprus bank
  5. SMB sues bank for loss stemming from stolen funds
  6. Federal court rules against SMB and with bank
  7. SMB out $440,000 plus legal expenses

If this indeed sets precedent, this further increases SMB business risk.

Some lessons learned:

  • If your bank offers recommended security services or tools, use them (unless you can show that this directly and materially negatively impacts your business)
  • Use Positive Pay where list of authorized checks are provided to the bank via separate channel (i.e. bank has to cross check against that list prior to paying checks/requests presented to them)
  • Use a dedicated computer for banking transactions
  • Use two-factor authentication where possible
  • If not using Positive Pay or similar service, establish criteria with your bank for when they should alert you that a check or transfer request seems unusual

 More here in this Dark Reading story.

Verizon Data Breach Study & SMB Factors

Verizon just released their 2013 Data Breach Investigations Report (DBIR).  It draws data from work done by several law enforcement agencies, incident-reporting groups, research institutions, and private security firms. It studies over 2,500 confirmed data breaches (representing more than 1 billion records).

Some observations from the report for all company sizes:

  • 75% of attacks were opportunistic, ie a specific company or individual was not directly targeted
  • Attackers consisted of activists, criminals, & spies
  • Of the cases of insider sabotage, 50% came from old accounts or back doors that had not been disabled
  • The vast majority of attacks (68%) were considered “Low” difficulty (meaning basic attack methods with little or no customization required)
  •  ‘Unapproved’ hardware accounted for 41% of misuse
  • It is taking longer to discover breaches, up 10% from 2012.  This means that the bad guy can operate at will for longer periods of time.

Some observations for small and medium sized businesses (employee count < 1000):

  • In companies less than 100 in size, retail had an exceptionally large exposure, followed by food services companies
  • 57% of attacks were from organized crime and 20% were state-affiliated
  • 72% of attacks were from hacking, 54% from malware, and 32% from social media
  • In 86% of the attacks, spyware or keyloggers were installed as a part of the attack
  • SMB’s are at higher risk for ransomware schemes
  • Desktop sharing was primary attack vector for hacking attacks for SMB’s
  • Email was primary vector for social attacks
  • Unapproved hardware contributed to misuse in 52% of cases in small & medium sized companies (compared with only 22% of large companies)
  • Point of Sale devices most often attacked information asset for SMB’s

2013 Data Breach Investigations Report

Executive Summary

 

 

Password management in small & medium sized businesses

Poor password policies and management can be an Achilles heal for any business.  Making it more challenging for small and medium sized businesses is that they often cannot afford to implement or support full Identify Access Management systems.  There is, however, some middle ground.

What Floyd the Barber knew about information risk management

The Mayberry Model

Watch the till and lock the door at night. If you were opening a small business 30 years ago, your major security concerns were probably to keep an eye on the till (cash register) during the day and to lock the door at night.  It reminds me a little bit of the Andy Griffith Show which ran in the 1960’s about a small fictional town called Mayberry RFD in North Carolina.  Mayberry enterprises included Floyd’s Barbershop, Emmett’s Fix-It Shop, and Foley’s Grocery.

mayberry

Floyd didn’t need a risk management program, much less an IT risk management program to run his business.  It was pretty easy to remember — watch the till and lock the door.   He could also easily describe and assign those tasks to someone else if he wasn’t available.    Further, it was fairly easy to watch the till:  Money was physical — paper or metal — and it was transferred to or from the cash drawer. He knew everyone that came into his shop.  Same for Emmett and his Fix-It Shop.  Plus they had the added bonus of a pleasant bell ring whenever the cash drawer opened.  This leads us to the MISRMP (Mayberry Information Security & Risk Management Plan).

cash_register1

Mayberry Information Security and Risk Management Plan:

  • Watch the till 
  • Lock the door at night
  • Make sure the cash register bell is working

Today’s model

Fast forward to a small business today, however, and we have a different story.  Today, in our online stores selling products, services, or information, there is no physical till and probably little to no physical money.  There are online banks, credit cards, and PayPal accounts and we really don’t know where our money is.  We just hope we can get it when we need it.

There are not actual hands in the till nor warm bodies standing near the till when the cash drawer is opened. There is no soft bell ring to let us know the cash drawer just opened.  We don’t know the people in the store and they don’t go away when the front door is locked.  Our customers shop 24/7.

Further, instead of a till with a cash drawer, our businesses rely on very complex and interconnected equipment and systems — workstations, servers, routers, and cloud services — and we don’t have the time to stop and understand how all of this works because we’re busy running a business.  Floyd’s only piece of financial equipment was the cash register (and Emmett could fix that if it broke).

This new way of doing business has happened pretty fast. It is not possible to manage and control all the pieces that make up our financial transactions.  We also have a lot more financial transactions.  While the Internet has brought many more customers to our door, it has also brought many more criminals to our door.  Making the situation even more challenging, we largely don’t have the tools in place to manage our information risks.

Floyd the Barber

Floyd the Barber

What Floyd knew (and we don’t): 

  • who his customers were (knew them by face and name)
  • what their intentions were (wanted to purchased a haircut or shave or steal from the till)
  • where his money was (in the till, in the bank, or in his pocket while being transferred from the shop to the bank)
  • when business transactions occurred ( 9:00 – 5:00 but closed for lunch and closed on Sundays)
  • what was happening in his store after hours (nothing)

That is to say, Floyd had much less business uncertainty than we must contend with today.  He could handle most of his uncertainty by watching the till and locking the door at night. Our small and medium sized businesses today, though, are much more complex, have much higher levels of uncertainty, and need be risk managed to allow us to operate and grow.

As Floyd managed his security and risk to operate a successful business, so must we — ours is just more complicated.

What are the 3 biggest IT & Information Management risks that you see affecting your business?

 

Companies in the long tail & information risk

I contend that at least half of the companies in the US and other industrialized countries are critically overexposed to IT & Information Management risk and that this population of highly vulnerable companies is primarily compromised of medium and small sized companies, aka SME’s (Small and Medium sized Enterprises).

The problem is that the techniques and approaches in the fairly fledgling field of IT risk management usually are developed from or apply to very large companies that differ significantly in scale from SME’s.

Often the IT risk management techniques envisioned for large companies don’t scale down to SME’s. For SME’s, quantities of analytical data, staffing, operational bandwidth are all in short supply.  Also, because of their smaller size, impacts such as total dollar loss from adverse information events such as hacking, malware, fraud, etc are usually lower than that of large companies and compromises, breaches, disclosures can be less newsworthy per event.  However, there are a large number of small and medium size companies.

It turns out that company sizes in industrial countries follow the Zipf distribution where a few very large companies coexist with a lot of much smaller companies.  This is a similar distribution to what Chris Anderson popularized in his Wired magazine article The Long Tail in 2004.  For example, Anderson talks about the record industry historically focusing on the revenue generated from hits (few in number but large in revenue) and missing the fact that there were many non-hit songs generating substantial revenue when viewed in aggregate.  Similarly, there are a few really big companies and a lot of smaller companies.   This high number of smaller companies (like the number of non-hit songs) is the part known as the long tail.  And this is the part suffering the overexposure to information risk because of a lack of tools, methods, and shared approaches between companies.

longtailgraphic3

The challenge is that many of the information risk management techniques and processes used by the relatively few very big companies don’t work well for smaller companies.  This is due largely, but not entirely, to resource constraints of smaller companies.   Staff in smaller companies frequently wear multiple hats and are eyeball-deep in sales, innovation, marketing, infrastructure development, and management of risk is often down the priority list.

As a whole, we end up with part of the population, the few large companies, with reasonable IT risk management capabilities and the other part, the medium and small companies, with poor IT risk management capabilities.

For the sake of argument, say that half the working population is in the few very large companies and the other half is in many small and medium size companies.  Oversimplifying a bit, this means that half of the working population are in companies able to manage risk and the other half are in companies that can’t.

What can be done to enhance the capability of that half that currently can’t manage information risk effectively (or at all)?  What can we do to provide small and medium sized companies risk management tools that are pragmatic and implementable? We need techniques and mechanisms and to share learned experiences in performing risk management in small and medium sized companies.

Do you work in a small to medium sized company? How do you address IT risk management? What other reasons do you see for lack of IT risk management in medium and small sized companies?