Why Don’t Small-Network Operators Take Cybersecurity Seriously?

By Patricia Ruffio . 18 June 2024

Cybersecurity Specialist

Miklos Zoltan

Fact-Checked this

In this guide we will talk about cybersecurity for small-network operators.

Here, you will learn about:

  • What are the current threats small-network operators face
  • Why some small-network operators don’t take cybersecurity seriously
  • Why small networks are becoming a more frequent target for cyber-criminals
  • Practical tips for increasing the security of your network

I often expect to see cybersecurity news, with dramatic headlines vying for my attention across print, electronic, and social media. It’s easy to think that cybersecurity exploits are mainly a problem for mid-sized and large companies.

But that’s no longer the case.

While larger companies have traditionally been prime targets for cyber attackers, the damage from these attacks is now hitting closer to home, affecting home networks and microbusiness users.

I might still hold outdated beliefs about cybersecurity and how to maintain it. In fact, the federal government has started collecting data on cyberattacks targeting small businesses. The days when small-network operators (SNOs) could ignore cybersecurity threats are over. It’s time for me to wake up and pay attention to the FBI data.

Small Network Security

Security Awareness and Concerns

What is cybercrime risk? It’s the probability that hackers or cyber attackers will use advanced software techniques to get into your data or disrupt your business or personal devices.

Security awareness and concern among microbusinesses

Given the uncertainty and concern that cybercrime produces, you’d expect a good amount of security-related awareness and concern among all businesses. But you’d be wrong. When it comes to microbusinesses, there’s little awareness and concern in the U.S.

Several of our guides have focused on the IT operations of families, solo practitioners, microbusinesses, and smaller professional practices. These groups include 10 or fewer people and operate small networks connected to the internet. In our lexicon, that makes them SNOs.

Statistics show that SNO security concerns differ from those of larger companies. There’s a lot of cybercrime activity, but there’s far less concern in smaller companies.

For example:

  • Only 45% of small business owners with fewer than ten employees have increased cybersecurity-related investments in time, money, or human capital. Meanwhile, 80% of companies with more than ten employees have invested more resources in cybersecurity since stay-at-home orders began.
  • Just 22% of companies with fewer than 10 employees have provided more cyber training; only 37% have updated cybersecurity policies.

Source: FCC

This odd indifference to security awareness and concern reflects unusual circumstances and belief in security-related myths.

Odd circumstances and myths make SNOs ignore cybersecurity risk

During the height of the pandemic, Google blocked as many as 18 million pieces of COVID-themed malware and phishing emails every day. It takes just one virus or bit of bad email to get through the filters and convince a remote worker to click a link. And voila! An organization of any size must deal with the prospect of a crippling ransomware outage.

Also, most micro-businesses and individuals don’t realize they are cybercrime targets. It’s easy for small-network operators to assume that they are safe from attack because their business uses antivirus software and other security controls.

This mistaken idea is part of strange mythology, which includes ideas such as:

  • Our network is too small to be at risk of a cyberattack. No network is too small to be noticed by cybercrooks. Originally, the idea behind this myth was, “The value of information on my network is too small to interest cyberattackers.”

    If that were ever true, it isn’t now. Changes in technology and cyberattack methods have changed this. Everyone with a credit card or healthcare program can contribute to cybercrime returns. Cyber attackers can make money from hacking individuals whose user credentials are a primary target. When individuals are compromised, attackers can access corporate systems, hijack computers and web servers for botnets, and commit fraud using stolen online identities.
    Our research into dark web market prices revealed that the most often sold items are those of individuals or small businesses.

  • Newly purchased IoT devices are “secure enough” right out of the box. On the contrary, default passwords of internet-connected devices are so weak and easy to identify that they support a global industry of exploits and data breaches. Every blog post under the sun that advises network security begins with, “Use strong passwords to reconfigure your router and other internet-connected (IoT) devices…”
  • I can hide my network’s identity from attackers. Many network users believe that by not broadcasting a wi-fi network name or service set identifier (SSID), attackers will not notice their network. Nice try, but this doesn’t work. The SSID is sent in every packet of signals transmitted on wi-fi networks.
  • MAC filtering prevents unauthorized access to wireless networks. Not true. The biggest myth about wireless MAC filtering is that it protects your network from hackers. If you use MAC filtering, hackers can easily break the filter to access your wireless network. To secure your network against hackers, it’s not your best choice. (Other options, such as WPA-2, are available.)

Cyberattackers view SNOs as attractive targets

There are many reasons why cybercrooks view SNOs as easy pickings. They include:

  • A bad case of denial. One of the leading causes of cyberattacks is the denial of danger from individuals or SNO business leaders. They often claim that their firms are too small or insignificant to warrant attacks. This hands-off attitude puts these businesses at serious risk.
  • Personal data is worth more than ever. Cybercrime involves more than personal data theft. Stolen personal data can be used for identity theft and fraud. Cybercriminals can use this information to open bank accounts, credit cards, and more. Because personal data is so valuable (and small businesses have a lot of it), SNOs have become a target.
  • SNO employees get little or no security training. Employees are often the biggest threat to company security, and cyber crooks know it. Inadequate employee training in security best practices is a glaring problem for businesses of all sizes.
  • A feeling of resource scarcity. Many small businesses feel they can’t afford to protect their data and networks. However, a single hack can cost a small company up to $250,000. The effect of a cyberattack on business can be great, so it makes sense to invest a fraction of that amount in security measures.
  • SNO dependence on legacy software. The reliance of smaller businesses on legacy software and gaps in updates makes them an easy target. For example, almost all computers affected by the WannaCry ransomware attack ran legacy software. Approximately 98% of the computers used the Microsoft Windows 7 operating system! Legacy software often provides fewer security measures, enables unsecured devices to access networks, and supports out-of-date employee training.
  • IT resources are limited. SNOs are more likely than larger companies to conduct their IT ops on shoestring budgets and make difficult decisions on allocating limited resources. Many smaller businesses rely on one person to run the entire IT department. (Indeed, in SNOs, one person probably is the entire IT department!) So, expect less attention and planning to occur in SNOs before situations become problems.
  • A better chance of cybercrime success. Given the feeling of resource scarcity and a lack of faith in security training and investment, it’s safe to say that the bad guys have the upper hand.

Technology also plays a role in tipping the balance of modern cybercrime in favor of the bad guys.

Fast-changing technology changes cybercrime reality

Two quiet but significant changes in IT changed the security landscape for SNOs. These include the following:

  • Ability of IT to gather small financial returns from many transactions.
  • Use of inbound and outbound cyberattacks to monetize IoT device control.

Big data speed and volume. Several years ago, when companies commercialized big data analytics products and services, the ability of internet-connected devices to process huge volumes of data was a big part of the sales pitch.

Now, cybercriminals use high-speed, high-volume processes in a new way: to quickly gather valuable assets such as credit card numbers and healthcare data from many locations. Given the increasing value of the data—not to mention the higher information processing volume and speed—it all adds up. Before you know it, you’re talking serious money.

Monetizing via device control. But where does the money come from? Cyberattackers engage in inbound attacks when they breach a home or micro business network to target connected devices such as desktop computers, baby monitors, security cameras, and game consoles via the internet.

In outbound attack scenarios, bad actors use an inbound attack to control any number of home-based, internet-connected devices. Then, the cyber crooks use these devices to remotely put the captured IoT devices to work—for themselves. The exploit can be a DDoS, malware, or Trojan attack. The goal: overpower an asset that can generate cash or perform a task such as overpowering a utility grid.

In each case, the devices (bots) capture and automate the ability to obtain sensitive information, intercept communications, or launch attacks against other external targets, hundreds and thousands of devices at a time. And did I mention that AI often guides the process to ensure smooth command and control? Does it sound like science fiction? I thought so too, until Princeton IT security researchers simulated an army of botnet devices attacking a power grid.
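One way a small-network operator could check whether their own devices are taking part in the outbound attacks described above, as an added example that is not part of the original article. The log format, the home subnet, the thresholds, and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
WINDOW = timedelta(seconds=60)                # assumed observation window
FANOUT_LIMIT = 20    # assumed: distinct outside hosts on one port per window
FLOOD_LIMIT = 100    # assumed: connections to one outside host per window

def build_sample_log():
    """Constructed lines in an assumed 'timestamp src dst dport proto' format."""
    t0, lines = datetime(2024, 6, 18, 10, 0, 0), []
    def add(offset, src, dst, port, proto):
        lines.append(f"{(t0 + offset).isoformat()} {src} {dst} {port} {proto}")
    for i in range(5):      # laptop: ordinary HTTPS browsing
        add(timedelta(seconds=10 * i), "192.168.1.20", f"198.51.100.{i + 1}", 443, "tcp")
    for i in range(30):     # camera: telnet to 30 different outside hosts
        add(timedelta(seconds=i), "192.168.1.50", f"203.0.113.{i + 1}", 23, "tcp")
    for i in range(150):    # DVR: 150 flows to a single outside host in 15 seconds
        add(timedelta(milliseconds=100 * i), "192.168.1.60", "192.0.2.10", 80, "udp")
    return lines

def parse(line):
    ts, src, dst, dport, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), proto)

def peak_distinct(events):
    """Most distinct items seen inside any WINDOW-long span of (ts, item) events."""
    events = sorted(events, key=lambda e: e[0])
    counts, start, best = defaultdict(int), 0, 0
    for ts, item in events:
        counts[item] += 1
        while ts - events[start][0] >= WINDOW:   # drop events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def find_outbound_abuse(lines):
    """Return sorted (device, pattern, detail) alerts for LAN devices."""
    fanout, flood = defaultdict(list), defaultdict(list)
    for n, line in enumerate(lines):
        ts, src, dst, dport, _ = parse(line)
        if src in LAN and dst not in LAN:             # outbound traffic only
            fanout[(src, dport)].append((ts, dst))    # distinct hosts per port
            flood[(src, dst)].append((ts, n))         # n makes every flow distinct
    alerts = []
    for (src, dport), events in fanout.items():
        peak = peak_distinct(events)
        if peak >= FANOUT_LIMIT:
            alerts.append((str(src), "fan-out", f"{peak} hosts on port {dport}"))
    for (src, dst), events in flood.items():
        peak = peak_distinct(events)
        if peak >= FLOOD_LIMIT:
            alerts.append((str(src), "flood", f"{peak} connections to {dst}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_outbound_abuse(build_sample_log()):
        print(*alert, sep=" | ")
```

A device that trips either check is a candidate for a factory reset, a firmware update, and a new password before it goes back on the network.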

Why do these trends matter to small network operators?

Cybersecurity attacks have always mattered to their victims, whoever they might be. They are real events that cause real pain and business damage. But now, statistics show that cyberattacks are getting personal—they involve small businesses and individuals. These losses include personal identity theft, lost proprietary information, business recovery costs, and business reputations.

What happened? Why do cyber attackers bother with the little guy? Until recently, the financial gain wasn’t worth the effort of dealing with small “accounts.” The ability to operate high-speed, high-volume data searches for personal and business information has become a new type of data analytics operation.

When analysts reviewed home network activity in 2017, there was a 3:1 ratio of outbound attacks to inbound attacks. Three times more home devices were being used to attack the internet.

Helps to finance cybercrime infrastructure. This is the main reason why SNO-level cybercrime matters. It’s possible to combine the returns of many small exploits to finance larger cybercrime operations such as ransomware and crypto mining (the shady if not illegal practice of using other people’s electronic assets to generate cryptocurrency).

Reducing Small-Network Cybercrime Risk

Is it possible to reduce the risk of cybercrime in a truly small business? After all, SNOs have ten or fewer employees. It’s where money doesn’t hang on trees, and resource allocation decisions are often hard to make. Usually, the “IT Manager” also wears one (or more) hats. In other words, there’s only so much time, effort, and money to address a problem that might turn out to be high-quality guesswork.

What it takes to reduce cybersecurity risk

There is an answer to the question, “What does it take to protect my business from cyberattacks?” If you regard security as absolute (reducing risk to zero), you’re out of luck. Risk will never go away. But what if you want to minimize the risk to a point where cybercrooks give up on your network ops and look elsewhere for easier pickings? Yes, you can do that. In general, your message would have to say:

“Go away. Despite my network’s small size, I run serious security operations here. Find someone who isn’t as determined, consistent, and security-savvy as I am.”

It’s difficult to say exactly what would work because best practice recommendations for SNOs, hardware tools, and software are changing. But generally, a persuasive approach would include:

  • The right tools. Familiarize yourself with the latest cybersecurity trends to discover what the bad guys are up to. Then look for tools that counter their moves. If your budget is thin, look for low- or no-cost security tools available on the internet.
  • The right attitude. This is where the words “determined” and “consistent” come into play. Setting up to-do tasks in a relevant, consistent way (scheduled monitoring, for example) goes a long way to communicate how effective your SNO can be.

Setting up and maintaining even a modest security effort will take more time, effort, and cash than you would like. There is an alternative, however—a third-party security service. (We will take a detailed look at this possibility next time.)

Reducing cybercrime risk at home and the microbusiness office

When you read the following list of cyberthreats, don’t be discouraged. Yes, the list is long, but so is the list of ways to reduce that risk. When I write about cybersecurity, the same recommendations repeatedly show up. (I bet you’ve noticed that.) So, here’s a list of preventive measures which will cut the risk of most SNO cyberattacks:

  • Stay educated about phishing techniques. New phishing scams are being developed all the time.
  • Slow down! Think before you click. It’s fine to click links when you’re on familiar, trusted sites. However, clicking links that appear in unfamiliar emails and instant messages isn’t such a smart move.
  • Install an anti-phishing toolbar. Most popular Internet browsers can be customized by adding anti-phishing toolbars, some of which are free.
  • Verify a site’s security. Before submitting any information, make sure the site’s URL begins with https and includes a closed-lock icon near the address bar.
  • Keep your browser up to date. Popular browsers and applications release security patches (updates) all the time. Use them to fill gaps in security coverage.
  • Use firewalls. Consider using two different kinds of firewall for layered security coverage: desktop firewalls (software) and a network firewall (hardware). They drastically reduce the odds of hackers and phishers getting into your devices or network when used together.
  • Be wary of pop-ups. The best policy is to leave pop-ups alone. Just say no.
  • Never share personal information. As a general rule, never share personal or financially sensitive information over the Internet.

Notice that most of these guidelines involve behavior—yours. The others (firewalls and anti-phishing toolbars) are available at no cost online. But let’s review the major network cyber threats and what it takes to reduce the risk of each of them specifically:

  • Phishing. This social engineering method gathers sensitive data such as passwords, usernames, and credit card numbers by mimicking legitimate people and organizations. It tricks email recipients into opening a malicious link, which leads to the installation of malware on your computer.

    Reduce phishing risk by following the general guidelines above, especially phishing toolbars.

  • Computer viruses. Computer viruses are software designed to spread from one computer to another. They’re often sent as email attachments or downloaded from specific websites.

    Reduce virus risk by following our general recommendations listed above.

  • Rogue security software. This type of malware (malicious software) misleads users like you to believe there is a computer virus installed on your computer or that your security measures aren’t working properly.

    Reduce the risk of fake antivirus software by following the general guidelines listed above. In addition:

    • Only buy genuine, favorably reviewed security software from vendors with established reputations.
    • Never download pirated software. Using free products might sound like a good deal. Just remember that folks who upload this stuff are not always trustworthy. They might want to compromise your system or sell your information to other cybercrooks.
  • Trojan horse. A Trojan is malware that tricks users like you into running it willingly by hiding within a legitimate program. Once inside your computer, a Trojan can record your passwords by stealing sensitive data that you might have anywhere on your computer.

    Ensure that you’re leaving no gaps in your security protection by:

    • Cleaning out your computer’s Temporary folder.
    • Locating malicious entries in the registry and manually deleting them while your device is in Safe Mode. (If you use high-quality antivirus software, this task is run automatically.)
  • DDoS attacks. When a website’s server gets overloaded with traffic and crashes, the problem might be a breaking news story—or a website experiencing a distributed denial of service (DDoS) attack.

    The burly, big brother of denial of service (DoS) exploits, DDoS attacks use up to thousands of internet-connected devices (bots) to carry out complex attacks on everything from e-commerce sites to utility grids. They create damage directly by stopping service to online users or by providing cover for other types of damaging attacks.

    Reduce the risk of DDoS attacks by following our general guidelines. Then, consider increasing your network bandwidth and signing up for cloud-based network support services.

  • Man-in-the-middle attacks. These exploits eavesdrop on communications between two targets in a communication that should be private. Using deception to hijack private information is the name of the game. The list of man-in-the-middle attacks is long: wi-fi hacking, IP spoofing, DNS spoofing, and HTTPS spoofing are just a few examples.

    Reduce the risk of man-in-the-middle attacks by following our general guidelines, especially the recommendation of acquiring a good VPN.

  • Rootkits. These collections of software tools enable remote control of and administrator-level access to a computer or computer network. Rootkits hide in legitimate software.

    Often, when you allow the software to change your OS, a rootkit installs itself on your computer and waits for a malicious actor to activate it. Then cyberattackers can log keystrokes, steal passwords, and disable antivirus software, usually with users unaware that malware is present.

    Reduce rootkit risk by avoiding their underlying causes—phishing emails, malicious links, suspicious files, and downloading software from suspicious websites.

Summary and Conclusions

Why do small-network operators (SNOs) often overlook the potential disruption and damage to their operations from cybercrime? Likely, they have not been directly exposed to instances showcasing the disruption and financial toll of cybercrime on microbusinesses.

Most of what we read and hear tells the story of someone else’s problem. Well, that’s changed. Now, it’s time to remember that:

  • It’s time to engage in risk-conscious computing. There will always be some level of cybersecurity risk for companies of all sizes. That was true in the days of enterprises, SMBs, and now SNOs. Everyone’s internet-connected devices have become lucrative targets to cybercrooks. The wolf is at the door. It’s time to take the threat seriously.
  • SNOs have been slow to respond to cybersecurity risk. Consumers and microbusinesses have been slow to become concerned about and aware of cybercrime. As a result, they’re not keeping up with cybercrime trends and mitigation methods.
  • Although there are many cyber threats, there are many mitigation methods, too. Cybercrooks haven’t stopped their search for easy-to-exploit web sites. But, no one has stopped commercializing cybersecurity hardware, software, and services, either. Low-cost and no-cost tools are available, and cloud-based security services are always a fallback alternative for those who lack time, experience, or IT savvy.

If you hear someone claim, “But I don’t have the time, money, or staff to secure my SNO,” remember you don’t have to be a cybersecurity victim. Energy and resourcefulness can fuel a successful SNO security program.