Smaller Business, Bigger Risk

December 1, 2013

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog.

More and more hacking incidents and identity thefts are reported in the mainstream media, and most of us are thus uncomfortably aware that such attacks are increasing. What may not be as obvious, however, is that more and more cyber criminals are targeting smaller enterprises — because they tend to have fewer defenses and because they may provide a gateway to larger, more profitable targets.

In its 2013 Internet Security Threat Report, Symantec Corp., a provider of security software, found that the largest growth area for targeted data attacks in 2012 was businesses with fewer than 250 employees (31 percent of all attacks targeted them).

“This is especially bad news because based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them,” the report noted.

Indeed, the same may be said for smaller insurers and a plethora of insurance brokers. As the report pointed out, however, “While small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property and keep money in the bank.”

Confidential customer and industry data ripped from smaller enterprises are just as valuable to identity thieves as information stolen from larger systems.

And while some may argue that larger enterprises present more profitable targets, it could also be said that smaller operations — with smaller operating budgets — will tend to have less sophisticated defenses, and thus be easier to attack, the report added.

“Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small businesses,” stated Symantec.

“Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small company that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.”

This last point cannot be sufficiently emphasized. A large insurer’s system defenses may be adequate to deal with direct attacks from unknown sources, but what about things that seem to walk in the door from an agency or broker that does business with the insurer on a regular basis?

It is certainly conceivable that a cyber criminal would be able to steal the email addresses of, and other information about, legitimate employees of an agency or brokerage — then use those addresses as a safe entry into the insurer’s systems. Once past the insurer’s “palace guard,” the intruder could then plant malware to take control of the network, or simply begin stealing information.

But would a cyber crook really go to all that trouble? If the end reward is sufficient, the answer is most certainly in the affirmative. From a larger insurer’s or broker’s point of view, then, the key is to make certain that the defenses of our smaller business partners are up to snuff. That may mean making site visits to evaluate the security profile of those partners (and of vendors, for that matter), or it may mean investing in commercial systems defenses that are then given to our partners — truly a win-win, since it protects both insurer and business partner.

Should a larger insurer or broker be forced to help fund defenses for its smaller partners? Probably not, but the investment certainly seems worth it.

More from Risk & Insurance