It’s encouraging to see that a growing number of SMBs (small and medium businesses) are getting wise to the fact that they are as much at risk in cyberspace as larger organisations like Sony. More and more of our clients are asking us to carry out penetration testing projects on their networks and websites. I hope they are in the vanguard and that penetration testing becomes as standard a cyber defence tool as strong passwords.
There are a number of reasons why SMBs are increasingly hunted as cyber prey:
- Their cyber defences are usually inadequate – poorly written web applications, loopholes in their network defences, out-of-date patching, default security configurations, and so on;
- SMBs also have valuable information – credit card data, personal information, intellectual property, and so on – and stealing an aggregate 10,000 records from 100 SMBs is likely to be easier than a single theft of 10,000 records from a larger, better defended organisation;
- Infecting hundreds of SMB websites with malware is an inexpensive way of creating pharming sites, or Trojan downloader sites, which have the added advantage of legitimate URLs;
- Controlling hundreds of SMB network servers in an SMB ‘botnet’ can be more effective for a hacker than controlling thousands of domestic PCs.
The cost of recovery from a successful cyber attack can be significant; the damage done to clients and credibility can be even more significant. Most smaller organisations shy away from penetration testing because it seems arcane, technical and expensive. It doesn’t have to be.