Make SMB Cybersecurity a Priority in 2017


Small vs Big eCommerce sites, is there a cybersecurity difference?


In October, nearly 6,000 eCommerce sites were compromised by credit-card theft after attackers injected malicious JavaScript code into their websites to steal payment card data. Hackers have installed skimming scripts on more than 6,000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. The malware infected stores running vulnerable versions of the Magento eCommerce platform.

Compared to the 500 million user details breached at Yahoo, this may seem a small number, but the hack has highlighted the significant risk that cybercrime poses to small businesses.

The latest Government Security Breaches Survey has underlined the fact that small businesses are at increased risk from cyber-attacks, with nearly 75% of small businesses reporting a security breach in 2016. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year, and of those, some 60 percent go out of business within six months of an attack. What is the reality behind these numbers?

Small business, fewer security risks?


While most small businesses understand the need for a comprehensive cybersecurity solution, many still believe hackers are only interested in going after big companies, and therefore may not take all the precautions that they should.

A breach or attack can result in a significant loss of income, particularly if the SMB involved lacks cyber liability insurance. If news of the breach goes viral, the damage to the business’s brand may be catastrophic.

And just because a company is small, that doesn’t mean it cannot lead to a huge payoff for attackers. Often, a breach against a small fish can yield useful data for attackers seeking to target bigger fish. A series of easy attacks against vulnerable small businesses can ultimately enable hackers to orchestrate a much bigger attack elsewhere.

As SMBs don’t consider their business to be vulnerable, cybersecurity processes are reduced to simple anti-virus software or a traditional firewall, ignoring some of the key threats that web-facing organizations are exposed to.

Many of the retailers affected were small and simply did not have access to the resources needed to determine whether their website was secure. Web application attacks account for over 40% of incidents which result in a data breach, according to the Verizon Data Breach Investigation Reports 2016, and are the single biggest source of data loss.

Hackers are leveraging the fact that small firms typically do not stay on top of patching their eCommerce platform. Often, patches that address the vulnerability are already available for both commercial (Shopify, Magento) and free community (WordPress) versions of popular eCommerce platforms. So while the publishers of the software appear responsive in providing security patches, these are simply not being applied or are just ineffective.

What can businesses do to improve cybersecurity?


Hackers are constantly looking for vulnerable code in software to exploit for malicious gain. Meanwhile, software companies are constantly providing updates and patches to remediate such code as soon as it is identified, stopping cybercriminals in their tracks.

Organisations should regularly analyze their eCommerce platform to ensure that their code does not contain common vulnerabilities such as SQL injection (SQLi) or Cross-Site Scripting (XSS). These vulnerabilities, which have been listed in the OWASP Top 10 list of prolific flaws for the best part of the past decade, can have severe consequences for eCommerce sites, as we predicted in our last article: 8 predictions for eCommerce cybersecurity in 2017.

To protect your eCommerce site and detect if you are vulnerable to such attacks, I strongly advise you to begin with a free scan of your site. The reports you get will detail the criticality of each vulnerability, so it should be easy for you to make a decision.

Régis Rocroy

Engaged in IT security since the beginning of the Internet revolution, I act as a security consultant and security architect for accounts in banking and eCommerce.