Evolving Security Threats: Is Your SMB Ready?

A mix of common sense, employee education, and security tools can help SMBs identify and prevent social engineering scams and other emerging threats.

10 Companies Driving Mobile Security (click image for larger view and for slideshow)
The bad guys keep evolving. Are your security practices keeping pace?
While indiscriminate malware and other types of untargeted security risks are nothing new for small and midsize businesses (SMBs), the notion that they wear a bullseye on their backs for social engineering scams and targeted malware attacks might come as more of a surprise. The
security headlines
, after all, tend to be dominated by big business and government hacks--creating the false impression that smaller organizations are too, well, small to worry about that kind of breach.
True, maybe your SMB isnt on the
Anonymous hit list
. But that doesnt mean it cant be a target on a different stage. For example, data from Symantecs Skeptic system found roughly 85 instances of targeted malware--as in, malware written specifically to attack a particular network or company--delivered daily via email. Not exactly a huge number, but of those firms that were targeted at least once, more than half were SMBs with fewer than 500 employees
SMBs should not think that targeted attacks will not impact them, said Anne ONeill, senior director of Symantec SMB and Symantec.Cloud, in an interview.
[Learn
How SMBs Can Minimize Denial-of-Service Risks
.]
At the same time, elements of social engineering have made untargeted threats more sophisticated. Symantecs September intelligence report, for example, noted a recent surge in email-borne malware with a social engineering component. Thats intended to make the email appear to be from a trusted source such as a
smart printer/scanner
, a parcel delivery service, or a known contact whose account has been spoofed or taken over.
With a click and a few keystrokes, an unwitting employee can turn over network credentials, bank account access, and other vital info--as in
this case
, when an executive forwarded an email that appeared to be from the companys bank to the corporate controller, who in turn followed a link and entered the SMBs account info. Hackers used those credentials to lift nearly $2 million from the companys coffers.
It is really important for SMBs to protect themselves by educating their employees on the types of attacks they should be looking for, ONeill said.
In addition to taking
basic security steps
, the right combination of common sense, employee education, and tools can help mitigate risks. Enterprising crooks can and do use something as simple as an out-of-office message or information gleaned from the company website to their advantage.
Symantecs recent research shows, for example, a rise in socially engineered emails that masquerade as a
smart printer scan
forwarded by a colleague in the same office. In that scenario, an executable malware file is delivered as .zip attachment--but the senders domain is spoofed to match the recipients and may even appear to be from a fellow employee. Symantecs report points out that many smart printers with scan-to-email functions dont support .zip files--those should be a red flag. The report also noted pornography, tax debt, IRS correspondence, and company contracts as common subject headers for malware-delivery emails with social engineering components.
ONeill recommended SMBs educate--or, at firms with strong security fundamentals, refresh--employees on best practices and the current threat landscape. There shouldnt any real impediments to good training--it doesnt have to cost much more than time.
Education is something that is really just about dedicating yourself to doing it, ONeill said. Its a low-cost thing that can protect your business from a lot of damage.
-- When in doubt, throw it out.
If an email or link looks odd, somethings likely amiss--even if it appears to be from a trusted source. Dont click on suspicious links or download attachments--its not worth the risk. You can always contact the apparent source--such as a fellow employee or vendor, to confirm the messages authenticity.
-- Phishing hasnt gone away.
In general, remind employees that phishing scams--though decidedly boring in the current threat landscape--have not gone away. Any emails that include links, attachments, or request specific information should treated cautiously. If its from an unknown source--delete it.
-- Dont get careless with sensitive data.
The rise of social media, among other things, means there are more ways than ever for employees to unwittingly share data with the outside world. And dont forget that your physical office can be vulnerable, too:
This expert advises
treating your office like any other threat vector and sweeping it for vulnerabilities: Post-it notes on a desktop monitor with usernames and passwords, open LAN cables or other network connections, and so forth.
Of course, the need to underpin smart employee practices with good security tools--including, but not limited to antimalware protection, persists. ONeill said it doesnt so much matter whether you prefer a software, hardware, or cloud approach--just that the tools update continuously to stay current with evolving threats.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps