Cyber-Criminals and Small Business

On July 21 the Wall Street Journal published a front-page article on the increasing number of hacking attacks on smaller businesses.

The owner of a 2-location newsstand business in Chicago, with annual revenue of about $1 million, began using an internet-based payment software system to process credit card transactions in 2009. In 2010, he received notice from his sales agent that MasterCard had identified “some sort of breach.” After a half dozen more warnings, MasterCard insisted he hire a forensic investigator to review his system. A rogue program was discovered that captured everything entering the payment system before it even reached his normal payment software. It cost the company over $22,000 in investigative costs and security upgrades.

In another case, a car dealership owner in Kansas found out from his bank early one morning that “someone logged into his company’s bank account…added nine new employees to the company’s payroll and transferred $63,000 to them.” The owner promptly froze the accounts, but “three payments had already been withdrawn by the recipients and the cash wired offshore.” This owner also lost about $22,000. According to the WSJ article, the FBI has issued alerts about hackers stealing online banking login details.

A third situation cited was an owner-operated restaurant whose computerized cash register was hacked. Thieves stole customer credit card numbers and used them for fraudulent charges. A credit card company shut down their account and put a hold on incoming payments. The restaurateur, unable to accept credit cards and facing $12,000 of fees and investigation costs, had to close. “It cost me my dream,” he said.

According to the article, “Bigger companies…generally do a better job of protecting themselves…Smaller companies are less likely to grasp the security threat.” Security attacks can be difficult to investigate and prosecute as they often originate outside local police authority and even outside the US.

Retailers accepting credit cards are now under obligation from the credit card companies to certify their merchant processing systems are secure, but smaller companies may still have system vulnerabilities.

According to data provided by Verizon Communications’ forensic analysis unit and the US Secret Service, and quoted in the WSJ piece, the percentage of cyber-attacks against businesses with fewer than 100 employees rose from 27% of total incidents in 2009 to 63% in 2010. “Visa Inc. estimates 95% of the credit card data breaches it discovers are on its smallest business customers.” According to article authors Geoffrey A. Fowler and Ben Worthen, “Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies…have now become hackers’ main target.”