
Rowena Pagarigan - IS499 !

Small and Midsize Businesses: Risk Assessment and Cyber Threat Fortification

by

Rowena Pagarigan

for IS499: Capstone

Spring 2019

CUNY: School of Professional Studies




Contents

Contents 2
Abstract 3
1. Introduction 4
2. SMB Definition 5
3. Small Business Profiles 6
3.1 Non-employer Profile 6
3.2 Employer Profile: Less Than 20 Employees 7
4. Risk Assessment 7
4.1 Formjacking 8
4.2 LotL and Fileless Attacks 9
4.3 Ransomware 11
5. Challenges 13
5.1 Insufficient Personnel and Budget 13
5.2 Decentralized Information 14
5.3 Shadow IT and Insider Threat 15
6. Plan of action 17
6.1 Framework and Guidelines 17
6.2 Talent and Training 18
6.3 Budget 20
6.4 BYOD and IoT 21
6.5 Continuous Education 21
7. Conclusion 22
References 24

Abstract

Small to medium businesses (SMBs) are increasingly faced with enterprise-size cyber threats. Cyber attacks are no longer limited to sophisticated hackers, given the rise of cybercrime-as-a-service platforms on the dark web. Amateur cybercriminals with no coding experience can simply purchase services in prepackaged kits and deploy them at chosen targets with less than optimal security infrastructures and policies in place. This research defines two types of small business profiles (employer and non-employer) in order to maintain the scope and clarity of the overall impact that an incident and breach can have on these establishments. In order to support the hypotheses that SMBs, in general, do not feel that they are a target for cybercriminals and that both SMB profiles share similar challenges with minimal situational variations, the research performed within this paper uses statements and data from a variety of sources: mainly, recent existing white papers and surveys on the subject of SMBs and cybersecurity. This study also provides general recommendations, or a plan of action, that profiled businesses can implement to improve their current state of cyber hygiene.




1. Introduction

Cyber threats are often associated with attacks on larger companies, easily recognizable not only in brand but also in reputation. This can be attributed to the amount of media attention these data breaches receive with respect to the sheer number of individual accounts affected as a result. A large-scale data breach could result in multiple layers of damage to the target organization — from having to recover from a tarnished reputation, losing the trust and confidence of all stakeholders, and the financial burden of containing the incident as well as reestablishing a more secure infrastructure afterwards while maintaining operational functionality. Depending on the sector and industry affected, another consequence could be penalties and fines.

As an indirect result, small and medium-sized businesses might not feel that they are likely to be the targets of a cyber attack, since the perceived pay-off for the attacker would not be as lucrative in comparison to a larger enterprise.

"Thirty-five percent of employees and 51 percent of leaders are convinced their business is not a target for cybercriminals" (Switchfast, 2018, p. 3), according to a report which surveyed 600 full-time small business employees and 100 C-Suite leaders.

In truth, small businesses are just as susceptible to cyber attacks, if not more so. The EMEA (Europe, Middle East, and Africa) Chief Strategist for Symantec, Sian John, stated that "nearly forty-three percent of cybercrime targets small business" (Thompson, 2019a), more specifically "small enterprises with less than 250 employees" (Thompson, 2019b).



One of the key findings from the Internet Security Threat Report by Symantec (2018) was that "the US was the most targeted country in the past three years, accounting for 27 percent of all targeted attack activity."

2. SMB Definition

The terms SMB (Small and Midsize Business) and SME (Small and Medium-sized Enterprise) are often used interchangeably. Definitions of small business vary depending on the source. For the purpose of this paper, the definition will be further narrowed down and redefined in an effort not only to remain within scope but also to provide greater value in terms of possible solutions to common challenges.

There are 28.8 million small businesses in the US as reported by the Office of Advocacy in the United States Small Business Profile conducted by SBA.gov. This translates to 99.7% of US companies. The United States Small Business Administration uses a comprehensive classification system based on North American Industry Classification System (NAICS) codes that groups industries and subindustries (SBA.gov, 2016). Each category has a predefined size standard based on the number of employees of a firm and / or its average annual receipts. This system was designed to give smaller firms an opportunity to compete with larger corporations. For example, these standards are used as a basis to qualify for loans as well as to determine eligibility for government contracts.

The Office of Advocacy defines a small business as "an independent business having less than 500 employees" (US Small Business Administration Office of Advocacy, 2016). That qualifying number does not make it seem like a small business at all. It is safe to assume that the term small business still elicits the image of an old-fashioned mom and pop type of operation — typically family operated and definitely composed of fewer than 500 employees. In New York State, a small business is defined as "one which is resident in this state, independently owned and operated, not dominant in its field and employs one hundred or less persons" (NYState.gov, n.d.). According to the last recorded small business survey results from 2016, almost 25 million small business establishments had non-employer status (US Census Bureau, 2018). For those with employer status, "firms with fewer than 20 workers made up 89.0 percent" (SBE Council, n.d.) based on data gathered from the latest Annual Survey of Entrepreneurs.

3. Small Business Profiles

This research will focus mainly on the cybersecurity vulnerabilities and challenges facing small businesses with fewer than 20 employees as well as those with non-employer status. My initial assumption and hypothesis is that each segment will have both common and varying (yet closely related) sets of obstacles based on key factors unique to each one: mainly, a lack of resources in terms of adequate staffing and ample financing to support critical security operations and maintenance, as well as recovery efforts following an actual cybersecurity incident. Another hypothesis is that small businesses assume that they are targeted less than larger corporations by cyber criminals. For the remainder of this paper, the segmented businesses will be referred to as the Employer Profile, the Non-Employer Profile, or Profiles (when referring to both).

3.1 Non-employer Profile

Simply put, non-employers are any small business with no paid employees. Based on data from the Non-employer Fact Sheet (SBA.gov, 2018a), the typical non-employer firm is owned by a woman (40%), with a third owned by minorities. 16% of owners are under 35 years of age, 15% are over 65 years of age, and 9% are veterans.



It has also been reported that one-third of non-employers surveyed did not need any startup capital, and of the remaining two-thirds that did, 79% used their "personal or family savings" (SBA.gov, 2018b). Lastly, "non-employer firms typically earn around $47,000 annually" (SBA.gov, 2018c).

3.2 Employer Profile: Less Than 20 Employees

Exact data pertaining to small businesses with fewer than 20 employees are more fragmented. For this reason, the data set used for this profile will be based on the Babson College report, The State of Small Business in America 2016. The survey answers were drawn from a respondent pool of 1,679 small businesses across the United States with the following qualifiers: participants must be "in business for two or more years, a minimum of four employees, and annual revenues of $150,000 to $4 million" (Babson College, 2016, p. 40).

The majority of small business employer firms utilize financial institutions as their primary source of capital. On average, the requested loan amount is $100,000, while the funding actually received is typically only $40,500. Another popular method of securing capital is via credit cards, despite their credit size limitations and the risks associated with high interest rates.

The typical business owner profile for this data set is as follows: Caucasian male, over 50 years of age.

4. Risk Assessment

According to the 2018 Data Breach Investigations Report, out of 53,000 incidents and 2,216 confirmed data breaches, 58% of the victims were small businesses (Verizon, 2018, p. 5). An article published by TechRepublic identified ransomware, cryptominers, and exploitation of Microsoft Office programs and Windows-based applications as the basis of SMB attacks in the last 12 months (Bayern, 2018). Cyber attack methods typically go through their own lifecycle and evolve quicker than most businesses can protect themselves. Certain attacks tend to reach a peak and are then replaced with a newer, more sophisticated way of reaching the same end-game. This is a logical progression: once a cyber threat becomes mainstream, companies (both large and small) are more willing and able to combat that specific type of attack. This means that cyber criminals either need to move on to their next strategy or target less sophisticated and more vulnerable victims.

4.1 Formjacking

Formjacking occurs when bad actors inject code into a website (typically an e-commerce site) which captures payment information from unsuspecting customers. From the customer's perspective, it looks just like a normal transaction. By the time the user realizes their personal data has been compromised, the damage has already been done.

"Smaller businesses are a target because they're less likely to have the more sophisticated protections that larger sites have" (Rash, 2019a). Common entry points for this type of attack are compromised third-party add-ons, surveys, and chatbot features that are placed on the website with the purpose of helping customers. Another way in would be through server vulnerabilities or unauthorized access using the web admin's credentials. It is important to note that formjacking is not restricted to credit card info theft. It is also used for stealing anything that requires forms to be filled out, such as user log-in credentials and other forms containing personally identifiable information (PII), such as health and financial forms.

Website owners can combat this by using SRI (Subresource Integrity) tags. This method is meant to check the integrity of the site's scripts and stylesheets when they are loaded in the customer's browser. If anything has been altered between the publisher (point A) and the browser (point B), it would be identified. A hash is the output of a cryptographic hash function and serves as a type of unique signature for a text or a data file; it appears as a string of alphanumeric characters. The SRI tag carries the hash generated from the original source, and the browser checks that it matches the hash it generates over the file it actually receives, which in this case is on the customer's side. If the user's browser detects any mismatch, "the browser must refuse to execute the script or apply the stylesheet, and must instead return a network error indicating that fetching of that script or stylesheet failed" (Mozilla, n.d.).
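As an added illustration of the SRI check described above (example code written for this discussion, not from the paper or any cited source): it computes the integrity token a site owner pins for a third-party script, then replays a clean copy and an altered copy of that script through a simplified version of the browser's check. The widget content and the host name are constructed placeholders.

```python
import base64
import hashlib

# Hash algorithms the SRI specification allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_token(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token a site owner publishes for a resource,
    e.g. 'sha384-<base64 digest>'. This is what goes in the integrity attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag for a third-party resource whose bytes are known
    at publish time. crossorigin="anonymous" is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_token(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def browser_accepts(fetched: bytes, integrity: str) -> bool:
    """Mimic the check a browser performs before executing a fetched resource.
    The attribute may list several tokens; only those using the strongest
    algorithm present are considered, and any one match is enough."""
    parsed = []
    for token in integrity.split():
        algorithm, sep, expected = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, expected))
    if not parsed:
        # No usable metadata: per the spec the browser loads the resource as if
        # there were no integrity attribute, so a typo silently disables SRI.
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    return any(
        algorithm == strongest and sri_token(fetched, algorithm) == f"{algorithm}-{expected}"
        for algorithm, expected in parsed
    )


# Constructed sample: the chat widget a shop embeds from a third-party host.
ORIGINAL_WIDGET = b"window.shopChat = { open: function () { /* show chat */ } };\n"
# The same file after someone with access to the host appended unexpected code.
TAMPERED_WIDGET = ORIGINAL_WIDGET + b"/* bytes not present when the hash was pinned */\n"
WIDGET_URL = "https://cdn.example.invalid/chat-widget.js"  # placeholder host


def publish_and_verify() -> dict:
    """Pin the original widget, then replay both the clean and the altered copy
    through the browser-side check."""
    tag = script_tag(WIDGET_URL, ORIGINAL_WIDGET)
    pinned = sri_token(ORIGINAL_WIDGET)
    return {
        "tag": tag,
        "clean_accepted": browser_accepts(ORIGINAL_WIDGET, pinned),
        "tampered_accepted": browser_accepts(TAMPERED_WIDGET, pinned),
        # A weaker token that happens to match the altered file is ignored when
        # a stronger algorithm is also listed.
        "mixed_accepted": browser_accepts(
            TAMPERED_WIDGET, f"{sri_token(TAMPERED_WIDGET, 'sha256')} {pinned}"),
    }


if __name__ == "__main__":
    for key, value in publish_and_verify().items():
        print(f"{key}: {value}")
```

SRI only covers resources whose hash the page pins: code injected directly into the site's own HTML is not caught, and every legitimate update to the third-party file requires the token to be regenerated.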

Other mitigations that small businesses can perform include being mindful about which third-party features they implement on their site. Regular maintenance should be scheduled and performed, including website code reviews, web server security analysis, keeping operating systems up to date and patched, and staff training in regard to privileged user access. Outbound traffic should also be monitored to ensure that messages are going to the proper destination rather than being rerouted to an unauthorized party.

Unfortunately, the business owners themselves can be the main reason this type of cyber threat goes unaddressed. "Website owners are reluctant to take measures to prevent formjacking because they're concerned that it might disrupt revenue flow" (Rash, 2019b).

4.2 LotL and Fileless Attacks

A rising trend in cyber attack techniques involves fileless malware. It has also been referred to as a zero-footprint attack as well as a Living-off-the-Land (LotL) attack due to its ability to enter a machine undetected. This method uses trusted out-of-the-box tools such as macros and various scripts to carry out an attack. It has the ability to remain in the infected system and execute a malicious payload using native Microsoft functionality such as XML, Dynamic Data Exchange (DDE), PowerShell, Windows Scripting Host, and Windows Management Instrumentation (WMI), then move laterally to other machines within the network to duplicate the same process. "In 2018, Microsoft Office files accounted for almost half (48 percent) of all malicious email attachments, jumping up from just 5 percent in 2017" (Symantec, 2019, p. 17).

Based on the LotL attack's method of delivery, one could say that a logical mitigation tactic would be to simply disable these native Windows functions. The issue is that while, in theory, this would be effective in reducing the occurrence of fileless attacks, many of these executable functions are necessary to conduct Windows-based operations.

For instance, the DDE protocol "sends messages between applications that share data and uses shared memory to exchange data between applications" (Kennedy & Satran, 2018). Used by commonly accessed applications such as Microsoft Word, Excel, and Visual Basic, this protocol "can be used to implement a broad range of application features that include linking to real-time data such as stock market updates, scientific instruments, or process control" (TrendMicro, 2017).

Another Windows-native tool that has seen a significant spike in use in first-stage malware is PowerShell. This tool grants administrators a wide range of access controls to manage enterprise networks. Disabling this functionality would disrupt business operations and therefore is not a viable option.

A successful campaign would play out as follows: using spear phishing techniques (emails that target specific individuals or departments), a bad actor sends Microsoft Office lure documents to multiple targets. Upon opening the email, one of the recipients is prompted to enable content. The user enables content, which activates the DDE protocol. The DDE protocol then runs commands and tools in memory, with each action invoking another executable designed either to collect information (e.g., credentials) or to create a backdoor that can be reused to access that workstation again. This is a typical characteristic of an Advanced Persistent Threat (APT), which is "a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time" (Rouse & Rosencrance, 2018).

It has proven to be an effective mode of entry that starts with first-stage malware and then unleashes a second-stage payload using native tools. The threat is magnified by its ability to hide in plain sight: having tasks and scripts run in memory obscures the actual exploits running in the background, making them more difficult to detect.
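The chain just described (Office lure document, enable content, DDE or macro handing off to PowerShell or a script host, then WMI for lateral movement) leaves a trail in process-creation telemetry even when nothing touches disk. The following added example, written for this discussion and not taken from the paper or any cited source, applies three simple detection rules to constructed Sysmon-style events; the host names, paths, and encoded argument (base64 of the word PLACEHOLDER) are all made up.

```python
import json
import ntpath

# Office applications whose "Enable Content" prompt can hand execution to DDE
# or a macro, as in the lure-document chain described above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native hosts the second stage runs in. cmd.exe is included because DDE
# commonly launches the other hosts through it.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "wmic.exe", "cmd.exe"}
# Parent of any process created remotely through WMI (Win32_Process.Create),
# the mechanism behind the lateral movement mentioned in the text.
WMI_PROVIDER_HOST = "wmiprvse.exe"
# PowerShell switches that hide the window or pass the script in memory
# instead of as a file on disk.
PS_STEALTH_FLAGS = {"-e", "-enc", "-encodedcommand", "-nop", "-noprofile",
                    "-noni", "-noninteractive"}


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules match case-insensitively."""
    return ntpath.basename(path).lower()


def powershell_is_stealthy(command_line: str) -> bool:
    """True when the command line carries an in-memory or hidden-window switch."""
    tokens = command_line.lower().split()
    for i, tok in enumerate(tokens):
        if tok in PS_STEALTH_FLAGS:
            return True
        if tok in ("-w", "-windowstyle") and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            return True
    return False


def evaluate(event: dict) -> list:
    """Apply the three rules to one process-creation event and return the names
    of the rules that fired (possibly more than one)."""
    image = base_name(event.get("Image", ""))
    parent = base_name(event.get("ParentImage", ""))
    fired = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        fired.append("office_spawned_script_host")
    if image in ("powershell.exe", "pwsh.exe") and powershell_is_stealthy(event.get("CommandLine", "")):
        fired.append("powershell_hidden_or_encoded")
    if parent == WMI_PROVIDER_HOST and image in SCRIPT_HOSTS:
        fired.append("wmi_remote_process_creation")
    return fired


def scan(log_lines) -> list:
    """Run every JSON event line through evaluate(); return (host, image, rule) tuples."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            findings.append((event.get("Computer", "?"), base_name(event.get("Image", "")), rule))
    return findings


# Constructed sample events in a Sysmon-like shape, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc UExBQ0VIT0xERVI="},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc UExBQ0VIT0xERVI="},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c PLACEHOLDER"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n quarterly-report.docx"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
])


if __name__ == "__main__":
    for host, image, rule in scan(SAMPLE_LOG.splitlines()):
        print(f"{host}: {image} -> {rule}")
```

The benign events on WS03 (a user opening a document, a scheduled backup script run from a file) produce no findings, which is the point: the rules key on the parent-child relationship and in-memory switches rather than on PowerShell itself, so the business can keep the tool the text says it cannot afford to disable.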

4.3 Ransomware

Another cyber threat that remains persistent despite reports of it declining is ransomware. While recent articles state that ransomware attacks have decreased and are being replaced by newer methods, it is important to note that such articles are likely referring to the instances that occur within larger enterprises.

Ransomware is malware designed to deny access to data, divulge sensitive data, or both, unless a ransom is paid. This can affect mobile devices, individual systems or workstations, or an entire network and all of its interconnected assets. The point of entry for ransomware varies, meaning whatever means necessary to get the payload delivered. It can be delivered as a secondary attack via LotL techniques. 79% of the participants in a Ponemon Institute report (2018) cited phishing and some type of social engineering as the source of entry for their company's ransomware attack. Another common method of unleashing ransomware is through Remote Desktop Protocol (RDP) passwords. RDP is a Microsoft-specific protocol that enables a remote connection to a workstation within the same network. It is a commonly used feature in office settings for routine maintenance, troubleshooting, virtual desktops, and applications. Attackers could either brute-force their way through, use purchased stolen credentials, or manually steal credentials from systems that have weak passwords by using open-source tools such as Mimikatz.

All three techniques have been used to deploy the SamSam variant of ransomware against organizations of all sizes. One of its larger victims was the IT systems of the City of Atlanta, in which the group behind SamSam demanded $51k in bitcoin to restore essential and critical services to the city. The City of Atlanta did not pay the ransom, but regaining control of the hijacked systems and fortifying them against similar attacks cost $2.7 million, with an additional $9.5 million requested to aid with recovery.

With larger organizations' ability to invoke additional resources to respond to attacks, nefarious groups and individuals have turned their attention to SMBs. "About 70 percent of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000" (Davis | Health IT Security, 2019). Just recently, Michigan-based Brookside ENT & Hearing Services became "the first health care provider in the nation to shut its doors for good because of a ransomware attack" (Carlson, 2019). The two doctors who ran the clinic refused to pay the $6,500 ransom to unlock their data, which rendered their business inoperable. They have since reported the incident to the FBI. While cybersecurity experts think their data might still be recoverable, a reputable data forensics and recovery team will need to access the infected systems in order to determine how much of it can be salvaged.

5. Challenges

The challenges faced by both employer and non-employer profiles are similar to those of large enterprises — mainly constraints on resources as well as human error. However, these issues pose an even greater threat to small businesses.

The participants in the 2018 Ponemon Institute study were asked what they thought were the challenges that kept their organization's IT security from being fully effective. The top three answers given were:

• Insufficient personnel (74%)
• Insufficient budget (55%)
• No understanding of how to protect against cyber attacks (47%)

5.1 Insufficient Personnel and Budget

The SMEs that fall under the smaller range will typically have employees who wear many hats and perform multiple and oftentimes overlapping roles. The smaller the number of personnel, the greater the chance of each one being responsible and accountable for multiple processes. Insufficient staffing is directly related to insufficient budgets. Employer Profiles will more than likely have only one individual handling all IT-related duties or will outsource the task when needed, while Non-Employer Profiles will have no other option but to handle it themselves or outsource if the budget allows. Cybersecurity job salaries typically fall at the higher end of the spectrum, far beyond what the Profiles are able to pay. "Instead, they assign these responsibilities to an employee who works on these issues on a kind of part-time basis" (US Senate: Committee on Small Business and Entrepreneurship, 2018, p. 5-6). As a result, these personnel will not only experience obstacles related to overallocation but will also lack the knowledge and expertise necessary to adequately maintain good cybersecurity hygiene. Employees who are delegated cybersecurity duties on a part-time basis will not have the incentive to obtain cybersecurity certifications that require both time and financial commitments.

According to the Chairperson of the Maryland Cybersecurity Association, Inc. (CAMI), one of the common reasons given by small businesses for not having a dedicated cybersecurity plan or staff is "Cybersecurity is expensive and I cannot afford it" (Abate, 2018, as cited in US Senate: Committee on Small Business and Entrepreneurship, 2018, p. 27). Cybersecurity expenses take up a larger percentage of the Profiles' operational budget compared to larger firms, since they do not have the economies of scale that a large organization has in terms of acquiring technology solutions per user or in bundles. Larger organizations have the advantage of volume-based discounts.

5.2 Decentralized Information

Besides lacking qualified cybersecurity personnel, another factor that compounds the challenge is not fully understanding what needs to be done. Unfortunately, seeking answers online only results in too much fragmented information that is either very difficult to find or too vague to translate into practical activities. Before the Main Street Cybersecurity Act was signed into law on August 14, 2018, the cybersecurity framework provided by the National Institute of Standards and Technology (NIST) was the main resource available for small and large businesses alike. The amount of information that the typical Profile business owner or part-time cybersecurity staff would have to sift through was cumbersome and impractical. Other resources are also prone to poorly organized information that can be overwhelming to gather, synthesize, and convert into organizational practices. For instance, the US Small Business Administration (SBA) site mostly provides a handful of external links leading to other organizations such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), or NIST instead of creating its own internal resource library.

Currently, the cybersecurity page on the FCC site is difficult to find from the home page and can only be found by searching for the term "cybersecurity" in the search box, which lists it as the fourth result on the page. The FCC page also provides a downloadable Cybersecurity Tip Sheet which contains inaccurate advice, such as that hiding your router's SSID helps secure your Wi-Fi network. An SSID is merely an identifier for the access point and is not a security feature. A determined hacker can easily discover a hidden SSID by utilizing a network analyzer. "A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs" (Davies, 2007). This means that, depending on your device and settings, hiding your network name on the router will inadvertently expose it, since your device will attempt to probe for your router wherever you may be. More practical advice would be to ensure that your router is set to WPA2 encryption and not WEP, which can be cracked in a matter of minutes.

5.3 Shadow IT and Insider Threat

While the term shadow IT has an ominous, clandestine ring to it, it does not necessarily refer to a secret band of personnel who are intentionally wreaking havoc on a company's network. It simply refers to any technological hardware or software used in an organizational setting which has not been approved for use or is beyond the scope of control of the IT department. Cisco (n.d.) defines it as "the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware."

These can include the use of physical storage devices (USB drives), messaging apps (WhatsApp, Facebook Messenger), personal devices (mobile phones, tablets), as well as IoT devices (Amazon Echo). If a member of an organization's staff brings in a mobile device and jumps on the company's wifi to minimize data charges, this is considered unauthorized unless the IT or security department has an Acceptable Use Policy (AUP), a Mobile Device Management (MDM) policy, or a Bring Your Own Device (BYOD) policy in place that specifically addresses it. It is safe to assume that if most larger firms do not have a detailed mobile device management plan established, then small businesses will certainly not have one in place.

Shadow IT services and devices do offer obvious benefits in terms of increased productivity and collaboration, but these technologies add an attack surface that bad actors can exploit and exfiltrate data through. There is often a trade-off between convenience and security which must be carefully managed within an office setting.

Insider threat can refer to both malicious intent and human error. 60% of company data breaches have been attributed to negligent employees or contractors (Ponemon Institute, 2018, p. 4). A secure workstation and network mean nothing if an employee writes their user credentials on a sticky note and adheres it to their monitor for any passerby to see. Accessing work email or documents via a mobile device connected to public wifi at a coffee shop is another example of unintentional insider threat. "70% of SMB respondents have logged onto public wifi using their work devices at places such as airports, airplanes and coffee shops" (AppRiver, 2019). Public wifi allows cybercriminals to carry out man-in-the-middle (MitM) attacks in which they position themselves between the user (victim) and the open network (access point) and use tools to sniff the data transferred between the public wifi and the user's device. In short, they are eavesdropping on and capturing the transmission that occurs between user and access point to obtain passwords, personal information, and other useful data.

6. Plan of action

6.1 Framework and Guidelines

Profiles need to make every effort to create a framework that is suitable for their organization. There is a misconception that cybersecurity falls only within the purview of the person responsible for IT duties, when in actuality the entire firm and all of its personnel have to be accountable. Profiles with an existing cybersecurity policy can use the following resources to update their current framework. Those who do not have one in place can use any of the following suggested resources as a starting point in a long-term, continuous effort to mitigate cyber-related risks.

Profiles should create a cybersecurity policy or update an existing one. NIST has a Small Business Cybersecurity Corner page with planning guides that can serve as templates. The page also contains up-to-date documentation on various topics.

The DHS Stop. Think. Connect.™ Toolkit located in the Publications Library currently has a list of PDF guides organized by Cyber Topic at the bottom of the page. These provide a good starting point for those with minimal IT experience who are seeking general information, since the format is easily digestible and not overwhelmingly technical. At the top of the page, materials are also divided based on their target audience. Clicking on the small business link takes the user to another page with a short list of additional resources, both internal and external links.

The National Cybersecurity and Communications Integration Center's C3VP page has a Cybersecurity Resources Road Map with a helpful infographic divided into tiers containing links to resources that address specific cybersecurity questions.

The National Initiative for Cybersecurity Careers and Studies (NICCS) has a Cybersecurity Workforce Development Toolkit, a downloadable PDF with "resources and information you need to plan, build, and advance your cybersecurity workforce" (NICCS, 2016, p. 1). The Stakeholder Engagement and Cyber Infrastructure Resilience one-sheet works well in conjunction with it.

The National Cyber Security Alliance's CyberSecure My Business™ page has well-organized multimedia resources such as a Technology Checklist with relevant, accurate, and actionable practical information. The same site has a Resources Library with helpful tip sheets such as the Digital Spring Cleaning SMB Checklist.

The Better Business Bureau (BBB) has a useful page with a list of resources for small businesses, including a 5-Step Approach quick guide (PDF).

Lastly, Profiles should explore additional cybersecurity resources provided by their state government and local jurisdiction to supplement the ones mentioned above. As a general rule, knowledge seekers should look for recency within the resources. Outdated and undated resources could give out inaccurate or obsolete information.

6.2 Talent and Training



Employer Profiles with dedicated IT personnel should review their current cybersecurity health by performing a self-audit of assets, data, risks, resources, mitigation, and recovery tactics with stakeholders. Leadership must ensure that they have personnel who are accountable and responsible for cybersecurity-related tasks only. Threat prevention is not a static effort in which occasional software updates or virus scanning are deemed sufficient. Cyber threats are constantly evolving, and in order to mitigate potential risks, organizations must exercise vigilance in their efforts.

This places a greater onus on Non-employer Profiles, who already have the burden of handling multiple responsibilities. Non-employers can outsource these tasks to Managed Security Service Providers (MSSPs), who specialize in the monitoring and management of systems and devices. Owners of non-employer businesses can also take this challenge as an opportunity to educate themselves on cyber protection, since they have the advantage of less complex processes and systems due to their business size.

If hiring a dedicated cybersecurity professional is not a feasible option, an Employer Profile can also choose to go the outsourced MSSP route or invest in training an employee with entry-level standard industry certifications.

The fortification of both Profiles is not limited to having access to a security expert to oversee operations. It also means collaborating with all departments to ensure that a layered security approach is implemented. A network with good defenses is still vulnerable if an employee falls victim to social engineering techniques that exploit human behavior. Profiles should strive to educate themselves and their staff on current and ongoing threats, if nothing else just to create a sense of awareness. Cybersecurity is only as strong as the weakest link, and in a work setting, the weak link can be the employees.

6.3 Budget

Profiles lack a sufficient budget to allocate towards a security initiative, but this should not prevent them from implementing best practices for systems hardening. Even large enterprises "spend less than 10 percent of their IT budget on infosec" (Fruhlinger, 2018). Both employer and non-employer profiles must learn how to use the tools that they currently have at their disposal. Profiles might not be able to afford or have the personnel to manage an IDS (Intrusion Detection System) / IPS (Intrusion Prevention System), but even commercial off-the-shelf firewall and antivirus solutions are better than nothing. A Business.com article stated that "the majority of small businesses have invested in antivirus software and firewall protection (81 and 76 percent, respectively)" (Rinaldi, 2019). Companies such as Symantec have affordable small business solutions which cover workstations as well as mobile devices on both major platforms (Android and iOS).

Another simple system hardening practice is proper configuration of the router, including changing the administrative password (many users still leave the default password in place), setting up and managing guest Wi-Fi so that visitors' devices stay off the internal network, and adding Virtual Private Network (VPN) services for businesses that rely on remote access.

Performing timely updates of operating systems, browsers, and applications on all devices, so that they carry the most recent security features and patches, is another good habit to ingrain into the company culture.

Opting in to multi-factor authentication wherever it is available is recommended to verify user identity, usually for logins or other transactions. Encrypting hard drives and email is another good practice that can be implemented at low or no cost.

For Profiles that accept credit cards or digital payments, such as e-commerce operations, or that store confidential or sensitive customer information, including but not limited to medical or financial data, investing in cybersecurity insurance is highly recommended. In the event of an incident, whether data loss, theft or breach, a policy will at least provide some assistance with recovery and help minimize the overall impact.

6.4 BYOD and IoT

It is advisable that Profile security policies address a common trend in the workplace: Bring Your Own Device (BYOD), an umbrella term that can also include IoT devices. Personal devices brought into the workplace that are not provided by the company add to the company's attack surface as potential entry points. BYOD also contributes to the shadow IT phenomenon. A comprehensive mobile device management strategy will need to balance security against the full potential and value that BYOD technologies can bring to the organization. This includes educating users on how to operate their mobile devices responsibly both during and outside office hours. Creating an on-boarding process for BYOD should be one of the primary objectives. “66% of IT professionals don’t know how many devices employees bring into work, while an estimated 84% of companies have experienced an IoT-related breach” (InfoSec Institute, 2018). A device that is not visible on the network cannot be managed.
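As an added example (not code from this paper or from any vendor product), the following Python script shows the kind of check that turns the visibility problem above into a routine task: it reads the router's DHCP leases (the dnsmasq lease-file format is assumed) and compares them with the BYOD/asset inventory, reporting devices that are unknown and, separately, devices presenting randomized MAC addresses, which current phones use on Wi-Fi and which a MAC allowlist alone cannot recognize. The lease lines and the inventory in the script are constructed sample data.

```python
"""Audit DHCP leases against a device inventory and flag what is not managed.

Added example for this paper, not code from the original or from any vendor.
Assumed input: dnsmasq-style lease lines "<expiry> <mac> <ip> <hostname> <client-id>".
The lease lines and the inventory below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lower-case, colon-separated form so inventory lookups match."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Phones that
    randomize their Wi-Fi MAC present such addresses, so a MAC-based
    inventory cannot reliably recognize them; they need per-user onboarding
    (802.1X or a captive portal) rather than an allowlist entry."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        try:
            leases.append(Lease(normalize_mac(mac), ip, hostname))
        except ValueError:
            continue
    return leases


def audit(leases: Iterable[Lease], inventory: Iterable[str]) -> Dict[str, List[Lease]]:
    """Split observed leases into inventoried, randomized-MAC and unknown devices."""
    known = {normalize_mac(m) for m in inventory}
    report: Dict[str, List[Lease]] = {"known": [], "randomized": [], "unknown": []}
    for lease in leases:
        if lease.mac in known:
            report["known"].append(lease)
        elif is_locally_administered(lease.mac):
            report["randomized"].append(lease)
        else:
            report["unknown"].append(lease)
    return report


# Constructed sample data: four leases, two of them in the inventory.
SAMPLE_LEASES = """\
1557158400 00:11:22:33:44:55 192.168.1.10 front-desk-pc 01:00:11:22:33:44:55
1557158400 a4:83:e7:12:34:56 192.168.1.23 * 01:a4:83:e7:12:34:56
1557158400 d2:5e:91:aa:bb:cc 192.168.1.41 iPhone 01:d2:5e:91:aa:bb:cc
1557158400 b8:27:eb:01:02:03 192.168.1.77 raspberrypi 01:b8:27:eb:01:02:03
"""
# Inventory entries are written in whatever form the spreadsheet happened to use.
INVENTORY = {"00-11-22-33-44-55", "B8:27:EB:01:02:03"}


def run_sample() -> Dict[str, List[Lease]]:
    """Run the audit over the constructed sample data."""
    return audit(parse_leases(SAMPLE_LEASES), INVENTORY)


if __name__ == "__main__":
    for category, devices in run_sample().items():
        for d in devices:
            print(f"{category:10s} {d.mac} {d.ip:15s} {d.hostname}")
```

On a real network the script would be pointed at the router's lease file or an ARP table export instead of the embedded sample. The "randomized" bucket is the practical reason the on-boarding process mentioned above should tie a device to a user (for example through 802.1X or a captive portal) rather than to a hardware address.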

6.5 Continuous Education


Employer Profiles can integrate cybersecurity awareness into the company culture by holding dedicated meetings on the subject or by allocating a portion of every meeting to reviewing relevant and recent topics. Internal newsletters can also be used to deliver news, tips, videos, and infographics. Informational one-sheets can be posted throughout the establishment and refreshed with new content on a scheduled basis. Employer Profiles that have the budget for penetration testers should consider acquiring their services to test the security of the organization through ethical hacking, simulated social engineering scenarios, and simulated phishing.

7. Conclusion

As the cyber threat landscape continues to evolve faster than businesses can keep up, it is crucial for Profiles to take these threats seriously, along with their total impact on the organization. Small businesses assume that they are less of a target because they represent less financial gain to cybercriminals. This assumption can give Profiles a false sense of security and a lax attitude towards security in general. The most recent Q2 2019 Cyberthreat Index for Business survey published by AppRiver revealed a pattern across both larger SMBs (150-250 employees) and smaller SMBs (1-49 employees): “SMBs could be underestimating their real cyberthreat risks” (2019). In truth, they are at just as much risk as larger enterprises, with the added obstacle of resource constraints.

Moreover, both Profiles share a common set of obstacles: constraints on both personnel and budget, as well as not knowing where to start or how to go about fortifying their businesses. To make matters worse, the resources and organizations designed to assist SMBs are difficult to navigate and often give vague and convoluted advice that is hard to synthesize.

Improvements have been made to reliable sources of information such as NIST and the SBA, but they are nowhere near where they should and can be. Small business owners will need to be proactive and do their due diligence in order to remain vigilant. Persistent and dynamic threats must be met with an equally persistent and dynamic approach.




References

AppRiver. (2019). Cyberthreat index for business Q1 2019. Retrieved from https://www.appriver.com/files/documents/cyberthreatindex/AppRiver-Cyberthreat-Index-for-Business-Survey-exec-summary_FINAL.pdf

AppRiver. (2019). Cyberthreat index for business Q2. Retrieved May 6, 2019, from https://www.appriver.com/files/documents/cyberthreatindex/Q2-2019-AppRiver-Cyberthreat-Index-for-Business-Survey%20Report.pdf

Babson College. (2016). The state of small business in America. Retrieved from http://www.babson.edu/media/babson/site-assets/content-assets/images/news/announcements/goldman-10ksb-report-2016.pdf

Bayern, M. (2018, August 21). SMBs at higher risk of sophisticated cyberattacks: Here are the top threats. Retrieved from https://www.techrepublic.com/article/smbs-at-higher-risk-of-sophisticated-cyberattacks-here-are-the-top-threats/

Carlson, J. (2019, April 6). All of records erased, doctor's office closes after ransomware attack. Retrieved from http://www.startribune.com/all-of-records-erased-doctor-s-office-closes-after-ransomware-attack/508180992/

Cisco. (n.d.). What is shadow IT? Retrieved May 6, 2019, from https://www.cisco.com/c/en/us/products/security/what-is-shadow-it.html

CISO Mag. (2019, February 25). Cyber criminals cash in on millions with formjacking: ISTR. Retrieved from https://www.cisomag.com/cyber-criminals-cash-in-on-millions-with-formjacking-istr/
Davies, J. (2007, April 19). Non-broadcast wireless networks with Microsoft Windows. Retrieved from https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb726942(v=technet.10)#EDAA

Davis, J. (2019, March 27). 71% of ransomware attacks targeted small businesses in 2018. Health IT Security. Retrieved from https://healthitsecurity.com/news/71-of-ransomware-attacks-targeted-small-businesses-in-2018

Fruhlinger, J. (2018, May 29). The state of IT security, 2018. Retrieved from https://www.cio.com/article/3274588/the-state-of-it-security-2018.html#slide7

InfoSec Institute. (2018, August 23). Security issues in edge computing and the IoT. Retrieved from https://resources.infosecinstitute.com/security-issues-in-edge-computing-and-the-iot/#gref

Kennedy, J., & Satran, M. (2018, May 30). About Dynamic Data Exchange. Retrieved from https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange

Mozilla. (n.d.). Subresource integrity. Retrieved from https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

NICCS. (2016). Cybersecurity workforce development toolkit. Retrieved from NICCS / DHS website: https://niccs.us-cert.gov/workforce-development/cybersecurity-resources/cybersecurity-workforce-development-toolkit

NIST CSRC. (2018, March 29). Access control policy and implementation guides. Retrieved May 7, 2019, from https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides
New York State Senate. (n.d.). Section 131: Definition of a small business. Retrieved from https://www.nysenate.gov/legislation/laws/COM/131

Ponemon Institute. (2018, November). 2018 state of cybersecurity in small & medium size businesses. Retrieved from https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf

Rash, W. (2019, February 27). You need to protect your website against formjacking right now. Retrieved from https://www.pcmag.com/article/366770/you-need-to-protect-your-website-against-formjacking-right-n

Rinaldi, A. (2019, January 14). The role of IT in SMB cybersecurity. Retrieved from https://www.business.com/articles/its-role-in-cybersecurity/

Rouse, M., & Rosencrance, L. (2018, July). What is advanced persistent threat (APT)? Retrieved May 9, 2019, from https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT

SBA.gov. (2016, February 26). Small business size standards. Retrieved from https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf

SBA.gov. (2018, August). Nonemployer fact sheet. Retrieved from https://www.sba.gov/sites/default/files/advocacy/Nonemployer-Fact-Sheet.pdf

SBE Council. (n.d.). Facts & data on small business and entrepreneurship. Retrieved from http://sbecouncil.org/about-us/facts-and-data/

Stewart, B., & Charlton, D. (2019). Cyber attack inevitability: The threat small & midsize businesses cannot ignore. Retrieved from https://www.chubb.com/us-en/_assets/doc/2019_01.31_cyber_whitepaper_chubb_r3.pdf

Switchfast. (2018). Cybersecurity mistakes all small business employees make, from entry level to the C-suite. Retrieved from https://cdn2.hubspot.net/hubfs/1747499/Content%20Downloads/Switchfast_SMB_Cybersecurity_Report.pdf

Symantec. (2018). Internet security threat report (23). Retrieved from http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf?aid=elq_

Symantec. (2019). Internet security threat report (24). Retrieved from https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf

Thompson, M. (2019, January 24). Why cybercrime targets small business. Retrieved from https://smallbiztrends.com/2016/05/cybercrime-targets-small-businesses.html

TrendMicro. (2017, November 22). DDE: What it is, what it does, and how to defend against attackers who may exploit it. Retrieved from https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/dde-what-it-is-what-it-does-and-how-to-defend-against-attackers-who-may-exploit-it

U.S. Census Bureau. (2018, June 21). U.S. 2016 nonemployer statistics. Retrieved from https://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=NES_2015_00A1&prodType=table

U.S. Senate: Committee on Small Business and Entrepreneurship. (2018). Preparing small business for cybersecurity success (S. Hr. 115-300). Retrieved from Committee on Small Business and Entrepreneurship website: https://www.govinfo.gov/content/pkg/CHRG-115shrg30630/pdf/CHRG-115shrg30630.pdf

U.S. Small Business Administration Office of Advocacy. (2016, June). SBA: Frequently asked questions. Retrieved from https://www.sba.gov/sites/default/files/advocacy/SB-FAQ-2016_WEB.pdf

Verizon. (2018). Data breach investigations report. Retrieved from https://www.researchgate.net/publication/324455350_2018_Verizon_Data_Breach_Investigations_Report
