An overarching theme of the report reveals that SMBs around the world (and particularly in North America) believe they are too small and pose too little value to hackers to be worth their time, but recent trends in hacker and cybercrime activity reveal that’s just not the case.

In reality, SMBs’ limited resources, inadequate security, and lack of technical expertise make them more vulnerable to cyber attack, and hackers are taking notice.

Jeff Green, Senior VP of McAfee Avert Labs confirmed, “High profile attacks [on larger enterprises] are becoming less frequent because they are often detected quickly. Attackers are favoring stealth attacks that quietly infiltrate systems [of small and medium businesses].”

To change this trend, small and medium-sized organizations will need to make significant shifts in their fundamental values and budgetary allocations.

Today:

• 52% of SMBs believe they are not well known enough to be a target for cybercrime
• 46% believe hackers could not make any money by accessing their information
• 45% of SMBs think they hold little value to hackers
• 44% believe cyber crime is an issue for larger organizations
• 35% of SMBs are not concerned about being a target of cybercrime
• 34% don’t think their information has value outside the organization

As a result, an alarming number (74%) of  SMBs allocate three hours or less each week to IT security, and half of all SMBs surveyed feel adequately protected by default settings on the IT equipment. The effects of these lax standards are dire resulting in stolen data, downtime, decreased productivity, non-compliance, lost sales, and a tarnished reputation.

Businesses in this space typically experience a week of downtime trying to recover from a cyber attack, and real, out of pocket costs hover around $41,000 per incident.

So what’s a small business to do?

“Get ahead of the hackers. Take every step you can to prevent security breaches by partnering with organizations that specialize in security for small business,” advises FireHost Founder and CEO, Chris Drake. “We provide resources and expertise required to do business securely online, and FireHost helps SMBs achieve higher security levels for less money than they might spend taking on the challenge alone.”

The RideMatch.info flaw provides inadequate scrutiny of user-generated text entered in search boxes and fields throughout the website. Hackers exploit the SQL injection vulnerability by passing commands directly into the back end database.

The vulnerability was identified and reported in August by Kristian Hermansen, a security researcher who was required by his employer to sign up for the service. His report to The Register stated, “The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don’t even know that their employee’s personal and corporate information may be been compromised.”

To date, the exploit has exposed hundreds of employees’ sensitive information across several organizations in S. California, including at least one military entity.

The Ride Match website is a joint project between five regional transit authorities. The service pairs commuters based on home and office destinations as well as departure times. The Riverside County Transportation Commission, an agency responsible for the website, reported to have reached out to the Trapeze Group (a Canada-based development company that designed the software) right after the vulnerability was reported.

Once identified, SQL injection vulnerabilities can often be patched by changing a line or two of code, but The Register spoke to a Trapeze spokesperson on 9/8, and at that time she was unaware of any security bugs being reported on the software. She promised that any vulnerabilities brought to their attention would be investigated and resolved.

The decrease is fueled by a decline in the number of traditional banks. Researchers speculate  that this trend could be fueled by the financial crisis, or perhaps improved security measures when users login to “real” banks online is playing a role. Make no mistake however, hackers aren’t slowing down. They seem instead to be targeting Online Payment institutions instead as reflected in the rise of attacks over the last 18 months.

To further reinforce the movement toward Online Payment institutions, PayPal is mentioned in two of the top five subject lines from this year. (PayPal is included four times if you extend the list to the top ten slots.)

• Attention! Votre compte PayPal a ete limite!, 24%
• Important Information Regarding Your Limited Account, 7%
• PayPal® Account Review Department, 2%
• Account Security Measures, 1%
• Citibank Alert: Additional Security Requirements, 1%

Along with the change in volume, phishing attack origins have shifted dramatically this year. Russia takes the top spot, and they weren’t present on the list last year; Turkey, Ukraine, and India are new as well. Spain and Italy sat in the top slots last year, but Spain has completely disappeared along with Israel, France, and Germany who were smaller yet valid players in ’08.

The top 10 for 2009 include:

The net of these changes lay the groundwork to support foundational changes to the cyber community ecosystem are coming. Researchers are concerned that the decline in phishing attempts simply means that hackers are redirecting resources to other methods that obtain the same (or better gains) that phishing once achieved.

Websites that made the list represent the “worst of the worst” based on the number of threats detected by Norton Safe Web. Without downloading or clicking on anything in particular, you risk exposing your computer to infection and revealing your personal and financial information into the hands of cyber criminals. Simply visiting one of these websites could infect your computer, so we don’t recommend you actually visit any of the websites that made the list.

So what makes these websites so dirty? Malware, security risks like phishing, and browser exploits top the list. In fact, the average number of threats found on the top dirtiest sites is… (ready for this?) 18,000, and 40 of the top 100 dirtiest websites have more than 20,000 unique threats each lurking in the shadows waiting to exploit unknowing visitors.

Symantec found the dirty websites by crawling the web using web forensic techniques like file scanning, IDS (intrusion detection systems), behavioral detection, and install/uninstall analysis to find security risks. In addition, Symantec has more than 20 million active contributors in the Norton Community Watch program. You can see dirty site submissions in real time by visiting http://safeweb.norton.com/safety.

While Norton can help you detect which websites are bad, FireHost can help keep your website off the bad list. We help keep hacker activity at bay by providing application level firewall protection, proactive vulnerability monitoring, and much more as a standard part of every secure web hosting package.

A lack of threat awareness is not the problem. The study shows that almost all businesses in this category have installed anti-virus programs and kept security systems up to date, but a large number of SMBs still become victims of cyber crimes. When disaster strikes, viruses (41%) followed by spyware (26%) are most often the cause.

In a conversation with SC Magazine, Luis Corrons, PandaLabs technical director suggested, “these companies often lack the in-house staff and resources to fight off increasingly sophisticated and exponentially more targeted Internet attacks.”

The study’s results support Mr. Corrons claim that SMBs are not or able (or willing) to allocate the appropriate resources to close vulnerabilities and properly secure their environment.

• 52% of survey respondents have no web filtering solution
• 39% are untrained/unaware of IT threats
• 29% have no anti-spam solution
• 22% are without anti-spyware technology
• 16% do not have a firewall

So what should small and medium size business owners do?

Network vulnerability scans provide extremely high value. A thorough scan of your website(s), database(s), and application(s) can identify disasters waiting to happen. With a starting pricepoint around $100 each, vulnerability scans provide SMBs an affordable way to identify open ports, SQL injections, cross-site scripting (XSS) attempts, holes in JavaScript and web forms, and much more.