Report: Security threats at small companies can spread to larger organizations

Symantec report on Internet security says attackers use smaller businesses as gateways to large corporations with valuable secrets

Attackers used smaller businesses with less stringent security as gateways to their ultimate targets: large corporations or governments that hold valuable secrets, according to a Symantec report on Internet security.

In addition, adversaries target lower-level employees because they are more likely to open malware-laden email attachments that compromise their machines and then their networks, according to "Internet Security Threat Report: 2011 Trends," put out by Symantec.

Half the targeted attacks were directed at companies with fewer than 2,500 employees, the study says, and while they may not own assets that the attackers want, they may represent backdoors into larger businesses that do own such assets.

"It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger, but less well-defended companies," according to the report.

This was the case with the attack on RSA that resulted in its two-factor token code being stolen. The network of an RSA partner company was compromised and an email sent from that company to an RSA employee contained an attachment that led to the breach. The RSA breach, in turn, led to the breach later last year of Lockheed Martin's network.

The individuals targeted are generally not high-level employees with direct access to valuable information, although 25 percent of the attacks are aimed at executives.

Instead, attackers target a range of those who are likely to open attachments on emails from strangers, such as HR professionals who routinely receive emails with resumes attached that are sent by job applicants, the report says. HR workers are targeted 6 percent of the time, the study says. Shared mailboxes receive 23 percent of the attacks.

Data breaches resulted in the personal information of 232.4 million people being exposed, with each breach averaging the exposure of 1.1 million identities, the Symantec report says. The cost to U.S. companies that lost personal data was $194 per individual.

Health care organizations suffered the lion's share of the breaches, 43 percent, but computer software and IT companies suffered the greatest percentage of individual identities compromised, with 44 percent and 41 percent, respectively.

Other stats from the report:

  • The number of machines compromised by bots shrank from 4.5 million in 2010 to 3.06 million in 2011.
  • The total number of attacks Symantec blocked jumped 81 percent from about 3 billion in 2010 to about 5.5 billion in 2011. The unique variants of malware jumped from 286 million in 2010 to 403 million in 2011. "Malware authors effectively use toolkits to create new versions of malware," the report says.
  • Mobile vulnerabilities jumped from 163 in 2010 to 315 in 2011. Many of these were spyware that collected information from phones and sent it to attackers, but 24 percent of mobile malware sent premium text messages. These messages are sent without the owner's knowledge, and result in the owner being billed.

This story, "Report: Security threats at small companies can spread to larger organizations" was originally published by Network World.