SPECIAL TO THE WEB

Robert Tie, CFE, CFP

Smaller enterprises are increasingly the targets of choice for cybercrooks and no wonder. Their websites and systems might have less to plunder than those of Target and other Fortune 500 giants. But their cyberdefenses are disproportionately weaker than big-company security systems. And that makes them all the more attractive to Internet predators.

The ACFE, in response, is calling attention to the soaring online risk among small-cap businesses.

“As large organizations develop stronger controls over their networks and digital data, attacks on small enterprises have mushroomed,” said ACFE Chairman and founder Dr. Joseph T. Wells, CFE, CPA, at the 24th Annual ACFE Global Fraud Conference. He urged antifraud experts to educate small businesses about this threat and encourage their investment in defensive resources.

EXISTENTIAL RISK

“While a serious attack can significantly harm a large organization, it can force a smaller enterprise completely out of business,” says Joseph Giordano, chairman of cybersecurity programs at Utica College in New York and a former cyber operations specialist in the U.S. Air Force Research Laboratory. 
 
Case in point: CD Universe, one of the first successful online music sellers. In January 2000, a hacker stole up to 300,000 customer credit card numbers from the company’s website and demanded $100,000 in ransom, according to “Thief Reveals Credit Card Data When Web Extortion Plot Fails,” by John Markoff, The New York Times, Jan. 10, 2000. 

When CD Universe’s owner refused to pay, the hacker sold the stolen card numbers over the Internet. As news of the theft spread round the world, consumer confidence in CD Universe’s cybersecurity plummeted, swiftly transforming the once promising e-tailer into a ’Net loser. By year-end, the owner sold CD Universe for a half million less than he had paid for it.

A decade and more afterward, the case’s dynamics remain compellingly relevant but are largely ignored. Why? For the same reason it’s hard to sell insurance: Few people like to spend money on preventing something that might not happen.

And since smaller companies’ cyberattack losses get comparatively little press coverage, their leadership tends to worry more about profitability and other pressing matters than they do about online risk. 

“Cost is the primary criterion many small companies use to evaluate cybersecurity resources,” Giordano says. “Budget limits often force them to view optimal online protection as nice-to-have, rather than must-have.”

For CFEs who serve or seek small-company clients, the challenge is to get them to view online security as a form of catastrophe insurance — something they already embrace as essential protection against enormous losses.

Read the full Special to the Web article on Fraud-Magazine.com.