Small businesses are increasingly victims of ‘Crime as a Service’

(This post originally appeared on The Washington Post)

Ask most any business executive and you’ll find that they rely heavily on Software as a Service (SaaS) applications to run their companies. Thanks to these cloud-based services, owners can more efficiently and accurately manage their businesses and their employees are able to access their data remotely from almost any device.

But unfortunately there’s a dark side. The rise of SaaS has also created something else: CaaS . . . or Crime as a Service.

That’s the opinion of cybersecurity expert Larry Johnson, the chief strategy officer of a company that provides cyber incident response to Fortune 500 clients and government agencies. Writing last month on Entepreneur.com, Johnson warns small business owners that CaaS is fast becoming a significant issue.

Crime as a Service, Johnson believes, is the reason half of all small companies in the United States have been breached by hackers and are the top target of “spear-phishing” (fake email attacks), which have doubled since 2011.

CaaS owes its rise to the “Dark Web,” a place on the Internet that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable. On the Dark Web, hackers have created a different type of “sharing economy.” Instead of taxi rides and vacation rooms, the villains of the Internet are borrowing each other’s malicious code, tools and software to help them launch their own attacks on unsuspecting small businesses.

What kind of tools are being shared? According to Johnson, there’s pre-written malware, ready-to-go “phishing kits” and “exploit kits” that can lure users to malicious websites via email and make it easier for hackers to gain access to a company’s network. Amazingly, today’s hackers are also using CaaS to share call center services and their own servers and networks for launching attacks.

Unfortunately, there aren’t many weapons at the disposal of small business owners. But Johnson recommends thinking ahead and creating strategies for not only preventing attacks but containing them after they happen.

“Crime-as-a-service will increase the risks of financial fraud, cyber extortion and data theft for all types of businesses,” Johnson writes. “But smaller companies are at the greatest risk. By planning ahead for a network breach, the company can minimize the damage.”