
Hackers Target Internet Phone Systems of SMBs

Posted by Paul Mah Oct 31, 2009 1:27:44 AM

I just wrote about a study that found SMBs lacking in security training. As if underscoring just how vulnerable small and medium businesses are in terms of security, I came across a report on how hackers are targeting the VoIP systems belonging to these companies.

Hacking into VoIP systems is easier than you might imagine, and the proliferation of easy-to-use tools and abundant instructions on the Internet means that perpetrators have plenty of help when going about their shenanigans. Of course, the fact that most VoIP systems either use the open source VoIP software Asterisk or are based on a variant of it also means that new vulnerabilities can be replicated across many systems.

In addition, such installations are generally not protected against brute-force attacks, which rely on software to repeatedly attempt different password combinations.  In an earlier blog highlighting the need to protect e-mail accounts, I suggested using throttling techniques or an automatic lockout to defend against such an attack vector.
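A sketch of the throttling-plus-lockout idea applied to failed SIP registrations, added here as an example; it is not code from the original post or from Asterisk. It assumes log lines in the style of Asterisk's chan_sip failed-registration notices; the sample lines are constructed and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Asterisk chan_sip failed-registration notices.
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<ip>[^':]+)(?::\d+)?' - ")

def sample_line(ts, ext, ip):
    """Build one constructed log line (not captured from a real system)."""
    return (f"[{ts}] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - Wrong password")

# Constructed input: one source guessing six extensions in ten seconds,
# and one user who mistypes a password twice, six minutes apart.
SAMPLE = sorted(
    [sample_line(f"2009-10-31 01:00:{s:02d}", 100 + s, "203.0.113.5")
     for s in range(0, 12, 2)]
    + [sample_line("2009-10-31 01:00:05", 201, "198.51.100.7"),
       sample_line("2009-10-31 01:06:00", 201, "198.51.100.7")])

def lockouts(lines, max_failures=5, window=timedelta(seconds=60),
             lockout=timedelta(minutes=15)):
    """Return {source_ip: locked_until} for sources that hit the threshold."""
    recent = defaultdict(deque)    # per-source timestamps of recent failures
    locked = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # not a failed registration
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in locked and ts < locked[ip]:
            continue               # still locked out; enforcement would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # throttle window: forget old failures
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = ts + lockout
            q.clear()
    return locked

if __name__ == "__main__":
    for ip, until in lockouts(SAMPLE).items():
        print(f"lock out {ip} until {until}")
```

The user who mistypes a password twice never reaches the threshold, while the rapid guesser is locked out on the fifth failure.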

 

Security Is Not a Priority

Although defending against brute-force methods is relatively simple, the root of the problem is that many SMBs do not make security a priority, notes Network World. In the same article, Rodney Thayer, CTO with VoIP security company Secorix, was quoted as saying:

"People care way more about whether their conference calls are going to have decent phone quality."

So what is the objective of hacking into such systems in the first place? In this instance, it was to use them to make phone calls to perpetrate scams. Where Internet phone systems are concerned, another problem is the phone charges that could be racked up from these unauthorized calls.

Cost of a Security Breach Can Be High

I recall how my wife's handbag was once stolen. Amid the frenzy of canceling credit cards and filing a police report, we didn't think about an additional SIM card tucked away in a corner of the bag. It came to mind the next day, and we promptly canceled the phone line. Unfortunately, it was already too late.

Up until then, I would never have imagined it possible to rack up a couple of hundred (U.S.) dollars in pay-phone charges within the span of just 30 minutes, as the billing record showed. The perpetrator apparently used the SIM card to make calls to a number of local pay lines. Upon investigating further, I was shocked to learn there are no limits to the amount that can be racked up by such calls. Of course, your liability might differ depending on where you live.

So why am I sharing this? I wanted to highlight the fact that the cost of even one security breach could be far higher than you imagined. SMBs typically put off implementing security measures or training due to the "high cost." In the event of a breach though, the final bill could well be much, much more than the cost of some preventive measures.

For myself, I am just grateful that the price of my "lesson" wasn't any higher.  Can you say the same for the state of security in your SMB?
