Last year, hackers used an internet-connected security camera in a Colorado laundromat to spread Mirai, a powerful computer virus. Eventually, Mirai infected 600,000 devices and took down major websites like Paypal, Twitter, Amazon, Netflix and others, according to the Wall Street Journal.
But the laundromat was only one of many small businesses that were used as hosts to spread the virus. Kyle York, chief strategy officer of Dynamic Network Services Inc., a domain name service that hosts thousands of websites, tells WSJ that Mirai exploits a weakness in internet-connected devices to form a botnet of infected machines to wage attacks on other sites. In Oct. 2015, Mirai successfully hit Dynamic Network Services with a denial-of-service attack, which kicked 1,200 other web domains offline.
Emy Donavan, head of cyber and tech at insurance company Allianz Global, says that many internet-of-things devices are vulnerable because manufacturers did not build the devices with robust security measures in mind. Now that business owners rely on many of these insecure internet-connected devices, a perfect storm has been created, Donavan says.
"It's as if we built a robot army with the ability to take us all down without first installing the proper security solutions," says Donavan.
Every small business needs to take security seriously and be careful about which devices are connected to the internet, Donavan says. She suggests that business owners only buy IoT devices that can receive software updates to patch vulnerabilities.
"Take patch management seriously, if the company says there is a security update, there's a reason for it," says Donavan.
Steve McGregory, a researcher at security firm Ixia, told WSJ that devices without proper security can be infected within seconds of being turned on for the first time. He also says the problem will get worse.
Donavan says the typical response she hears from business owners is that they don't have valuable data. But she says if you're a business with customers, you have data that hackers want.
"I think the main thing most companies don't realize is that your company doesn't need to be a household name to be a target," says Donavan. "You become a target by being a business that uses internet-connected devices."