News headlines tend to highlight only wide-scale attacks against large enterprises. However, most attacks target small and midsize businesses (SMB). In relative terms, these attacks often are much more costly to smaller targets.
Targeting small and midsize businesses makes more sense than it might seem. Cybercriminal groups are ruthlessly efficient. They want the biggest bang for their buck, which often means the SMB segment. The following sections outline five reasons that make these businesses inviting targets.
No. 1: Your data is valuable
Most companies have information they want to keep secret: customers’ credit card numbers, employees’ personal data, or it could be something as valuable as the keys to the business banking account.
A New York mannequin maker learned that lesson the hard way in 2012 when it lost $1.2 million within a matter of hours through a series of fraudulent wire transfers. Cybercriminals breached the firm and got its online banking credentials. The company’s anti-virus (AV) software never detected anything amiss.
Sarah E. Needleman (The New York Times). “Cybercriminals Sniff Out Vulnerable Firms.” July 2012.
In addition to having valuable data of their own, most SMBs do business with larger companies. Often this includes ties into partners’ computer systems or access to their sensitive data and intellectual property. Even if you are not the ultimate target, only a few hops separate you from a valuable target.
“It might not be your data they are after at all,” the Verizon Data Breach Investigations Report states. “If your organization does business with others that fall within the espionage crosshairs, you might make an excellent pivot point to their environment.” You might think of yourself as a small fish, but you are connected to bigger fish.
No. 2: Attacks offer high returns for criminals with minimal risks
The Internet connected the globe in ways barely conceivable just a few decades ago. It has opened up outside markets, uncovered lucrative niches to serve, and created brand new ways of doing business.
The dark side of this progress: the Internet has also made attacks possible from anywhere in the world. Attackers are rarely caught, let alone punished. Advanced malware typically resides in infected systems for weeks, even months, before conventional security tools detect it. Some malware quietly cleans up after itself after exfiltrating data to make a clean getaway. Moreover, in some cases, attackers are even sponsored by their home government.
Those factors are amplified when it comes to SMBs, which are usually less able than their larger counterparts to detect and counter advanced threats. With much to gain and little to lose, cyber attackers have strong incentives to attack.
No. 3: SMBs are an easier target
SMBs face the same threats as large enterprises but have a fraction of the budget to deal with them. More than 40 percent do not have an adequate IT security budget, according to a survey by the Ponemon Institute: “The Risk of an Uncertain Security Strategy Study of Global IT Practitioners in SMB Organizations.”
Unlike big corporations—with dedicated roles for chief information security officer, chief information officer, and the like—the general IT director at a small or midsize business wears many hats. Only 26 percent of small and midsize companies in the Ponemon survey were confident their firm has enough in-house expertise for a high-security posture.
Likewise, many smaller companies lack strong security procedures and policies. According to a September 2013 survey sponsored by Bank of the West, only 36 percent of small business owners have data security policies.
Most cyber attackers follow the path of least resistance. In many cases, this means targeting the very businesses that can least afford to be hit.
No. 4: SMBs have their guards down
The statistics are clear: a small or midsize business is more likely—not less—to face an attack compared with large enterprises. Nearly 60 percent of small and midsize businesses in the Ponemon survey do not consider cyber attacks a big risk to their organization and forty-four percent do not find high-security a priority.
Despite a growing tide of cyber attacks, 77 percent of SMBs believe that their company is safe from cyber attacks, “showing that some small businesses are operating under a false sense of security.”
Many businesses assume that they do not have anything worth stealing. Others are unaware of the volume and sophistication of today’s attacks. In either case, the effect is the same: the business remains vulnerable. As the Verizon Data Breach Investigations Report puts it:
“Am I a target of espionage? Some may already know the answer to this question by firsthand experience. Many others assume they are not or haven’t thought much about it. Despite the growing number of disclosures and sometimes alarmist news coverage, many still see espionage as a problem relevant only to the Googles of the world. Unfortunately, this is simply not true.”
No. 5: Most SMBs use security tools that are no match against today’s attacks
The defenses most SMBs have in place today are ill equipped to combat today’s advanced attacks. Firewalls, next-generation firewalls, intrusion prevention systems (IPS), AV software, and gateways, remain relevant security defenses. However, they are woefully ineffective at stopping targeted attacks.
These technologies rely on approaches such as URL blacklists and signatures. By definition, these methods cannot stop powerful attacks that exploit zero-day vulnerabilities. If an IPS or AV program does not have the signature of a new exploit, it cannot stop it. When highly dynamic malicious URLs are employed, URL blacklists do not cut it.
Most defenses stop known attacks. But they are defenseless against unknown advanced targeted attacks or zero-day threats.
Recommendations: Here are two key steps toward shielding your business from the growing scourge of data breaches.
Targeting small and midsize businesses makes more sense than it might seem. Cybercriminal groups are ruthlessly efficient. They want the biggest bang for their buck, which often means the SMB segment. The following sections outline five reasons that make these businesses inviting targets.
No. 1: Your data is valuable
Most companies have information they want to keep secret: customers’ credit card numbers, employees’ personal data, or it could be something as valuable as the keys to the business banking account.
A New York mannequin maker learned that lesson the hard way in 2012 when it lost $1.2 million within a matter of hours through a series of fraudulent wire transfers. Cybercriminals breached the firm and got its online banking credentials. The company’s anti-virus (AV) software never detected anything amiss.
Sarah E. Needleman (The New York Times). “Cybercriminals Sniff Out Vulnerable Firms.” July 2012.
In addition to having valuable data of their own, most SMBs do business with larger companies. Often this includes ties into partners’ computer systems or access to their sensitive data and intellectual property. Even if you are not the ultimate target, only a few hops separate you from a valuable target.
“It might not be your data they are after at all,” the Verizon Data Breach Investigations Report states. “If your organization does business with others that fall within the espionage crosshairs, you might make an excellent pivot point to their environment.” You might think of yourself as a small fish, but you are connected to bigger fish.
No. 2: Attacks offer high returns for criminals with minimal risks
The Internet connected the globe in ways barely conceivable just a few decades ago. It has opened up outside markets, uncovered lucrative niches to serve, and created brand new ways of doing business.
The dark side of this progress: the Internet has also made attacks possible from anywhere in the world. Attackers are rarely caught, let alone punished. Advanced malware typically resides in infected systems for weeks, even months, before conventional security tools detect it. Some malware quietly cleans up after itself after exfiltrating data to make a clean getaway. Moreover, in some cases, attackers are even sponsored by their home government.
Those factors are amplified when it comes to SMBs, which are usually less able than their larger counterparts to detect and counter advanced threats. With much to gain and little to lose, cyber attackers have strong incentives to attack.
No. 3: SMBs are an easier target
SMBs face the same threats as large enterprises but have a fraction of the budget to deal with them. More than 40 percent do not have an adequate IT security budget, according to a survey by the Ponemon Institute: “The Risk of an Uncertain Security Strategy Study of Global IT Practitioners in SMB Organizations.”
Unlike big corporations—with dedicated roles for chief information security officer, chief information officer, and the like—the general IT director at a small or midsize business wears many hats. Only 26 percent of small and midsize companies in the Ponemon survey were confident their firm has enough in-house expertise for a high-security posture.
Likewise, many smaller companies lack strong security procedures and policies. According to a September 2013 survey sponsored by Bank of the West, only 36 percent of small business owners have data security policies.
Most cyber attackers follow the path of least resistance. In many cases, this means targeting the very businesses that can least afford to be hit.
No. 4: SMBs have their guards down
The statistics are clear: a small or midsize business is more likely—not less—to face an attack compared with large enterprises. Nearly 60 percent of small and midsize businesses in the Ponemon survey do not consider cyber attacks a big risk to their organization and forty-four percent do not find high-security a priority.
Despite a growing tide of cyber attacks, 77 percent of SMBs believe that their company is safe from cyber attacks, “showing that some small businesses are operating under a false sense of security.”
Many businesses assume that they do not have anything worth stealing. Others are unaware of the volume and sophistication of today’s attacks. In either case, the effect is the same: the business remains vulnerable. As the Verizon Data Breach Investigations Report puts it:
“Am I a target of espionage? Some may already know the answer to this question by firsthand experience. Many others assume they are not or haven’t thought much about it. Despite the growing number of disclosures and sometimes alarmist news coverage, many still see espionage as a problem relevant only to the Googles of the world. Unfortunately, this is simply not true.”
No. 5: Most SMBs use security tools that are no match against today’s attacks
The defenses most SMBs have in place today are ill equipped to combat today’s advanced attacks. Firewalls, next-generation firewalls, intrusion prevention systems (IPS), AV software, and gateways, remain relevant security defenses. However, they are woefully ineffective at stopping targeted attacks.
These technologies rely on approaches such as URL blacklists and signatures. By definition, these methods cannot stop powerful attacks that exploit zero-day vulnerabilities. If an IPS or AV program does not have the signature of a new exploit, it cannot stop it. When highly dynamic malicious URLs are employed, URL blacklists do not cut it.
Most defenses stop known attacks. But they are defenseless against unknown advanced targeted attacks or zero-day threats.
Recommendations: Here are two key steps toward shielding your business from the growing scourge of data breaches.
- Assume you are a target: Your data is valuable. And you likely have ties to bigger, high-profile business partners. Given that today’s advanced attacks can easily bypass most security tools, you may have been breached and not yet know it. By assuming that you are in cyber attackers’ crosshairs, you can better prepare yourself against the inevitable attack.
- Deploy a security platform for today’s attacks: SMBs must take a radically different approach. They need to implement a security platform that can detect and block both known and unknown threats with real-time, coordinated security. Today’s attacks exploit previously unknown, zero-day vulnerabilities, easily bypassing signature- and reputation-based defenses. Even with constant updates, standard security products cannot keep up with today’s fast-moving, ever-evolving threats. By the time most products can update their databases of known malware and high-risk Web addresses, attackers have fashioned new and undetectable attacks.
- Know your risks: Be aware of the latest security risks and partner with a security specialist to better help your SMB to combat any threat to sensitive information.
Contributor
Mr. Tomas Santos-Alejandro is Advent Service’s VP of Operations. He can be reached at info@adventsvcsllc.com or (850) 441-2915. Advent Services (www.adventsvcsllc.com) specializes in Information Technology and Security services for government and private sector organizations.
