Why Cybercriminals Increasingly Target Small BusinessesCompanies with small security budgets make easy targets
By: Mike Zykowski
Big corporations are obvious targets for cybercriminals. They’re high profile, deal in huge sums of money and have large workforces that are often dispersed across continents. In circumstances like these, potential attack vectors are plentiful making large businesses a natural target for criminals.
This fact has led to a degree of complacency among the small business community. After all, with so many enormous targets to aim for, why would any cybercriminal target a small business like yours?
But if you go beyond the headlines and dive deeper into the threat landscape, you may be surprised to find there is an increasing amount of cybercrime that targets small and medium-sized businesses (SMBs).
Two recent reports corroborate this trend. According to Ponemon Institute, over two thirds of SMBs with 100-1000 employees experienced a cyber attack in 2018. If that has some of you small business owners breathing a sigh of relief, there’s bad news: A recent survey in the UK by market research firm Opinium for an internet service provider had almost identical findings. That survey found that nearly two thirds of all business with 10-49 employees were targeted by cybercriminals last year.
What’s going on?
While the major breaches make headlines, just below the surface there is a constant and increasing level of cybercrime that is targeting smaller organizations. In the physical world, large companies have the resources to use security guards, complex monitoring systems and high tech entry devices. Small businesses are targeted because they often don’t have measures, so thieves can evade detection. The same is true of the virtual world too. Unfortunately for small business, the consequences of compromise can be severe because they are less able to cope with the cost and damage.
Despite the vast number of attack vectors a large corporation offers, many cybercriminals also don’t have the skills, or even the patience, to try and break through the defenses. Small businesses are vulnerable because they often don’t have much budget for security measures and don’t fully appreciate the scale of the risk they face. Many small businesses also overlook the value of the information they store, believing it to be of little interest to anyone.
But smaller businesses can be lucrative targets for malicious hackers. Any personably identifiable information on customers like email addresses, phone numbers, or payment card details, is valuable to hackers who can use it to commit fraud or sell it on the dark web. Some small businesses don’t realize they may be targeted because they are an entry point to the network of a larger company they do business with. It’s also important to consider who is coming in and out of the workspace: just how much do you know about the air conditioning or printer technicians?
Business email compromise is becoming more common too. BEC involves the threat actor using tactics like spear phishing to steal credentials and enter the network disguised as a legitimate user. From there, they spend time observing billing systems, communications with vendors, and even the CEOs communication style and schedule.
All this is done with the goal of using email to impersonate an executive and ask someone in finance or accounts to make a wire transfer to a bogus vendor as soon as possible. After the transfer is made to the criminal’s account, they launder the money to make it difficult to track.
What can be done?
The priority for any business is to make sure the security basics are covered. More than 80% of the recommendations Secureworks makes to organizations after an incident involve security fundamentals. The U.S. Small Business Administration offers a basic online course, while the FTC provides a more robust and comprehensive guide that includes a run-through of the NIST Cybersecurity Framework – an industry standard. The Secureworks® Security Maturity Model is a free and quick assessment that shows how mature your security posture is and benchmarks it against your peers. It draws from best practice security frameworks and Secureworks’ own threat intelligence and expertise to identify areas to improve.
Simple measures like requiring strong passwords, using 2 factor authentication or multi-factor authentication, regularly updating and patching, and staff training can help guard against opportunistic threats. The last is especially important as we’ve found that over 70% of entries into corporate networks come via email.
Firewalls are a must have, but we recommend monitoring them so that any attacks will be picked up early. For a more robust posture companies often use IDS/IPS devices to provide a secondary layer that can catch the threats a firewall will miss. Secureworks Detect & Prevent solution was designed for SMBs and uses our iSensor™ IPS to monitor firewalls, third-party IPS/IDS devices and servers. The solution raises events of interest to the Secureworks Counter Threat Platform™ in our SOC, where our analysts correlate and investigate events if necessary.
For small companies only just turning their attention to security, or operating on a shoestring budget, the basics are the perfect place to start. While even the fundamentals can seem daunting at first, with good planning and prioritization you can build a robust foundation of security on which business can safely grow.