This article is part of a series exploring the cybercrime threat facing small and mid-size organizations (SMBs), and how such organizations can mitigate their risk of compromise. In part 1, we summarize the leading threats to SMBs and associated risks.
Let’s face it – there is nothing fun or sexy about cybersecurity. Small businesses strive to be flexible, creative (unorthodox, even), and out-of-the-box to make their mark on their industry. While large organizations are subject to firm processes and extensive hierarchy, small orgs can fly by the seat of their pants to please customers. Cybersecurity doesn’t fit that bill – quite the opposite – cybersecurity is very rigid, methodical, and doesn’t drive new revenues or profits.
Moreover, cybersecurity is not only mundane and at odds with typical small business operations, it’s not instinctive. Strategically reviewing and managing cybersecurity standards is about as natural as going house hunting and meticulously inspecting the door locks, alarm systems, and location of fire hydrants. Umm…no thanks, let’s see that stylish kitchen and then check the back patio again. Yet small businesses must take cybercrime seriously – changing the way they operate to defend against the multi-billion-dollar cybercrime monster – one which profits off small orgs daily.
Here is a summary of the present cybercriminal threat to small and mid-size organizations:
The spoils of war on small business
Most small orgs assume they are “small beans” to cybercriminals, and as a result don’t invest significant time or capital into cybersecurity measures. Cybercriminals certainly hope this trend continues. Reportedly costing the global economy $600 billion (or 1% of global GDP) annually, cybercrime attacks target small businesses 58% of the time, according to the 2018 Verizon Data Breach Investigations Report.
Damages incurred can include ransom payments, lost business, reputation damage, employee time spent on recovery, and data loss. Regarding data, that may be where much of the disconnect lies for small org leaders. Even a micro-sized business can be responsible for highly valuable and sensitive records. A 2018 study sponsored by IBM estimates the average cost for each lost record to be $148.
What kind of records might these encompass? Some examples are:
- Customer records
- Intellectual property
- Customer credit/debit card information
- Business correspondence
As you may expect, research shows small businesses are most concerned about the cybersecurity of their customer records. So now that you have an impression of the financial impact, let’s review HOW these cybercriminals compromise small business networks.
How they attack you
While the attack methods are numerous, some are obviously more common than others. For SMBs, there are three such attack vehicles which stand above the rest. According to 2017 research compiled by SCORE, macro malware is the leading cybercrime attack on small business (113,000 recorded), followed by online banking malware (66,000 attacks), and ransomware (54,000).
*Malicious software, or malware, is software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system.*
Macro malware – Sent mainly through spam or spoofed emails, macro malware hides in attached documents and files, e.g. Word, PDF, and Excel files (they can also be delivered inside ZIP archives). Once the infected macro is executed, most variants will then infect other (if not all) documents on the computer, causing damage such as inserting or deleting document text. Furthermore, many macro viruses will self-propagate to the rest of the local network and to other networks via hostile takeover of the victim’s email account.
Online banking malware – This attack type steals banking credentials and/or credit card information and is becoming more prevalent as online and mobile banking gain popularity. Often using Trojan techniques, the goal is to infect the computer while remaining undetected so sensitive information and credentials can be gathered. Once the desired data is stolen and transferred, the cybercriminal will either (A) plunder the associated card/account, or (B) sell the info on the Dark Web.
Ransomware – This malware type has been the poster child for cybercrime in recent years, and for good reason. Often deployed via email (like macro malware) or compromised web sites, ransomware encrypts files on the victim’s computer and then displays a “ransom note” demanding payment in exchange for the decryption key. Some ransomware variants are “crypto-worms”, which self-propagate to other devices on a network, or to other networks (remember WannaCry?).
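The macro malware paragraph above notes that the malicious macro rides inside an Office attachment, sometimes wrapped in a ZIP. As an added defensive illustration (not code from the original article), the following Python inspects attachment contents rather than trusting file extensions: an Office Open XML document is itself a ZIP, and a VBA project is stored as a `vbaProject.bin` part inside it, so the check recurses into ZIP wrappers and flags any attachment carrying one. The sample attachments are constructed in-line and are only OOXML-shaped containers, not real Word files.

```python
import io
import zipfile

# VBA storage locations inside Office Open XML containers (.docm, .xlsm, .pptm).
# The macro project lives at <part>/vbaProject.bin whatever the file is named.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_DEPTH = 3  # stop descending into nested ZIPs after this many levels


def contains_vba(data: bytes, depth: int = 0) -> bool:
    """True if data is an OOXML document with a VBA project, or a ZIP that
    wraps one (checked recursively up to MAX_DEPTH)."""
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if any(part in names for part in VBA_PARTS):
            return True
        for name in names:           # a plain ZIP may wrap a macro document
            if name.endswith("/"):   # skip directory entries
                continue
            with zf.open(name) as member:
                if contains_vba(member.read(), depth + 1):
                    return True
    return False


def triage_attachments(attachments: dict) -> list:
    """attachments maps filename -> bytes; returns the names carrying macros."""
    return sorted(name for name, data in attachments.items() if contains_vba(data))


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: minimal OOXML-shaped ZIP (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic
    return buf.getvalue()


def sample_mailbox() -> dict:
    """Constructed attachments: a clean .docx, a macro .docm, and a ZIP hiding
    a macro document renamed to look like an ordinary report."""
    wrapper = io.BytesIO()
    with zipfile.ZipFile(wrapper, "w") as zf:
        zf.writestr("Q3_report.doc", build_ooxml(with_macro=True))
    return {"invoice.docx": build_ooxml(False),
            "invoice.docm": build_ooxml(True),
            "reports.zip": wrapper.getvalue()}
```

Extension-based filtering alone would have passed `reports.zip`; content inspection catches the wrapped document, which is why mail gateways look inside archives.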
These are just the headliners affecting small businesses, with spear-phishing, distributed denial-of-service (DDoS), and brute-force attacks also included in the cyberthreat landscape. Before we touch on how to defend against such threats, it’s important to understand why small business is the favorite target of cybercriminals.
Why cybercriminals love small organizations
When people think of cybercrime, they think of highly-publicized attacks like Yahoo! in 2013, Equifax in 2017, and “Collection #1” in 2019. This is understandable, as these were large-scale attacks on well-known organizations, and highly-publicized due to their impact on consumers. However, for every one of these high-profile attacks, there are nearly a hundred attacks on SMBs. This is because many SMBs are what we’d call “low-hanging fruit”.
Small and mid-size organizations don’t have the same capital and resources that large corporations have – this makes them relatively less susceptible to “sniper-style” attacks by large black hats, hacktivists, and state-sponsored actors. However, the same discrepancy which makes SMBs a lower-reward target also makes SMBs a lower-risk target. Why make $10,000 from one Fortune-sized corporation (with dedicated departments for IT security and a fat cybersecurity budget) when you can make $100 from a hundred SMBs?
Stated simply, SMBs don’t have the cybersecurity processes, tools, or resources that large corporations possess – this makes small orgs ripe for the picking.
How you can protect your company and not become a statistic
The first step is to acknowledge the threat and take it seriously. Most SMBs don’t need to go purchase bleeding-edge tools and hire a Chief Information Security Officer (CISO); however, all business leaders need to operate with cybersecurity in mind (and in budget). Cybersecurity may not be instinctive, but it doesn’t have to be complicated. Many industry experts break down cybersecurity measures into the “three Ps”: people, processes, and products. With that in mind, start with the fundamentals and work your way up strategically from there.
“How exactly do I do that?”, you ask.
In an effort to help SMB leaders reduce their cyber risk in 2019, we will make this article the first of a five-part series to function as a cybersecurity guide for small business leaders. While there are no silver bullets to implement, following industry best practices can make your organization a “hard target” for would-be cybercriminals. Such best practices will be the focus of this blog series. In the meantime, please check out our user best practices YouTube series!