Threat Actors Don’t Discriminate

Why SMBs Are Just as Much at Risk of Cyber Attacks
David Morrison
January 11, 2023

Over the past few years, small and medium-sized businesses (SMBs) have become increasingly attractive targets for cybercriminals. Though SMBs may not have the same cybersecurity infrastructure and resources as larger enterprises, they still possess valuable data that can be exploited by threat actors for financial gain. It is more imperative than ever for SMBs to take proactive measures to protect their systems and data. By doing so, they are better able to mitigate the risks and potential impacts of a cyber attack, and ultimately ensure the long-term success of their business.

Cybercrime is Expected to Cost the World $8 Trillion USD in 2023, and SMBs Will Absorb Most of the Hit

In a recent report released by Cybersecurity Ventures, cybercrime is expected to cost the world $8 trillion USD this year and rise 15% per year over the next three years. More than half of these attacks will be against SMBs. Attacks against SMBs have been on the rise over the last few years, much of this brought on by the COVID-19 pandemic and businesses rushing to move to the cloud to sustain operations during prolonged lockdowns.

In a report released by Barracuda in March 2022, their researchers found SMBs are three times more likely to be attacked, with employees of companies with 100 or fewer staff receiving 350% more social engineering attacks than employees of larger organisations.

RiskRecon, a Mastercard company, reported that cyber-attacks on small companies surged by more than 150% between 2020 and 2021. The pandemic created an environment where SMBs were particularly vulnerable to attacks.

SMBs Are Low Risk, High Reward for Threat Actors

I mentioned in a comment in a LinkedIn post the other day that 20 years ago we didn’t have the reports and statistics we have today. Every year there is more and more information about threat actors and their tactics, techniques and procedures (TTP), vulnerabilities, attack vectors, breach data, and the effectiveness of our controls to combat these issues. All this information makes it far easier to see who is being targeted and how, and make informed decisions to ensure you are on the right track to implementing an effective cybersecurity program.

With all this data it’s easy to see that attacks against SMBs have risen and why. Threat actors understand that larger organisations have invested in cybersecurity, both financially and by increasing resources and controls. The continually evolving compliance landscape has also helped drive this improvement, especially in certain sectors. On the other hand, smaller organisations don’t have the budgets and resources to invest large amounts in cybersecurity. Many startups are a perfect example, where funds, resources and time are limited, so everything is invested in getting their product or service to market as fast as possible.

In March 2020, a survey of small businesses by CNBC found that only 20% planned to invest in cyber protection.

To threat actors, SMBs present a low-risk, high-reward opportunity as they are less likely to be noticed by authorities or the companies themselves. According to IBM’s ‘Cost of a Data Breach 2022’ report, on average, it takes 277 days, or approximately 9 months, for organisations to detect and contain a breach. For SMBs with limited security measures, this time frame may be prolonged indefinitely. Reducing this breach lifecycle time is critical to reducing financial impact. Just reducing this time to below 200 days has been found to reduce the overall costs by 26.5%.

How Attacks Impact Small Businesses

The scariest statistic I’ve seen to date around the compromise of SMBs is one floating around from 2011 that stated ‘60% of businesses close within 6 months of a cyber attack’. Take this statistic with a grain of salt as it’s been floating around for over a decade and I still haven’t been able to find the paper it comes from. This type of impact isn’t difficult to comprehend when considering other statistics from IBM’s report on the effects of breaches on organisations:

  • 60% of breaches led to increases in prices passed on to customers
  • The average cost of a data breach was US$4.35 million
  • The average cost of a ransomware attack was US$4.54 million. This does not include paying the ransom itself.
  • Breaches related to remote working increased the breach cost by US$600,000.

These stats are pretty damning, and while large organisations will find it easier to recover from these types of financial impacts, damages like these can be an extinction event for an SMB. Furthermore, these statistics don’t factor in other consequences such as reputational damage or increased insurance premiums.

What Can Be Done To Improve Security

I found a recent SMB Cloud Security report from November 2022 to be intriguing as it offers additional statistics that align with my previous discussions with clients and the perspective I held while managing cybersecurity practices on the client side. This is especially true when talking about security with regard to SMBs that have limited budgets and resources.

You don’t need ‘military grade’ security to reduce risk to acceptable levels. You don’t need to have the latest and greatest ‘silver bullet’ technology to be ‘secure’. Your security strategy needs to be commensurate with your business, your risks, and your risk appetite. And often this comes down to simply not being the worst offender when it comes to security practices.

You will find the vast majority of attacks, especially against SMBs, are opportunistic. Threat actors may target a specific industry, but within that industry, the lowest-hanging fruit will be the easiest target. Unless a specific threat actor is targeting something unique to your organisation, most will not invest the time and resources to compromise you when they can move on to more vulnerable targets that present a higher reward and lower risk. And it’s sad to say, but this equates to SMBs that tend to have less investment in security, and threat actors therefore see them as the weakest link.

From the SMB Cloud Security in 2022 report, Sophos found that the more mature an organisation was when leveraging cloud services, not only did the impact of attacks decrease, which would be expected with better controls, but the overall volume of attacks decreased, and so did the complexity of the attacks. It seems logical. When an easy attack vector isn’t found, one will move on to find an easier target. According to the report:

Decrease in the volume of attacks:

  • Cloud intermediate users: 24%
  • Cloud advanced users: 37%

Decrease in the complexity of attacks:

  • Cloud intermediate users: 24%
  • Cloud advanced users: 34%

What actions can be taken by SMBs to enhance security, lower risk, and not be the weakest link in the chain?

  1. Identify critical data – Understand what data you have that is critical to your business success, and also what data is attractive to a threat actor. Ensure that data is documented, including where. This is the most critical step in any security strategy as you can’t protect what you don’t know about.
  2. Put controls in place to protect your critical data – By identifying what is critical and what is not, limited security funds and resources can be allocated to areas where they are needed most, rather than attempting to implement every recommended control throughout the entire organisation.
  3. Ensure critical data is backed up and segregated from your other systems – A common tactic in ransomware attacks is to compromise your backups as well. The basic idea is that if recovery is not possible, paying the ransom is likely to become necessary.
  4. Create response plans and test them – It’s critical that you are able to respond to an attack or breach. Dr Sarah Morrison recently published an article discussing how to prepare for an incident and common pitfalls to avoid.
  5. Educate your employees – Building a security culture is more critical in 2023 than ever. Understanding how you can be attacked, the types of attack vectors threat actors use, how to recognise attacks (such as phishing) and reporting incidents is critical to maturing security across your business. Cyber attacks against people are at a record high and remain one of the simplest and most efficient methods of bypassing other security measures.

Cybersecurity isn’t that hard and it doesn’t have to break the bank. We understand our weaknesses. We understand how threat actors leverage these weaknesses, and we understand what controls to put in place. Taking the simple security strategies above into consideration can help business owners and executives understand the risks they face, but of course, leveraging expertise from security professionals that specialise in this area can help you make sure your business is able to identify potential threats and vulnerabilities and get the best possible protection for your critical data.

If you need more advice on protecting your organisation’s infrastructure – contact me. I’m always happy to have a no strings attached chat on how you can help secure your company’s future growth!

David Morrison

David is the Co-CEO of Morrisec. With a wealth of experience spanning more than two decades, David has established himself as a leading cybersecurity professional. His expertise and knowledge have proven invaluable in safeguarding organisations from cyber threats across a gamut of industries and roles.
