The headlines are often filled with data breaches and cyberattacks that target large enterprises, yet small and medium-sized businesses are no less susceptible to malicious attacks.
In fact, small businesses are likely to have fewer resources to devote to cybersecurity and less staff to monitor potential threats to critical IT systems, according to experts.
A June 2016 study, sponsored by Keeper Security and conducted by the Ponemon Institute, found that more than 50 percent of SMBs were breached in the previous 12 months. The study also found that only 14 percent of the companies surveyed rated their ability to mitigate cyberattacks as “highly effective.”
Recent research in the United Kingdom yielded similar results. According to a U.K. government survey released last week, 52 percent of small businesses (10-49 employees) and 66 percent of medium-sized businesses (50-249 employees) reported identifying a cybersecurity breach in the past 12 months.
Why are SMBs targeted so much?
One is that, for criminals, cyberattacks against SMBs offer both low risks and high rewards. That’s largely because, according to the United Nations Office on Drugs and Crime, only 10 percent of cyber crimes reported to police by SMBs result in a conviction.
“Advanced malware typically resides in infected systems for weeks, even months, before common security tools detect it,” according to a FireEye white paper on the topic. “Some malware quietly cleans up after itself after exfiltrating data to make a clean getaway. Other malware makes sure to leave few traces in the first place, running solely in computer memory so that no artifacts are left on the compromised machine’s storage.”
And those factors are usually heightened with SMBs, “which are usually less able than their larger counterparts to detect and counter advanced threats. With much to gain and little to lose, cyberattackers have strong incentives to attack.”
SMBs are also easier targets, since, according to the U.N. data, 65 percent of them have no data security policy, FireEye notes. Similarly, the U.K. survey found that only around a third of firms have a formal policy on cybersecurity. FireEye notes that, unlike large firms, SMBs typically have IT directors wearing many hats.
Many SMBs “cannot afford the layered, ‘defense-in-depth’ security employed by large enterprises. And even if they could, most of these defenses are futile anyway,” FireEye says.
That’s because of the third reason SMBs are targeted: Their cybersecurity defenses are ill-equipped to deal with today’s advanced threats. “Firewalls, next-generation firewalls, intrusion prevention systems (IPS), antivirus (AV) software and gateways remain important security defenses,” the white paper notes. “But they are woefully ineffective at stopping advanced attacks.”
According to a real-world study conducted by FireEye, attackers bypassed multiple layers of security in 96 percent of deployments. “These traditional technologies rely on approaches such as URL blacklists and signatures. By definition, these approaches cannot stop advanced attacks that exploit zero-day vulnerabilities,” the white paper says.
FireEye adds: “If an IPS or AV program does not have the signature of a new exploit, it cannot stop it. When highly dynamic malicious URLs are employed, URL blacklists do not cut it. Furthermore, many advanced attacks are a blend of email and network exploits, making it even more difficult for these technologies as standalone solutions to stop them. Most defenses can stop known attacks but are defenseless against unknown, advanced attacks.”
Despite these risks, SMBs are attacked because of a lack of awareness around the importance of cybersecurity. According to the Ponemon Institute, 58 percent of SMBs don’t consider cyberattacks a big risk to their organization, and 44 percent don’t consider strong security a priority.
Finally, SMBs are attacked because their information is valuable. Small businesses have customers’ credit card numbers, their employees’ personal data and, depending on the business, access to financial data. For example, FireEye notes, in the case of a real estate firm, “it might be something as valuable as the keys to the business banking account.”
According to Ponemon’s 2016 “Cost of Data Breach Study,” the average consolidated total cost of a data breach grew from $3.8 million in 2015 to $4 million in 2016.
What can SMBs do to fight back? FireEye lists five key priorities: