Yes, small to mid-sized enterprises (SMEs) continue to prove a fruitful target for cybercriminals.
The Allianz Risk Barometer reported that cyber risks are the largest concern for companies globally in 2022. And the number of cyberattack attempts per week reached an all-time high in Q4 of 2021.
Many hacking attempts — such as spam containing malicious links — are general in scope, not discriminating against the company’s size or sector. But the hit rate for small and medium businesses is as high as 42%, and the damage to SMEs can often be far worse than when a large corporation is hit.
In this article, we will review the major cybersecurity risks that SMEs face, why they are as prone to attack as larger firms, and how they can protect themselves from the onslaught of cyberattack attempts.
Smaller budgets and limited resources make SMEs a prime target for cybercriminals. Whether through oversight or because security isn’t high on the priority list, SMEs tend to have more security gaps compared to large corporations.
The reasons for these gaps are usually due to one or more of the following:
Organizations should consider implementing robust security controls to improve their overall security posture and cyber resilience.
Through a combination of automated software, botnets, and billions of scam emails, organized criminals operate primarily on a hit-and-miss strategy that “hits” enough times to be profitable. Coupled with targeted attacks, such as CEO email impersonations, organized cybercrime is big business. SMEs need to be prepared for the scenario of being targeted and potentially being compromised.
Here are the biggest types of cybersecurity risks faced by SMEs.
Phishing is a type of email attack where cybercriminals impersonate a legitimate business, but the email in fact contains malicious links. These links can lead to malware, ransomware, or to a fraudulent website designed to steal login credentials.
Spam emails typically also contain malicious links, although they do not always attempt to impersonate a known entity as phishing emails do.
Phishing attacks were at an all-time high in Q1 2022, topping one million total attacks, according to a report by the Anti Phishing Working Group (APWG). The primary driver for the rise in attacks was an increased focus on “smaller accounting and insurance firms.”
Twenty-four percent of the attacks were levied against the financial sector.
Adware is malicious software that runs in the background of your computer and displays intrusive adverts that typically lead to shady websites, such as pornographic sites, dark web marketplaces, and “drive-by” websites that can install further malware on your machine without you being aware of it.
Adware can be extremely sophisticated, such as the AdLoad malware that has plagued macOS computers since 2017. The malware developers recently managed to find a way to completely bypass Apple’s inbuilt malware scanner for as long as 10 months.
AdWare tops the list of mobile malware in 2021, at 42.42%.
SME websites can be notoriously easy to compromise. Due to a lack of budget, many companies will go with a system like WordPress which powers 43% of the world wide web, but which accounts for an enormous portion of all website hacks.
The same is true of custom-designed websites. “Budget” website development can leave many unpatched security holes, resulting in crippling data breach fines that can put many small companies out of business — the average cost of a data breach for a small and medium business is over $100,000.
A compromised site often sends malicious spam emails from your domain name. This can have catastrophic effects on your domain’s reputation, tanking it completely in the search results.
CEO Fraud is a type of business email compromise (BEC) attack where an attacker compromises the account of a high-level executive and then uses that account to send fraudulent emails that impersonate the executive. Because an email comes from a “CEO,” it is far more likely to be acted upon.
This type of attack is particularly effective at the SME level because it is unlikely that the CEO of a large multinational corporation would directly email someone lower down on the command chart.
Overall, BEC attacks resulted in the highest financial losses than any other crime in 2021, according to the FBI.
Botnets are a network of computers that contain malware that allows them to be controlled by a malicious actor. These botnets often send spam that contains malicious links. Almost any internet-enabled/IoT device can be turned into a member of a botnet if malware can be installed on it.
SMEs that haven’t properly invested in the right security training are more likely to have a computer or device turned into an unwitting member of a botnet. Users may not know enough to spot a malicious link in a phishing email or avoid a drive-by website that installs malware on their computer.
Large-scale botnets are often known by name, such as the prolific Emotet botnet that infected over 1 million computers before a global crackdown managed to hinder its growth. The hackers behind the botnet are reportedly trying to get around the limitations imposed by the crackdown by upgrading the malware’s code.
Ransomware famously made headlines when Colonial Pipeline was hacked on May 6, 2021. But this type of attack is far more prevalent against smaller businesses — 82% of all ransomware attacks are targeted at small businesses, reported tech.co.
According to Lexico, ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.”
Why are SMEs such a common target? As a ransomware gang member interviewed in the above article says — “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies…”
In other words, SMEs are a consistent source of income for hackers with a relatively low downside. SMEs pay ransoms and are unlikely to have additional budget to thoroughly investigate who was behind the attack.
Personally Identifiable Information (PII) is a hot item on the black market. Knowing someone’s Social Security Number can open the door to countless types of fraud such as identity theft. Protected Health Information (PHI) is even more valuable, with criminals paying up to ten times as much for medical data. This is because possession of such data makes high-stakes insurance fraud possible.
Poor passwords, badly coded websites, stolen credentials, poorly secured devices, and dozens of other factors can lead to a data breach that can result in heavy fines for the SME.
According to data from Verizon, data breach attacks against small and medium businesses are on the rise, accounting for nearly half of all data breaches in 2021.
Despite all the above, the costs of implementing a complete security solution might be far out of reach for many smaller businesses.
A robust security posture requires that so many different elements are considered that the only choice an SME seemingly has is to hire a dozen vendors to cover all bases.
The solution to this lies in hiring a modern Managed Security Service Provider (MSSP) that can bolster every aspect of an SME’s security posture without breaking the bank.
Modern managed security providers offer the full gamut of security services — including security awareness training to reduce human error — under one umbrella, and at an enormously reduced cost.
An MSSP will typically provide coverage in the following areas:
Each tool in itself does not constitute a full solution. But together they provide a comprehensive combination of protection, detection, and response that minimizes the success of attacks as well as nullifies them quickly if they do occur. Fast response minimizes business impact.
Contact SolCyber to find out how we can help your SME improve its security posture easily and affordably.
For those of you who are just joining us, I’m retired Marine and security expert Scot Hutton and I’ve been invited by my friends at SolCyber to write a blog series on security that matters. So far, I’ve covered why ransomware has forever changed the security landscape for small and mid-sized businesses (SMEs) and explained […]
Venture Capital (VC) and Private Equity (PE) firms take on a lot of risk when investing in a new startup or operating business. Although it is vital to perform all necessary due diligence on any new investment, VC/PE firms shouldn’t ignore their own risk. Rather, they need to take a hard look at their own […]
Remember the good old days when ransomware wasn’t so rampant across industries and all types of companies, large and small? Us too. Unfortunately, the way in which hackers are using ransomware has changed significantly in the last several years, leaving every company vulnerable. So, many companies have turned to cyber insurance to protect their bottom […]
By subscribing you agree to with our Privacy Policy and provide consent to receive updates from our company.
