Skip to content

Part 3: Security Blind Spots: The Fallacy of SMB Cyber Invulnerability

Part 3: Security Blind Spots: The Fallacy of SMB Cyber Invulnerability
The SolarWinds and Microsoft Exchange attacks carried out by nation-state hackers have lately commanded the headlines. With all the attention on the large organizations compromised by these attacks, it’s possible SMBs have become complacent about cyber security, or even dismissive of the threat posed by hackers. SMB survey data indicates this would be a terrible mistake. A survey by Keeper and the respected Ponemon Institute indicates 66% of U.S. SMBs had experienced an attack within the past year and 63% had suffered a breach where the attacker was successful. With over 31 million SMBs in the United States, this finding suggests an alarming number of attacks. For VARs servicing the SMB market, this data presents an opportunity to adjust customer perceptions and expose this cyber security blind spot. In this article, we’ll describe the real threats faced by SMBs based on hard data collected from organizations with less than 1,000 employees. We’ll provide you with concrete steps you can take to position your firm as an expert advisor to SMB customers.
cyber security

What are the cyber security risks for SMBs?

It’s not illogical that some fraction of SMB managers could consider their organizations too small to be worth the attention of hackers. They might say “With so many deep pocketed targets available to them, why would hackers spend any time trying to get into my relatively small business?”  In fact, attack statistics can be interpreted in a way that supports this misperception. The 2020 Verizon Data Breach Investigations Report records 20 times more security incidents for large organizations than SMBs and "breaches are more than twice as common in the larger companies than in the small ones,” according to the report. This reporting disparity may be due to SMBs having a lower level of cyber detection capability than large organizations. Perhaps they are being attacked and breached just as frequently as large organizations, but they don’t know it, or the data is under reported. In any case, the numbers show they are being attacked and the risk is not zero. Looking at the data on a relative basis can only lull SMBs into a false sense of security. The 2019 Keeper/Ponemon survey of 2,176 SMBs reports the average total cost for a cyber security breach exceeds $3.1M per organization, including the cost of remediation and lost business activity. These losses can be an existential threat to many SMBs.

Ransomware attack

Ransomware attack puts medical practice out of business

A 2019 ransomware attack put a medical practice in Battle Creek, Michigan, out of business. According to reports, hackers froze all the office files at Brookside ENT and Hearing, including appointment schedules, payment and patient information. Instead of paying the $6,500 ransom demanded by the hackers – with no assurance they would get their files back or wouldn’t be hit for more money – the two-doctor practice decided to shut its doors. Healthcare providers, like many other business types, are subject to regulations that may further increase the cost of a breach. As reported by ISMG Network, HIPAA regulations require providers to report data breaches and the organization may be liable for negligence and unfair business practice penalties.  

Hackers profit Financial profits are the primary motivation behind SMB attacks. According to the Verizon DBIR, 83% of SMB incidents were financially motivated. Cyber criminals can use simple “smash and grab” tactics to generate a high ROI from attacks on SMBs. Ransomware and fraud attacks can be quickly initiated with little effort using readily available tools. This lowers the cost of an attack and generates a handsome ROI even when the payout is modest. In addition, most SMBs don’t have the sophisticated defenses of a large organization, making them attractive targets. Criminals can replicate their tactics across many SMBs to create scale. Recently, ransomware attack tools have become commoditized services. Industry researcher Group-IB reports as much as two-thirds of attacks in 2020 use ransomware as a service (RaaS), which makes cryptography algorithms available for hire by criminals through the dark web in exchange for a cut of the profits.

Hackers profit from SMB vulnerabilities


Hackers leverage enterprise tactics against SMBs

The Verizon 2020 DBIR notes strong similarities in the attack actions used against SMBs and enterprises and hypothesizes this may be due to the increasing trend toward to use cloud-based service models. As a result, SMBs may be getting caught up in the same dragnet criminals use against larger organizations. Cloud services are increasingly the way organizations of all sizes and types purchase their IT. SaaS, PaaS and myriad other services can be purchased on a pay-as-you-go basis. Criminals have recognized this trend and are adapting their tactics accordingly. The DBIR indicates phishing, stolen credentials and password dumper are the top three actions against both organization segments. All these actions are effective in breaching cloud-based services that are password protected.

Three steps VARs can take to help their SMB customers

You can improve your position as a trusted advisor to your SMB customer by helping them better understand and calibrate the risks they face from cyber criminals. Through education and awareness, you can help them allocate appropriate time and resource to mitigating their risks. Here are three steps you can bring to your customer: Advocate using case studies – You can raise your customer’s cyber security awareness using case studies, similar to Brookside ENT and Hearing. Case studies deliver information in a way that is relatable for your customer. To maximize impact, look for case studies that are in the same industry as your customer. Suggest cyber security training – The U.S. Small Business Administration offers a wide range of cyber security courses specifically designed for SMBs, available free and accessible online. Help tap into a professional network – Suggest your customer join a local cyber security interest group or connect them with other like-minded customers to learn how others are mitigating cyber risks. You can leverage social media groups (Google, Linkedin, Facebook) and this cybersecurity industry associations list.

Compelling data

Compelling data provides a call to action

Sensational cyber-crime headlines featuring recognized corporate brands as victims can lull SMBs into thinking they aren’t the targets of cyber criminals. The data from multiple recent surveys, plus real case studies, tell a different story. SMBs are being hacked in large numbers by criminals motivated by easy money.  You can help your SMB customers leverage a range of resources to educate and encourage them to take appropriate action.  These simple steps position you as a trusted advisor and advocate for the customer’s interests.