Part 3: Security Blind Spots: The Fallacy of SMB Cyber Invulnerability
The SolarWinds and Microsoft Exchange attacks carried out by nation-state hackers have lately commanded the headlines. With all the attention on the large organizations compromised by these attacks, it’s possible SMBs have become complacent about cyber security, or even dismissive of the threat posed by hackers. SMB survey data indicates this would be a terrible mistake. A survey by Keeper and the respected Ponemon Institute indicates 66% of U.S. SMBs had experienced an attack within the past year and 63% had suffered a breach where the attacker was successful. With over 31 million SMBs in the United States, this finding suggests an alarming number of attacks. For VARs servicing the SMB market, this data presents an opportunity to adjust customer perceptions and expose this cyber security blind spot. In this article, we’ll describe the real threats faced by SMBs based on hard data collected from organizations with fewer than 1,000 employees. We’ll provide you with concrete steps you can take to position your firm as an expert advisor to SMB customers.
What are the cyber security risks for SMBs?
It’s not illogical that some fraction of SMB managers could consider their organizations too small to be worth the attention of hackers. They might say, “With so many deep-pocketed targets available to them, why would hackers spend any time trying to get into my relatively small business?” In fact, attack statistics can be interpreted in a way that supports this misperception. The 2020 Verizon Data Breach Investigations Report records 20 times more security incidents for large organizations than SMBs, and “breaches are more than twice as common in the larger companies than in the small ones,” according to the report. This reporting disparity may be due to SMBs having a lower level of cyber detection capability than large organizations. Perhaps they are being attacked and breached just as frequently as large organizations, but they don’t know it, or the data is underreported. In any case, the numbers show they are being attacked and the risk is not zero. Looking at the data on a relative basis can only lull SMBs into a false sense of security. The 2019 Keeper/Ponemon survey of 2,176 SMBs reports the average total cost of a cyber security breach exceeds $3.1M per organization, including the cost of remediation and lost business activity. These losses can be an existential threat to many SMBs.
Ransomware attack puts medical practice out of business
A 2019 ransomware attack put a medical practice in Battle Creek, Michigan, out of business. According to reports, hackers froze all the office files at Brookside ENT and Hearing, including appointment schedules, payment and patient information. Instead of paying the $6,500 ransom demanded by the hackers – with no assurance they would get their files back or wouldn’t be hit for more money – the two-doctor practice decided to shut its doors. Healthcare providers, like many other business types, are subject to regulations that may further increase the cost of a breach. As reported by ISMG Network, HIPAA regulations require providers to report data breaches, and the organization may be liable for negligence and unfair business practice penalties.
Financial profit is the primary motivation behind SMB attacks. According to the Verizon DBIR, 83% of SMB incidents were financially motivated. Cyber criminals can use simple “smash and grab” tactics to generate a high ROI from attacks on SMBs. Ransomware and fraud attacks can be quickly initiated with little effort using readily available tools. This lowers the cost of an attack and generates a handsome ROI even when the payout is modest. In addition, most SMBs don’t have the sophisticated defenses of a large organization, making them attractive targets. Criminals can replicate their tactics across many SMBs to create scale. Recently, ransomware attack tools have become commoditized services. Industry researcher Group-IB reports that as much as two-thirds of attacks in 2020 used ransomware as a service (RaaS), a model in which ransomware tooling, including its file-encryption capability, is made available for hire by criminals through the dark web in exchange for a cut of the profits.