Details about cyberattacks on small and medium-sized businesses (SMBs) may not make it to the headlines, but numerous industry reports and surveys have highlighted the grim reality of the SMB cybersecurity landscape. Even before the COVID-19 pandemic, SMBs were largely targeted by adversaries. According to a USTelecom 2021 cybersecurity survey, 45% of SMBs that own, operate, or support various United States critical infrastructure, including energy and water supply, experienced a breach in the past year. The report also found that the SMBs that were hit by a cyberattack took more than seven months to fully recover and had to spend upwards of $170,000 (approximately R2,400,000) on average to get back on their feet.
In this blog, we’ll reason out why SMBs are being increasingly targeted by threat actors.
SMBs think they’re too small to attract the attention of cybercriminals
According to a recent survey by Malwarebytes, 32% of SMBs that have been in operation for over ten years believe they won’t be targeted by cyberattacks. The same survey also revealed that younger SMBs are more ignorant of the possibility of a breach. Adversaries got hold of Target’s data by compromising the gateway server of one of its third-party vendors using stolen credentials. The breach of that SMB led to a large-scale attack.
In 2019, a small medical practice based in California decided to shut down as they couldn’t afford to rebuild patient medical records that they lost to a ransomware attack.
Old and recent cyberattacks show that threat actors don’t discriminate based on the size of an organisation.
SMBs are adopting cloud-based services and applications at a rapid pace
The sudden increase in remote work caused by the COVID-19 pandemic led to a mirrored increase in the adoption of cloud services by SMBs, with 86% stating that their cloud usage and adoption has increased as a result of the pandemic. While the cloud has been a saviour with regard to business continuity for SMBs, hasty adoption, poor security hygiene and misconfiguration of cloud environments have led to serious security loopholes that invite attackers to compromise the network and data. Ensuring only the right people have access to the right resources is now more difficult than before for SMBs.
Take, for instance, Software as a Service (SaaS) applications. According to a recent survey, SMBs with over 250 employees use close to 100 different SaaS applications, while those with fewer than 50 employees use 25-50 different applications. Without effective password practices in place, these applications might become entry points for attackers. It’s certainly difficult for someone to remember “strong” passwords for every application they use; instead they may create easy-to-remember passwords and record them in places like a notebook, their favourite note-taking app, or a spreadsheet. Even worse, some may reuse the same password for every application. Compromising one account residing behind a weak password is all an attacker needs to intrude into the organisation’s network.
Lack of specialized security personnel
The shortage of personnel and resources is an old problem that continues to affect SMB cybersecurity. IT staff in an SMB are likely to juggle multiple responsibilities. Someone who takes care of IT operations such as backups may also be managing the staff’s desktops and laptops and looking after cybersecurity as well. When they have to spend most of their time ensuring there’s as little downtime as possible for any system, focusing on security is difficult.
However, some government organisations and think tanks understand that SMBs can’t approach cybersecurity the same way as their enterprise counterparts do and have created some guidelines specific to SMBs.
In a recent webinar, ManageEngine unpacked four of these guidelines, including those created by the US Federal Communications Commission, the UK’s National Cyber Security Centre, and the Australian Cyber Security Centre. They broke down cyberattacks targeting SMBs, identified common areas that all four guidelines want SMBs to focus on, and discussed what tools can help implement the recommendations on offer.