SMBs are at higher risk of Cyber Crime

Nick Cavalancia

If you work for a small business, you probably believe you’re not a target for cyber crime, largely because you have little of value to be stolen. You’re not alone. Almost half (44%) of small business management don’t see cyber crime as a priority either.

But with 42% of small businesses experiencing at least one attack in the past 12 months, that thinking needs to be turned around. Phishing, malware, zero-day attacks, application vulnerabilities, and good old-fashioned automated hacking all represent the modern-day threat to the SMB.

Why is the small business such a strong focus for cyber criminal activity?

Cyber-CriminalsSometimes you’re the target
Let’s start by evaluating the target options a cyber criminal has and see what the “criminal ROI” is on attacking each target:

  • Individuals
    Everyday people represent the least secure target for a cyber criminal. They may or may not have some form of Antivirus/malware in place, but they are susceptible to phishing attacks and the like to be fooled into giving up credentials to banks, paypal, etc. However, individuals also have the smallest access to cash and credit. A recent article stated the average savings account balance in the U.S. was a little under $4,000. While the specific amount isn’t important, it represents that there isn’t a lot a cyber criminal will be able to run off with.
  • Small Businesses
    Like individuals, small businesses are focused on operations and not security.  Access to the Internet, email, utilizing inexpensive cloud-based applications—all in the name of keeping the business running with as little expense as is possible.  And one of those areas you don’t spend on is security. The small business has more access to cash and credit than an individual, but it’s still a far cry from the amount one would expect an enterprise company to have.
  • Enterprises
    These businesses have seemingly endless access to cash and credit. They also have dedicated budget and headcount focused on securing their networks, systems, data, and users, making it very tough to make any attack headway.

So which target makes the most sense?

Think like a Small Cyber crime Business
Since you already run one small business, let’s pretend we’re going to start a new business—one that works to deceive customers into giving us money using scams and hacks to get the job done. Like any business, you want the greatest margin possible, which means the lowest investment and the highest return.

So which of the three targets requires the least investment of our time (read: the lowest security), and provides us with the greatest return (read: the most access to cash and credit)?

BINGO! It’s the small business!

You have the least amount of security, a largely wide-open Internet connection susceptible to automated attacks that hit thousands of IP addresses including yours (making you a target of convenience rather than one of espionage), many points of entry (your employees), and the most access to money in various forms, relative to your security.

But believe it or not, sometimes when a small business is hit, they’re not the target.

Sometimes you’re just an asset
In the world of spying, an asset is someone being used for information or access to an even more important target. And in the world of cyber crime, an enterprise, having a security budget larger than the entire operating budget of most small businesses, is too tough to gain access to. So why not access the Enterprise through a less secure partner? By doing so, you unknowingly become an asset.

The infamous Target breach of 2013 wasn’t accomplished by directly attacking Target’s infrastructure, databases, or security. It was initially accomplished by obtaining credentials from a Target vendor who handles their HVAC. In addition, other compromised computer systems through the U.S. were utilized as “drop” locations for the stolen credit card data where it could be accessed later.  See? Asset.

Either way, you’re a target
So we’ve answered the question of “why”, so the next question is “how” is it being accomplished and “what” to do about it.  Let me attempt to do both in one simple list:

  • Think like a Chief Security Officer
    Scrutinize every way employees expose themselves to external influences—email, websites, cloud applications, etc.—and look for the ways credentials and computers can be compromised. Phishing attacks and malware via email, as well as advanced attacks via website access are two major ways criminals get in.
  • Protect Yourself
    Implement the basics from the start: anti-malware, antivirus, and web filtering.
  • Partner Up
    Utilize a solid partner who has dealt with this before. Remember, they do this every day and have been exposed to MUCH more of this than you have.
  • Prepare Yourself
    Statistically speaking, it’s going to happen sometime. Maybe not today, but within the next two years, you may find yourself a statistic. Build at least a rudimentary plan around what actions should be taken to remedy the security breach itself, and then what to do to remedy any reputation or revenue losses.

–––––––––––––––––––––––––––––––––––––––––––––––

Want to know more about security? Then check out the videos serious by our security lead, Ian Trump…