October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to "Secure Our World," with a simple message that calls everyone to action "to adopt ongoing cybersecurity habits and improved online safety behaviors." This month, the 探花大神 blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.
When we think of cyberattacks, we tend to envision the biggest and most disastrous ones – ones that involve well-known companies, expose tons of important data, and cause some serious fallout and public mistrust. While these attacks are real and dangerous, they're not the only ones out there.
The reality is that cyberattacks affect businesses of all sizes and in all industries. Sometimes, our focus on the big ones can eclipse the less flashy ones that are just as dangerous to small and medium-sized enterprises (SMEs). According to , 43% of cyber attacks are aimed at small businesses, but unfortunately only about 14% feel they have the right tools and resources in place to properly protect themselves from it.
Mounting a viable defense starts with understanding what you're up against – and even understanding the basics of common threats and defense measures can go a long way. The following are six of the most common attack vectors that can hit SMEs.
1. Ransomware
Because the largest ransomware attacks tend to dominate news cycles, many people don't realize that ransomware attacks on SMEs are common as well. In fact, are aimed at small businesses.
What Ransomware Looks Like for SMEs
Ransomware generally follows the same basic principles in attacks of all sizes: adversaries seize and lock a company's data or assets and promise to return them upon payment of a ransom. For large enterprises, these ransoms can reach into the millions. For SMEs, they are often smaller – are common. While this may sound like a silver lining for SMEs, there's a darker motive at play: adversaries know SMEs will pay them.
For established enterprises with decades of built-up resources, six-figure ransoms and the downtime associated with an attack are painful, but not often a death sentence. For SMEs with tighter resources, this isn't always the case – the downtime and loss of data access alone can be crippling for a tightly run SME. To adversaries, this means SMEs will fight to get their data back – so they demand a "reasonable" ransom and can expect with near certainty that the SME will pay it. According to research, of them do.
The Ramifications
The ramifications of a data breach to your employees, customers, partners, and reputation are grave: found that 65% of consumers whose data was breached lost trust in the company that experienced the breach.
What's more, paying the ransom doesn't guarantee that your data hasn't been compromised or shared when under the adversary's control. Of the 59% of SMEs who said they had paid a ransom in a survey, got all their data back.
In fact, paying up can endanger your organization further: it tells hackers that you are willing and able to pay ransoms to reclaim your data. And now that they're familiar with your defenses and architecture, they'll have an easier time attacking you again. Unfortunately, repeat attacks are highly likely – either from the same criminal organization, or from another organization that the attackers sold your information to.
What's more, the latest indicates that with the data they have access to, in partnership with the FBI Internet Crime Complaint Center (IC3), it looks as though the amount paid to adversaries may be decreasing, but that the cost to recover from a ransomware attack is in fact trending in the opposite direction. According to this report, the calculated median cost of an attack (for those that reported a loss) more than doubled to over $26,000 (USD), with a range of anywhere from $1 to $2.25 million! It seems that the long-term effects of an attack like this are multitudes more damaging than the incident itself.
2. Supply Chain Attacks
Most of us are familiar with supply chain attacks, where an infection starts with a large corporation and spreads as it comes into contact with other businesses through the supply chain. And while we're likely to hear about supply chain attacks on large businesses, news sources don't always report on their trickle-down effects on smaller businesses in the supply chain.
How Supply Chain Attacks Affect SMEs
In supply chain attacks, SMEs aren't usually direct targets, but rather casualties resulting from a larger breach. Thus, large supply chain attacks have ramifications on many of the target organization's partners, customers, or vendors. In , for example, many of those impacted were SMEs that used the product. In another example, the famous was originally believed to have affected a few dozen organizations. It actually impacted over 250.
3. Phishing and Its Variants
Some of the most basic and low-effort tactics remain common – and effective – infiltration methods. Phishing remains SMEs face, even despite increasing organizational awareness around it.
The reason phishing is still so common is two-fold:
- It is effective for adversaries. From the cybercriminal's point of view, phishing is relatively easy to deploy, and it often yields lucrative results. It takes few resources and minimal skill to launch phishing attacks, and yet they continue to dupe employees into sharing credentials, network access, and other sensitive (and, for cybercriminals, profitable) information and assets.
- It preys on human error. Unlike many other attack vectors that leverage vulnerabilities in systems, phishing uses social engineering to take advantage of human nature (and human error) to gain initial entry. It only takes one mistake to allow an attack to take hold – and the average organization has a .
Targeted Phishing in SMEs
Cybercriminals have refined tactics to mount more targeted and precise attacks with different types of phishing. Spear phishing, for example, involves background research to convincingly target individuals rather than bulk-sending a list to a group of recipients. This personalization and specific targeting makes spear phishing attempts harder to spot – like the that involves posing as the target's boss in a text or email. These messages often use conversational language and use the names of the target and the boss, which can make them quite convincing.
Some adversaries take this type of attack a step further with whaling, which uses spear-phishing tactics to target company executives. Because executives have extensive access to systems and data, whaling is particularly popular – especially with SMEs, where scarce resources could hamper their ability to adequately train leaders on security and phishing awareness and best practices.
4. Software Vulnerability Exploits
Leveraging software vulnerabilities is a common way to gain access into an organization's systems. Often, exploited vulnerabilities are known and even have patches available. In fact, many of the top exploited vulnerabilities were found years ago – for example, a continues to plague businesses that haven't kept up with their patches. In a Ponemon survey, who had experienced a breach said it could have occurred through a known vulnerability that had a patch available, but the organization hadn't applied it.
Why SMEs Are Vulnerable
Routine patching is a critical basic cyber hygiene activity, and it is highly effective at blocking this type of attack. However, large-scale organizations are more likely to have formal patch management solutions in place than SMEs, which can make SMEs an easier target. In a 2022 探花大神 survey, only about half of SME respondents said they were confident that their organization's patch management strategy was sufficient to protect against known vulnerabilities.
5. Account Takeover
As businesses move to the cloud and dispersed infrastructure becomes the norm, identity has increasingly come to define the new perimeter. Because identity permeates every element of the infrastructure, it has become a common infiltration point. In fact, the number of password-stealing attacks on SMEs around the world from 2021 to 2022, and leverage identity to compromise credentials.
How ATO Attacks Work
In account takeover (ATO) attacks, adversaries gain access to the network by taking over a user's account. Account access can be gained through various means, including password-stealing ware, social engineering, and using (often, by purchasing) the credentials of already breached accounts. Once the adversary has taken over the account, they can access resources and move around the network under the guise of a legitimate user. This makes account takeovers difficult to detect.
6. Advanced Persistent Threats
SMEs that work with large enterprises may be more susceptible to advanced persistent threats (APTs), which are sophisticated attacks carried out stealthily over an extended period of time. APTs typically consist of infiltration, lateral movement toward targeted data or assets, and exfiltration. APTs can start from any ingress point, and can enter through methods as simple as a phishing attack or stolen password.
For example, an adversary could gain the credentials of an employee with base-level permissions through a phishing scam, then take over the account to analyze the network and gather permissions, access and store the target data, and finally exfiltrate it to sell for profit.
APTs are harder to detect in sprawled IT environments, which are common in SMEs that have grown quickly. IT sprawl limits the ability to fully carry telemetry data from one element to another, which makes infiltration and lateral movement hard to detect.
Shoring Up SME Security
Because cybersecurity attacks on SMEs don't always make headlines, SMEs often underestimate their vulnerability and underinvest in security. However, adversaries have something to gain from just about any business; SMEs face many of the same threats that enterprises do.
The attacks above are some of the most common, but SMEs face a multitude of threats via many different vectors. And while it's impossible for anyone to achieve 100% immunity from threats, it's possible for SMEs to develop a strong, reliable security program that deflects most attacks.
What's more, SME security isn't as cost-prohibitive as many believe. To learn how to strike a balance between supporting your SME's security and continuing to invest in business initiatives (without breaking the bank), check out the whitepaper written by 探花大神 and CrowdStrike, How to Secure Your SME with 探花大神 and Crowdstrike.