For the first time since the Verizon Data Breach Investigations Report began tracking cyberattack techniques, threat patterns affecting small and medium businesses began to closely align with the patterns affecting large firms.
This year, 80% of breaches in SMBs and 74% of breaches in large businesses were born of system intrusion, basic web application attacks, and miscellaneous errors (like distributing a file unintentionally), according to the 2020 Verizon DBIR released Thursday. External hackers comprised 57% of SMB and 64% of large business incidents.
For both SMBs and large firms, hackers acted with financial motives around 90% of the time and espionage motives around 5% of the time.
"If there's value to be extracted from the target, and they can do it efficiently, they're going to do that," said Gabriel Bassett, senior information security data scientist at Verizon Security Research. "If you've built up all these great tools to use against large organizations, there's no reason for you not to use those tools in small organizations."
The Verizon DBIR is a compendium of statistics based on the experiences in the field of more than six dozen vendors and government agencies.
Part of the reason SMB and large business threats started to match patterns was the patterns themselves. Verizon overhauled the category system, including removing crimeware as its own attack pattern. While it had been a leader for large businesses, those breaches became system intrusions and web application attacks. But not all of the change was categorical. A rise in "miscellaneous errors" made that a new leading pattern for large firms.
The DBIR found miscellaneous errors to be a leading pattern in breaches in the arts and entertainment, education and public administration sectors, and the top form of breach in the health care and financial services sectors.
Though the threats and mistakes may be similar, there is still often a feeling among smaller companies that the dangers faced by the biggest firms never translate to them. This is increasingly proving to be false, Bassett said.
"Small organizations, just by way of being on the same internet as the larger organizations, are subject to the same attacks."