These are challenging times for small- to-midsized businesses (SMB), even without the added complications of cyber crime. In an economy struggling to gain momentum, many SMBs are operating on razor thin margins, with as few employees as possible, waiting for an upturn in consumer demand or at least a downturn in economic uncertainty. In this context, the news that SMBs are increasingly being targeted by cyber criminals can feel like adding insult to injury. The natural tendency to beat up the messenger is understandable, so the least a security expert can do is explain why this is happening.
The short answer is that SMBs represent a “sweet spot” for cyber criminals. These criminals are taking aim in two quite different ways, but driven by the same factors. I have diagramed the sweet spot in the accompanying chart.
- More money: An SMB is likely to have more money in its bank accounts than a consumer, and more likely to be moving money around (think wire transfers, vendor payments, customer payments). While there might not be a lot of profit left at the end of the month, the amount of money circulating through an SMB is greater than for the average consumer.
- Less security: An SMB is likely to have fewer security resources with which to protect its networks and systems than a large enterprise, meaning more chance of an attack succeeding and less chance of criminals being detected, identified, and prosecuted.
SMB targeting strategy
There are two main strategies by which the bad guys target SMBs. Think of them as the rifle and the machine gun. The machine gun strategy will be more familiar because it is has been around longer and is the same strategy used to target consumers: Randomly target as many victims as possible and hope to make money off as many people as possible. You could call this “spray and pray,” and it is reminiscent of spam – mass emails in which the same message is sent to millions of people in the hope that to make a profit enough of the recipients will receive and act on the email. The spammer has no knowledge of the target, but is prepared to act if he gets a “hit.” The mass infections and mega-botnets of recent years use the same strategy (some of them in the furtherance of spamming activities).
The rifle strategy is to go after fewer targets of higher value. That value might lie in a specific bank account or specific intellectual property, data that is helpful to a competitor. The attacker might be a criminal or a nation- state, a competitor or someone hired by a competitor. The value could also come from compromising an SMB system that offers a gateway to an enterprise system – for example, when an SMB is a supplier to a larger company. In other words, unauthorized access to the SMBs' systems is not the ultimate goal, although that hardly diminishes the potential for negative fallout if such an attack succeeds.
Reliable statistics on the number and type of cyber attacks experienced by SMBs over the years are hard to come by, but every indication we have from talking to SMBs is that the attacks, both rifle and machine gun, are on the rise. We have previously written about how the industrialization of malware has been enabling this trend. The message is clear: We need to do more to defend SMB systems and fight back. That might sound like a daunting prospect, but I would say I am cautiously optimistic.We are seeing the federal government take the fight to the bad guys. That increases the risk to criminals, and there is a basic risk/reward calculation at the heart of most criminal activity. We can all play a role in reducing the reward by reducing the success rate of attacks. That process starts, in my opinion, at the level of the system user, the SMB employee. Why not take advantage of the fact that October is National Cyber Security Awareness Month in America, and direct your employees to the many free security education resources available, including ESET training modules (only accessible in North America). Remember, a security-savvy workforce is the first line of defense for SMBs.