Why criminals pick on small business

Does the size of your enterprise really matter to cybercriminals? Well, yes and no.

Most experts would agree with Jody Westby, CEO of Global Cyber Risk, when she says, "it is the data that makes a business attractive, not the size -- especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property."

But most experts also say the reality is that small and midsized enterprises (SMEs) are more attractive targets because they tend to be less secure and because automation allows modern cybercriminals to mass-produce attacks for little investment.

That means a small business owner's assumption that he or she would be too insignificant to attract the interest of cyber criminals may have been true in the past, but not now.


Greg Shannon, chief scientist at the CERT Division of the Software Engineering Institute at Carnegie Mellon, said he believes that size is, "somewhat of a red herring. It's more about scale."

But, he added that, "small business is a huge target because attacks are automated. The criminals don't care who they're attacking, and while any given business isn't worth much, they have viruses or ransomware that allow them to attack thousands or millions."

Those victimized by automated attacks tend to fall into what experts call the "low-hanging fruit" category. And SMEs tend to be in that category much more than larger enterprises.

Security vendor Kaspersky has noted that, "larger enterprises have become better defended so cybercriminals are moving down the business food chain."

Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, said that, "smaller companies are generally more vulnerable, as only the best companies can afford the best defenses."

David Burg, global and US advisory cybersecurity leader at PwC, said that problem is getting worse, since smaller companies are cutting their security spending. He said in PwC's recent Global State of Information Security Survey 2015, "we found that small firms, with annual revenues less than $100 million, cut security spending by 20% in 2014, while medium -- those with revenues of $100 million to $999 million -- and large companies increased security investments by 5%."

That study also found that compromises of mid-size firms rose 64% from 2013 to 2014. "We think threat actors are beginning to target medium-tier businesses because they typically cannot match the sophisticated cybersecurity technologies and processes of the largest companies," Burg said.

And the Verizon Communications 2013 Data Breach Investigations Report found that close to 62% of data breaches that year were at the SME level.

Among the weaknesses that make SMEs attractive to criminals, cited by multiple experts, are:

  • Lack of time, budget and expertise to implement comprehensive security defenses.
  • No dedicated IT security specialist on the payroll.
  • Lack of risk awareness.
  • Lack of employee training.
  • Failure to keep security defenses updated.
  • Outsourcing security to unqualified contractors or system administrators.
  • Failure to secure endpoints.

Shannon agrees with the items on that list, but notes that, "those were all true five or 10 years ago."

What is different now, he said, is that SMEs are "much more interconnected" than in the past. Instead of having just a simple website or email account, they are involved in much more complex networks that involve on-premise, mobile and cloud and interactive connections with customers and partners.

The data generated by all that, "is much more valuable to criminals," he said, noting that "losing a few emails in the past was an annoyance, but now it's critical."

Another reason SMEs have become more attractive is that they are viewed as an entry point into a larger, more lucrative, target.

Alex Moss, CTO and managing partner at Conventus, said he thinks many SMEs are more a means to an end than the ultimate target.

"As the B2B digital world continues to become more entwined, large companies are requiring their vendors to interact with internal systems including procurement, logistics, marketing, human resources, payroll, and even into environmental and maintenance," he said. "These relationships and requirements create access into the parent organization -- the ultimate target."

That is also the message from Symantec Security Response, which in an email to CSO said, "attackers often use SMBs as stepping stones to gain access to larger corporate networks."

PwC's Burg agrees, noting that, "smaller organizations increasingly serve as vendors, contractors, and business partners of bigger firms, and as such may have trusted access to the networks and data of these partners." And when they are cutting spending on security, their vulnerability increases.

"There is a very clear correlation between the amount of money spent and the effectiveness of a company's security program," Burg said.

In spite of those grim realities, experts say there are ways SMEs can improve their security without breaking their budget.

Healey said he thinks things could improve this year, "as more SMEs outsource to the cloud, giving them orders of magnitude better resilience and security."

Shannon also recommended moving to the cloud, and said another way to become less vulnerable is to, "diversify a bit -- don't put all your eggs in one basket. Have one system for personnel and one for production. Use different hard drives or different OSs. It will make you more resilient."

Regulators are also paying closer attention to SMEs. In the retail world, the latest version of the Payment Card Industry Data Security Standard (PCI DSS), which took effect Jan. 1, requires more rigorous security standards for third-party vendors or contractors, which have been a weak point for major companies -- illustrated in a high-profile way by the catastrophic Target breach a little more than a year ago.

Throughout the business world, Moss said, it is not realistic or fair to require SMEs to have, "the same complex controls and monitors that large enterprises leverage. However, it should be expected that they have basic controls, while the large enterprise is focused on tightly limiting, managing, and monitoring their vendor access."

All this does not mean that large enterprises are no longer major targets. Burg notes that two of last year's high-profile retailer breaches, "yielded more than 50 million payment card records each. You're simply not going to find that level of payoff with smaller companies.

"Big companies also tend to have more high-value intellectual property and trade secrets that may not provide immediate financial gains but may be significantly more valuable in the long run," he said.

Symantec noted that in 2013, "targeted attacks increased by 91 percent and lasted an average of three times longer. Organizations, be they small or large, hold valuable information that will remain attractive for all types of criminals."

And Healey noted that, "it's easier to rob a house than a museum and easier to rob a museum than the Louvre. Yet heists will still target the Louvre because that is where the real treasure lies."
