Does the size of your enterprise really matter to cybercriminals? Well, yes and no.
Most experts would agree with Jody Westby, CEO of Global Cyber Risk, when she says, "it is the data that makes a business attractive, not the size -- especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property."
But, most experts also say the reality is that small and midsized enterprises (SME) are more attractive targets because they tend to be less secure and because automation allows modern cyber criminals to mass produce attacks for little investment.
That means a small business owner's assumption that he or she would be too insignificant to attract the interest of cyber criminals may have been true in the past, but not now.
Greg Shannon, chief scientist at the CERT Division of the Software Engineering Institute at Carnegie Mellon, said he believes that size is, "somewhat of a red herring. It's more about scale."
But, he added that, "small business is a huge target because attacks are automated. The criminals don't care who they're attacking, and while any given business isn't worth much, they have viruses or ransomware that allow them to attack thousands or millions."
Those victimized by automated attacks tend to fall into what experts call the "low-hanging fruit" category. And SMEs tend to be in that category much more than larger enterprises.
Security vendor Kaspersky has noted that, "larger enterprises have become better defended so cybercriminals are moving down the business food chain."
Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, said that, "smaller companies are generally more vulnerable, as only the best companies can afford the best defenses."
David Burg, global and US advisory cybersecurity leader at PwC, said that problem is getting worse, since smaller companies are cutting their security spending. He said in PwC's recent Global State of Information Security Survey 2015, "we found that small firms, with annual revenues less than $100 million, cut security spending by 20% in 2014, while medium -- those with revenues of $100 million to $999 million -- and large companies increased security investments by 5%."
That study also found that compromises of mid-size firms rose 64% from 2013 to 2014. "We think threat actors are beginning to target medium-tier businesses because they typically cannot match the sophisticated cybersecurity technologies and processes of the largest companies," Burg said.
And the Verizon Communications 2013 Data Breach Investigations Report found that close to 62% of data breaches that year were at the SME level.
Among the weaknesses that make SMEs attractive to criminals, cited by multiple experts are:
- Lack of time, budget and expertise to implement comprehensive security defenses.
- No dedicated IT security specialist on the payroll.
- Lack of risk awareness.
- Lack of employee training.
- Failure to keep security defenses updated.
- Outsourcing security to unqualified contractors or system administrators
- Failure to secure endpoints.
Shannon agrees with the items on that list, but notes that, "those were all true five or 10 years ago."
What is different now, he said, is that SMEs are "much more interconnected" than in the past. Instead of having just a simple website or email account, they are involved in much more complex networks that involve on-premise, mobile and cloud and interactive connections with customers and partners.
The data generated by all that, "is much more valuable to criminals," he said, noting that "losing a few emails in the past was an annoyance, but now it's critical."
Another reason SMEs have become more attractive is that they are viewed as an entry point into a larger, more lucrative, target.
Alex Moss, CTO and managing partner at Conventus, said he thinks many SMEs are more a means to an end than the ultimate target.
"As the B2B digital world continues to become more entwined, large companies are requiring their vendors to interact with internal systems including procurement, logistics, marketing, human resources, payroll, and even into environmental and maintenance," he said. "These relationships and requirements create access into the parent organization -- the ultimate target."
That is also the message from Symantec Security response, which in an email to CSO said, "attackers often use SMBs as stepping stones to gain access to larger corporate networks."
PwC's Burg agrees, noting that, "smaller organizations increasingly serve as vendors, contractors, and business partners of bigger firms, and as such may have trusted access to the networks and data of these partners." And when they are cutting spending on security, their vulnerability increases.
"There is a very clear correlation between the amount of money spent and the effectiveness of a company's security program," Burg said.
In spite of those grim realities, experts say there are ways SMEs can improve their security without breaking their budget.
Healey said he thinks things could improve this year, "as more SMEs outsource to the cloud, giving them orders of magnitude better resilience and security."
Shannon also recommended moving to the cloud, and said another way to become less vulnerable is to, "diversify a bit -- don't put all your eggs in one basket. Have one system for personnel and one for production. Use different hard drives or different OSs. It will make you more resilient."
Regulators are also paying closer attention to SMEs. In the retail world, the latest version of the Payment Card Industry Data Security Standard (PCI DSS), which took effect Jan. 1, requires more rigorous security standards for third-party vendors or contractors, which have been a weak point for major companies -- illustrated in a high-profile way by the catastrophic Target breach a little more than a year ago.
Throughout the business world, Moss said it is not realistic or fair to require SMEs to have, "the same complex controls and monitors that large enterprises leverage. However, it should be expected that they have basic controls, while the large enterprise is focused on tightly limiting, managing, and monitoring their vendor access," he said.
All this does not mean that large enterprises are no longer major targets. Burg notes that two of last year's high-profile retailer breaches, "yielded more than 50 million payment card records each. You're simply not going to find that level of payoff with smaller companies.
"Big companies also tend to have more high-value intellectual property and trade secrets that may not provide immediate financial gains but may be significantly more valuable in the long run," he said.
Symantec noted that in 2013, "targeted attacks increased by 91 percent and lasted an average of three times longer. Organizations, be they small or large, hold valuable information that will remain attractive for all types of criminals."
And Healey noted that, "it's easier to rob a house than a museum and easier to rob a museum than the Louvre. Yet heists will still target the Louvre because that is where the real treasure lies."