Because they don’t see themselves as targets, small-to-midsize businesses (SMBs) have long believed that their security programs are good enough. They have a firewall, antivirus, maybe they even use two-factor authentication.
The mistake is believing that this is enough because they have nothing of value to an attacker. While they may have a smaller attack surface, they are no less vulnerable than a major enterprise.
Not only are small businesses growing as the favored targets for ransomware attacks, they are also the most impacted, with 60 percent shutting down within six months of a breach, according to the US National Cyber Security Alliance.
This increase in attacks on SMBs could in part be attributed to a false sense of cybersecurity confidence within small businesses. The reality is that when ransomware gets in, it can ruin a small company.
Sam McLane, head of security operations at Arctic Wolf Networks, said that a recent survey they conducted showed, “95 percent of IT professionals at small businesses believe their cybersecurity posture is above average. However, 100 percent of the same respondents also said they could improve their systems.”
Not paying attention to the little things can destroy a company in either cost of recovery or loss of reputation. “If they don’t test their backup and they aren’t sure that they can recover the data, it doesn’t help them,” McLane said.
That’s why it’s so important to do recovery tests. “Take a critical server on a weekend and recover it. Patch everything you can. If someone mentions the internet is not working a couple of times, something there is not right,” McLane said.
John Kronick, director of cybersecurity for the advanced technology group of PMC, said that in 2016 “Half of the organizations targeted by cyber attacks fell victim to it. Of those that were victims, a third of those reporting said that their security had been bypassed.”
The key takeaway for SMBs in those statistics is that, “Many companies need to get back to the basics of security. In most of these cases, they had tools, but they didn’t execute well,” Kronick said.
Even when they have the budget and the process, “If they don’t have the execution, then they get breached,” Kronick said.
Given that social engineering has a 50 percent success rate, SMBs need to also focus on proper execution as well as incident response and security awareness training. In addition, Kronick said, “Many of the breaches happen because of an insider issue. SMBs also need to be attentive to the patching of systems and adequate scanning of their systems depending on criticality.”
Instead of following established best practices, so often SMBs “don’t patch systems behind the firewall. In one case, a company had all its FTP systems behind the firewall and they didn’t patch them because they assumed they were fine. When they got affected, they were out of business for a couple days.”
There seems to be a time warp between the Fortune 100 companies and today's SMBs. Casaba Security's Chris Weber said that what SMBs can learn from enterprises can be summed up in one word: Everything.
“Enterprises are the major targets of attack and the ones dealing with the forefront of all issues around cyber security from social engineering to application security,” Weber said.
This fact matters when it comes to informing the security programs of SMBs because, “They release information and talk openly about their cybersecurity,” Weber said.
SMBs can then implement some of the same tools and processes to reduce their vulnerability. They are most vulnerable to phishing campaigns, which means that email is a major vulnerability.
“They are less often targeted by sophisticated adversaries, but there are a number of attackers with a variety of intentions. An attacker is going to want to extract some sort of value from a company,” Weber said.
It is well known in security that defenders have the tougher job. All the attackers need to do is find just one crack and they can get in. “Enterprises have lots of different systems, integration with partners, and mobile devices. SMBs have similar stuff on a smaller scale, but they are generally more capacity constrained,” said Weber.
If there is an IT person, that individual is usually wearing many hats. “It’s highly unlikely for SMBs to have a full-time security staff or person, so their best bet is to outsource to things like Office 365 for business applications or other cloud services,” Weber said.
Archie Agarwal, ThreatModeler's founder and CTO, said, “Almost all enterprises are now investing a lot of money and resources in protecting their applications.” That was not the case a decade ago.
For major enterprises, the third-party vendors they use are often SMBs, and now those vendors need to guarantee that they are providing some level of security.
It used to be that if a small company got hacked, nobody cared about it, said Agarwal, but now they can have a big impact on a large enterprise. It’s incumbent upon those SMBs to be thinking about how to improve their cybersecurity posture.
Then there are those Business-to-Consumer (B2C) SMBs, which are in an even more precarious situation because they cannot withstand a cyber attack, said Agarwal. “They are going to go out of business. For a hacker who got an automated tool and was able to do a DDoS attack, they need to be thinking about how to protect their brand from that kind of a situation.”
Whether they are Business-to-Business (B2B) or B2C, their reputation is a critical factor that should also inform their security programs. “They need to be taking notice to at least ask questions of what they can do to protect their business from a huge impact,” said Agarwal.
They also need to protect the intellectual property of their business. “The trade secrets. We had an SMB that got hacked by China and their IP was stolen. Now the Chinese company has it and is selling it for half the price,” Agarwal said.
Many SMBs accept this truth but don’t have the time and resources to dedicate to building a stronger security posture. “What they have started to do is build threat models to understand where the threats lie. That way they can start to prioritize in order to protect only against the threats that are specific to them,” Agarwal said.
Threat modeling helps them look at the big picture and understand the threats and then focus on where to mitigate those threats, Agarwal said. “Once they understand the big picture, they can look at a list of maybe 100 threats, and see that only 30 of those are critical.”
The traditional way was to use tools even though they didn’t know what threats the tools were protecting against. “With threat modeling, they can focus on protecting against the threats applicable to their business and business risk,” Agarwal said.
Assuming that an attacker has nothing to gain from an SMB can be the death of the business. “Cybersecurity has to be taken seriously,” Agarwal said.