Too small to be targeted? Think again.

  • FOCAI
  • Mar 2, 2020
  • 4 min read

Updated: May 3, 2020

Many businesses wrongly assume that they are too small to be a target for cyber attack, but the truth is that they're the ones most likely to be targeted.

Data breaches are running at a record pace. The first 6 months of 2019 saw over 3800 publicly disclosed breaches and more than 4.1 billion records exposed, according to a recent report. This is a 54% increase from the same period in 2018, and this growth trend is expected again in 2020. The overall volume of cyber attacks is increasing, thanks in part to the growing number of bot armies for hire, which means it's almost guaranteed that your business will suffer a breach at some point if it hasn't already.


Never too small to be a target

Many businesses wrongly assume they are too small to be a target for cyber attack, but the truth is that they're the ones most likely to be targeted. Whilst it’s the biggest brands that get the headlines for the magnitude of their security breaches, such as Marriott and British Airways, statistics show that most attacks are aimed at small and medium-sized businesses (SMBs) and that the volume of these attacks is rising.


Attackers are drawn to the perceived low-hanging fruit of small businesses, since these will often have less well-guarded data stores. All it takes is for automated online scripts to be run so that vulnerabilities and unsecured databases can be found, then harvested for the data they contain.


Attacks on SMBs increasingly frequent and sophisticated

According to a global survey carried out by the Ponemon Institute, attacks against small and medium-sized businesses across Europe, the UK and the US are growing in both frequency and sophistication. The report, released in October 2019, surveyed 2,176 individuals in companies with a headcount of less than 100 to 1,000 in the US, UK, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg) and Scandinavia (Denmark, Norway and Sweden). Amongst the key findings:


  • Overall, attacks are increasing dramatically. 76% of U.S. companies were attacked within the measured timeframe, up from 55% in 2016. Globally, 66% of respondents reported attacks in the same period.

  • Attacks that rely on deception are rising. Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%) and credential theft (30%) among the most common attacks waged against SMBs globally.

  • Data loss among the most common impact. Globally, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the past year. That number is 69% in the U.S., an increase from 50% in 2016.


Can you tell if you've been attacked?

With some attacks, businesses are left in no doubt that their systems have been compromised. One example is a ransomware attack, where individual files or computers are held hostage unless a ransom fee is paid. Similarly, Distributed Denial of Service (DDoS) attacks, where multiple systems flood the bandwidth or resources of a targeted system, are obvious when users can’t get access to what they usually can. The Mirai botnet attack in October 2016 famously brought down much of the internet across the US and Europe, including Twitter, Netflix, CNN and many other popular websites and internet services.


However, other attacks may employ covert tactics in order to maximise the amount and quality of information they can exfiltrate over the longest period of time before they are caught. For example, the Marriott/Starwood data breach took up to 4 years to spot, during which it is now confirmed that the personal data of over 339 million guests was stolen from Starwood Hotels’ reservations system since 2014 (Marriott acquired Starwood in 2016).


The 2019 Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, which also included larger enterprises in its survey, found:


  • Average time to detect a breach = 209 days

  • Average lifetime of a breach = 314 days


SMBs struggling with a lack of cybersecurity leadership

Many SMBs lack personnel with any real security expertise, often leaving security in the hands of IT technicians who typically ask for budget to spend on more technologies. This often results in businesses spending ever-increasing amounts of money on tech, yet never really understanding what any of it does for the business. The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report worryingly confirmed this, finding that:


45% of SMBs described their security posture as ineffective


NIST's definition of Security Posture:
The security status of an organization’s networks, information, and systems based on Information Assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the organization and to react as the situation changes.

Small businesses can be better prepared than large enterprises

Despite having far less budget and fewer security capabilities than larger enterprises, SMBs can often be more agile and better prepared to deal with a cyber attack.

Security is not solely an IT function and it's time that businesses realise this.

Larger enterprises also typically have more complex networks; a greater number of new and old systems, which are cloud-based or on-premise, or a hybrid of the two; huge amounts of data in a variety of formats spread across these multiple systems; and an exponentially larger workforce who are possibly susceptible to social engineering, all of whom have multiple endpoint devices (including computers, smartphones etc.), which increases the attack surface for any motivated attacker. Whilst small businesses have fewer of these, they tend to have a bigger problem in finding staff with sufficient cybersecurity expertise.

Be better prepared. Engage a trusted partner to help you understand your security posture and implement a strategy that's clearly aligned with the particular risks and needs of your business.

The shortage of cybersecurity expertise on the market is well documented and small businesses face an impossible challenge to recruit staff with sufficient know-how and experience. Whilst cyber threats make the headlines, security is not solely an IT function and it's high time that SMBs realise this, especially since they have become the favourite target for attackers. Yet there is still a way they can be better prepared than larger enterprises, and that is to engage a trusted partner with the expertise you need to help you focus your efforts, understand your security posture and implement a strategy that's clearly aligned with the particular risks and needs of your business.
