Cyber Attacks - Protect and Connect
Although technology is – quite literally – opening a world of opportunity, the speed of change as well as the recent move to home or remote working, has meant that cyber-attacks on small businesses are increasingly common.
Businesses don’t need to be massive corporations or house treasure troves of sensitive information to be frequent targets of cyber-attacks. Recent cybersecurity statistics show that, despite their size, small businesses account for the majority of data breaches (58%).
• Two-thirds of SMBs have suffered a cyber-attack in the past 12 months
Attack campaigns have become so prevalent that if you didn’t experience a cyber-attack in 2019, you have to count yourself lucky. According to Keeper Security and the Ponemon Institute, you’re in the 33% minority. 6 out of 10 SMBs also report the attacks they’re seeing are becoming more targeted, damaging, and sophisticated.
The cost of an attack can be very significant with wide-ranging costs of sustained system outages and disruption. In many cases, downtime is the real killer following a breach.
• 92.4% of malware is delivered via email
So how are small businesses being compromised? According to the 2018 Verizon DBIR, the answer is almost always via email.
Attackers see email as a direct line to the most vulnerable part of any network — end users. Why go to all the trouble of utilising sophisticated exploits and bypasses when you can count on users being human?
Malicious emails have come a long way from the easily recognizable spam messages of old, but it’s often the simplest messages and disguises that are the most effective.
In the vast majority of cases (92.2%), malicious emails rely on tricking users into opening attachments. The most popular attachment type by far are Office files, which typically aren’t blocked by email filters.
According to the ISTR, 48% of malicious email attachments are Office files, up from just 5% in 2017.
Currently, one of the most successful email infection strategies is employed in Emotet and Ursnif campaigns. Once an organization has been infected with one of these trojans, one of the ways they spread is by hijacking victim email accounts and using them to send malicious attachments (often Word docs disguised as invoices) to the victim’s contacts. In some cases, malicious emails are even sent as replies to existing email chains, raising the odds of them getting past filters and tricking unsuspecting recipients who recognize the “sender” as someone they know and trust.
Email and RDP aren’t the only attack vectors small businesses need to worry about, of course. Vulnerable software and out-of-date operating systems can also provide attackers with a way in. Keeping those systems and programs patched is one of those best practices that’s easy to say, but far more difficult to do. Updates can be annoying at best, disruptive at worst, and incredibly easy to fall behind on.
Combine that with the fact that there were 16,555 common vulnerabilities and exposures (CVEs) issued last year — 1,529 rated critical — and it’s no wonder if a patch or two slips through the cracks. For many small organizations trying to handle patching manually, the goal may not be comprehensive compliance so much as simply picking a few priorities and keeping fingers crossed on the rest.
Larger organizations struggle with patching, too, thanks to testing requirements and the complexity of their networks. According to the Ponemon 2019 State of Endpoint Security Risk report, it takes organizations an average of 102 days to fully test and deploy patches. This is one area where being a small business with a smaller software footprint can actually be a benefit, but in many cases, small businesses can still benefit greatly from tools that can automate patch management.
• 3 out of 4 SMBs say they don’t know how to address IT security
Lacking tools is one thing, but the #1 pain point for small businesses when it comes to securing their network isn’t lack of software or hardware — it’s lack of people! They simply don’t have someone to properly manage security tools and processes in the first place.
According to the Ponemon and Keeper Security study, lack of personnel even trumps lack of budget. In some cases, the money is there, and so is the priority. Only 4% of respondents flagged “management does not see cyber-attacks as a significant risk” as a top challenge.