As part of our experts’ comments series, please find below comments from experts on why SMEs are facing rising cybercrime.
Cyber criminals target SMEs for a number of reasons:
1. Just because they are small doesn’t mean they are not a valuable target. An SME in a high value sector such as biotechnology, pharmaceutical research or high-tech engineering will, by definition, have a set of high value I.P. This may be attractive both to criminals for simple resale and as the target for a nation state sponsored attack. Therefore, an SME cannot take the view “I am small, so I am not worth targeting”. More importantly, the loss of the I.P. could be highly destructive to the SME as it could destroy their competitive advantage and negate years of research.
2. Just because they are small, that doesn’t mean they don’t know anyone big. Many SMEs work closely with larger organisations and provide key services, which may make them a target for a specific attack aimed at the larger company. For example, a small media company may have pre-release product details from a larger manufacturer so that they can prepare an ad campaign and an attacker may go for the SME to get the details rather than the manufacturer. There are many SMEs who may process personal data for smaller organisations, so it makes sense to attack them to get the data.
The third-party connection that an SME has with a larger organisation also means that the attacker can leapfrog into their main target. Therefore, an attacker may steal the identity of a user at an SME and then use this to connect to the main target – the SME is just there to provide a passage to the attackers’ real destination. This is why Third-Party Assessments are now becoming part of the role of the CISO in larger enterprises, as they want to check that the SME is not their weakest link.
3. Being small means that they probably don’t have the defence capability. SMEs tend to outsource a lot of their IT and have few, if any, full time security staff. There may be a half FTE who looks at security and must take on all aspects with a limited budget, making them a better target.
What steps can SMEs take to stay one step ahead of the attackers?
It can be challenging for an SME to stay ahead of attackers due to their lack of resources. However, there are a number of steps they can take.
1. Look for support from government initiatives. In the U.K., a set of principles called Cyber Essentials has been established for SMEs. This provides them with a set of steps that they should take to provide basic security. They can establish a plan and measure how far they have progressed, which also has other advantages. For example, it may enable them to bid for business that they might otherwise miss out on as they can prove a security standard. An assessment request coming from an enterprise customer or partner will have many answers ready-made. So, there are business advantages as well as security benefits.
2. Look to the Cloud. It is becoming increasingly easy to find SaaS based security solutions. These will be easier to install and run, which goes some way to addressing the lack of employee time required to deliver security. These solutions cover some of the critical areas such as protecting users’ endpoints, which are often the favourite vector for entry. These solutions may also be priced on a user basis, providing a consumer type model and enabling very clear pricing.
3. Help your teams to be security conscious. We all want our teams to help customers and suppliers, and customer service is often a differentiator for an SME. However, this can also be a weak point, as rapid response to any query is expected. This means that phishing attacks asking for the user to click on a link will be easily mistaken for a genuine customer request. For this reason, making sure that the business is Phishing Aware is imperative. Some vendors will provide free phishing testing tools, which will enable the SME to test and educate their teams on potential attacks.
4. Keep up with advice notes. There will be sources of advice that will help on specific topics and suggest where to look for solutions, rather like a free security research team. The NCSC provides this in the UK but can be accessed from anywhere, so an SME can have their own online advisor for free.
Why are cyber criminals targeting SMEs?
Most cybercriminals prey on human error, manipulation, and the path of least resistance. An SME often has far fewer resources and a lower level of talent than an enterprise, making them prime targets for faster and less complicated attacks. With some basic research on an SME’s industry, their applications, and processes, an attacker can build an attack that they can “spray” across that industry. It is not necessarily a complex attack, nor are their aspirations for the largest of payouts. The ROI is simply based on being able to target like types of companies and their weaknesses and to be able to easily rinse and repeat their attack. Ransomware is also commonly an SME attack of convenience. The payout is immediate, and all too often paid, as the alternatives could be so severe that the business may not be able to recover. It provides a new definition to the application of “Account Based Marketing” strategies.
What are the other cyber threats that SMEs face and the steps they can take to stay one step ahead of attackers?
Although it is unlikely that an attacker would apply an APT to an SME for minimal likely payout, they will have endless opportunities to repackage exploit kits for mass malware or remote access tool (RAT) distribution. Sooner or later, a chink in the armor will be found and the attacker is in. Once the attacker is in, many SMEs have simply not made adequate investment in in-network detection tools, leaving the attacker with the freedom to roam throughout the network at their own pace in order to complete their attack. SMEs should not succumb to being a sitting duck and react only once the attacker has launched a successful attack.
The best defence for staying one step ahead of an attacker is to add in the ability to detect threats that have bypassed their anti-virus and firewall perimeters both quickly and accurately. Gartner, Inc. recently highlighted deception technology as a critical security control for SMEs at their recent Security and Risk Summit. They emphasized the technology because it is extremely accurate, easy to manage, and does not require highly skilled operators, which has been the Achilles heel of other forms of detection technology. A quiet but silent set of landmines within a network, deception technology should be on every SME’s checklist to ensure that attackers do not go undetected or unresponded to.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.