With cyberattacks, there is no “under the radar,” no “dodging the bullet.” No company is too small to be devastated. In fact, small and medium-sized businesses increasingly face attacks from cybercriminals. The number, intensity and cost of these attacks continue to rise.
The threats themselves -- ransomware, phishing, etc. -- are nothing new. What is new is the scope, and the increased threat to small and medium-sized businesses.
Understanding the problem
The Ponemon Institute’s report, The 2017 State of SMB Cybersecurity, released in September, reveals just how exposed small and medium-sized businesses are to cyberattacks. Sixty-one percent of this year’s respondents say they faced such attacks, compared to 55 percent last year.
The attacks are also more costly. The average cost related to the damage to or theft of IT assets and infrastructure grew from $879,582 to $1 million. The average cost due to disruption of operations jumped from $955,429 to $1.2 million.
Unsurprisingly, more personal information is at risk. In the current 2017 survey, 54 percent of respondents report they had a breach involving sensitive information about customers, potential customers or employees; that’s an increase from 50 percent in last year’s survey.
And here’s what may be the scariest stat: Leaders at 96 percent of SMBs in the U.S., U.K. and Australia believe their organizations are vulnerable to external cybersecurity threats, according to a new report from Webroot. However, despite this apparent awareness, 71 percent said they were not prepared to address those threats.
And if the respondents to the Ponemon survey are to be believed, the attacks are only becoming more targeted, severe and sophisticated than in the past.
Scared? There’s more. Here’s a look at a real-life example and a few of the top cybersecurity challenges facing businesses in 2017.
A story of ‘unexpected events’
Just like with most things in life, you never think it will happen to you until it does:
Our healthcare client’s system was infected in a ransomware attack that added the threat of loading child pornography onto their servers. They immediately involved the FBI, which ‘seized’ the server as evidence, effectively shutting them down. You may be thinking, how often do ransomware attacks
According to a Justice.gov survey, “More than 4,000 ransomware attacks have occurred every day since the beginning of 2016. That's a 300% increase over 2015, where 1,000 ransomware attacks were seen per day.”
The single biggest thing that will defeat ransomware is regular backup of data files. The client’s proactive approach was to install a backup solution that allowed them to fail over their operation to the backup device and continue operating as if nothing had happened.
Our client heeded our advice about a proper filtering and protection suite. In what could have been a catastrophic shutdown, they had no downtime and have had no issues since our suite of tools was installed.
Phishing is the top challenge
Since the 2016 survey, phishing/social engineering (48 percent of respondents) has replaced web-based attacks (43 percent) as the most frequent type of cyberattack, according to the 2017 Ponemon survey.
Phishing attacks are the single biggest threat to SMBs in 2017, Joel Snyder, Ph.D., a senior IT consultant, writes in a BizTech Magazine article. One reason is that they are becoming increasingly difficult to identify, even for the savviest email users. One example of this, warns Inc., is “spear phishing.”
Phishing casts a wide net, hoping to trick people into sharing confidential information. But in spear phishing, the criminals get personal, targeting a specific victim.
Inc. offered an example of what spear phishing looks like: A criminal may pose as your business banker and ask you, via email, to confirm certain information or review a recent transaction. The email is addressed specifically to you, signed by the banker, and looks like every other communication you get from the bank. It emulates the look and feel of the typical communication you receive from that bank.
Make sure you and your employees understand that phishing doesn't just catch the naive anymore. Anyone is vulnerable.
Ransomware growing more common
In the 2017 Ponemon survey, 52 percent of respondents say their companies experienced a successful or unsuccessful ransomware attack; 53 percent of these respondents say they had more than two ransomware incidents in the past 12 months. That’s huge, considering that, in the 2016 survey, only 2 percent of respondents described the cyberattacks they experienced as ransomware.
Symantec called ransomware the most dangerous cyber crime threat facing consumers and businesses in 2016, and there’s no indication that the ranking will change when 2017 ends.
The pervasiveness of ransomware drives home just how successful phishing attacks are: Seventy-nine percent of respondents say the ransomware came through a phishing/social engineering attack.
Even if you can't avoid an attack, you can generally protect your data with regular and complete system backups. (Just be sure you have a reliable backup system.) The criminals' power is in holding data you need. You strip them of that power when you have a complete backup.
The up-and-coming risk: IoT
The Internet of Things is ripe for cyberattacks, Inc. warns. Any unsecured connected devices brought into your network can be accessed. Twenty-three percent of SMBs reported a data breach or security incident related to IoT devices, according to the Ponemon report.
Symantec points out that weak security makes these devices easy targets. The number of attempted attacks against IoT devices doubled during 2016, it reports. At some points, the average IoT device was attacked once every two minutes. The biggest point of weakness? A default password.
The biggest risk: being unprepared
Being unprepared is a real cyber threat--perhaps the biggest one facing your company.
Consider: Overall, 43 percent of cyberattacks target small businesses, according to Small Business Trends. However, only 14 percent of small businesses say their ability to mitigate cyber risks is “highly effective.”
This increase in attacks on small and medium-sized businesses could, in part, reflect a false sense of confidence about cybersecurity within those businesses, according to CSO. Many SMBs simply don’t see themselves as targets. Too often, they believe they have nothing of value to an attacker.
“From an attacker’s perspective, small and medium-sized businesses have access to the same data, and they may be easier targets,” Eman El-Sheikh, director of the Center for Cybersecurity at the University of West Florida, tells BizTech Magazine. The big difference? The SMBs are "less likely to have the resources dedicated to cybersecurity that a larger corporation might.”
And those businesses are likely to suffer more: Sixty percent of SMBs shut down within six months of a breach, according to the U.S. National Cyber Security Alliance.
So how are they managing it? Twenty percent of SMBs have in-house employees with some IT security responsibilities, and 37 percent use a mix of in-house and outsourced IT security support. Only 23 percent have a dedicated in-house IT security professional or team.
There’s no mystery about the cyber threats facing businesses, and there’s no shortage of advice about how to avoid them and keep your business safe. The challenge is putting that knowledge and advice into practice. The time when small and medium-sized businesses could think they can dodge the bullet is long past. It’s already aimed at you. Are you doing anything to safeguard your privacy against potential threats, or are you waiting until you become a victim?