Why small and medium businesses are hackers’ favoured targets

According to Watchguard Technologies (a leading Internet security vendor), a staggering 80% of small and medium businesses believe that they’re too small to be of interest to hackers. However, their research shows that it is exactly these companies which are hackers’ favourite targets. But why?

A false sense of security leads to an easy target

As many small businesses don’t think of themselves as a target, they don’t bother to take sufficient steps to protect themselves or their clients’ data. Many believe that running antivirus software provides enough protection, but in 2017 as much as 40% of malware was missed by fully updated antivirus software due to the stealth technologies that virus writers are starting to use.

Hackers and cyber-criminals know that small businesses lack the awareness, staffing and protection they need, which makes them a considerably easier target than larger organisations.

Automated malware doesn’t care who it attacks

A great deal of modern malware is automated, scanning the Internet for unprotected systems or emailing itself to unsuspecting victims. Because there are far more small businesses than large ones, and because they tend to be less well protected, they are more likely to fall victim to these kinds of attack.

A lack of dedicated IT security staff means breaches go unnoticed for months

As most small and medium sized businesses lack dedicated IT security staff (some have IT staff, but IT security is a distinct discipline), hackers know that the chances of their activities being discovered are slim. Once a back door into a compromised system is established, data can be stolen over a period of months or even years, making the attack a very lucrative prospect for the attacker.

Quantity over quality

Attackers know that small businesses often hold a large amount of valuable data. Although the amount and value of this data tends to be smaller than that gathered by a successful attack against a larger organisation, the attack takes considerably less time, meaning more targets can be hit and more money raised.

The value of relationships

The relationships between small businesses and their suppliers and customers are an extremely valuable commodity to cyber-criminals. If a criminal knows who a business communicates with, they can impersonate employees to spread malware, order physical items, create fake payment requests or gain physical access to buildings and facilities.

A single hack can be the end of a small business

Many small businesses aren’t aware of their legal requirements regarding cyber security and data protection, which means that many of them don’t realise that a single breach could be the end of their business. Laws such as the General Data Protection Regulation (GDPR) apply to all businesses, with fines starting at €10 million. Once you add to this the loss of business caused by the disruption, the cost of dealing with the aftermath of an attack and the damage to the company’s reputation, the true cost of a breach becomes a figure that only the largest companies can afford to pay and survive.

So what can be done?

The most important aspect of IT security for small and medium businesses is to understand that they could easily become a victim of cyber-crime, and that a single breach is likely to be the end of their organisation if they don’t plan accordingly.

In the same way that organisations don’t rely on a single physical method to protect valuable items or data (such as locking only one door), companies should consider installing a selection of security systems. This “defence in depth” ensures that attacks missed by one system can still be stopped by the others alongside it. A wise defence in depth solution for a small business should include:

  1. A Unified Threat Management (UTM) firewall. Unlike packet filtering firewalls (which are sometimes built into broadband routers), a UTM firewall runs a suite of software that identifies and blocks all types of viruses, malware, ransomware and attacks by inspecting all data leaving and entering your network. UTM firewalls provide a huge amount of defence in depth in a single unit.
  2. Endpoint protection. Each device inside the network (including computers, tablets, point-of-sale tills, etc.) should have a good endpoint protection suite installed on it. At an absolute minimum, this would be a combination of antivirus and anti-malware software, but a specialist endpoint protection suite (which combines these functions with a security management platform) should be installed.
  3. Inventory and patch management. In order to protect a system, you must know it exists. For small businesses with only a handful of devices, this is relatively easy, but it becomes increasingly harder as companies grow. Not only does inventory management ensure that you don’t lose systems (and the data on them), but the patch management aspect is vital to ensure that software patches are properly installed so that attacks can’t target known flaws in software.
  4. Monitoring. Attacks leave a trace and can be easily blocked if someone spots them and takes action. However, this monitoring can be a challenge for small and medium businesses, who tend to lack specialist security staff. Managed Security Service Providers (MSSPs) can monitor systems remotely on a subscription basis, meaning that they can provide the monitoring and remediation on your behalf.
  5. Staff training. One of the most overlooked aspects of security is staff training. Many attacks, especially email based attacks, are designed to trick users into disclosing information or transferring money to bank accounts the attacker controls. As these are simply emails, with no malware or viruses attached, they aren’t stopped by traditional antivirus or anti-malware software and are very challenging for anti-spam systems. The most effective method of dealing with these attacks is good staff training, and this also gives additional security benefits such as making sure that staff know not to use insecure removable storage or weak passwords.
  6. Get professional help. IT security is a specialist and fast changing discipline, which means you will need specialist help. Although general IT companies can provide some assistance, you will need to seek out a specialist IT security company to properly protect yourself.
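As an added illustration of items 3 and 4 above (this is example code written for this page, not something from the original article or from any vendor it mentions), the script below reconciles a small device inventory against DHCP lease activity and patch dates. It flags three of the gaps the article warns about: devices on the network that nobody recorded, inventoried devices that have gone quiet, and devices that have not been patched within a chosen window. The inventory, the dnsmasq-style log lines and the device names are all constructed sample data, and the 30-day patch window is an assumed policy value.

```python
"""Reconcile a device inventory against DHCP leases and patch dates.

Added example for this page; all data below is constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date, datetime

# Constructed inventory: what the business believes is on its network.
# Keyed by MAC address; last_patched is the date updates were last applied.
INVENTORY: dict[str, dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"name": "office-pc-01", "last_patched": "2024-06-03"},
    "aa:bb:cc:00:00:02": {"name": "office-pc-02", "last_patched": "2024-02-14"},
    "aa:bb:cc:00:00:03": {"name": "pos-till-01", "last_patched": "2024-05-28"},
    "aa:bb:cc:00:00:04": {"name": "file-server", "last_patched": "2024-06-01"},
}

# Constructed DHCP server log lines in a dnsmasq-like format (sample data).
DHCP_LOG = """\
Jun  4 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.20 aa:bb:cc:00:00:01 office-pc-01
Jun  4 08:03:45 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.21 aa:bb:cc:00:00:02 office-pc-02
Jun  4 08:10:02 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.30 aa:bb:cc:00:00:03 pos-till-01
Jun  4 09:27:51 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.1.77 de:ad:be:ef:12:34 android-3f9c
"""

# Matches the IP, MAC and optional hostname that follow a DHCPACK marker.
LEASE_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(?P<host>\S*)",
    re.IGNORECASE,
)


def parse_leases(log_text: str) -> dict[str, tuple[str, str]]:
    """Return {mac: (ip, hostname)} for every DHCPACK line in the log."""
    leases: dict[str, tuple[str, str]] = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"])
    return leases


def unknown_devices(inventory, leases) -> list[tuple[str, str, str]]:
    """Devices that took a lease but are not in the inventory: (mac, ip, host)."""
    return sorted(
        (mac, ip, host) for mac, (ip, host) in leases.items() if mac not in inventory
    )


def missing_devices(inventory, leases) -> list[str]:
    """Inventoried devices with no lease: possibly switched off, lost or moved."""
    return sorted(info["name"] for mac, info in inventory.items() if mac not in leases)


def stale_patches(inventory, today: date, max_age_days: int = 30) -> list[tuple[str, int]]:
    """Inventoried devices whose last patch date is older than max_age_days."""
    out = []
    for info in inventory.values():
        patched = datetime.strptime(info["last_patched"], "%Y-%m-%d").date()
        age = (today - patched).days
        if age > max_age_days:
            out.append((info["name"], age))
    return sorted(out, key=lambda row: -row[1])


def build_report(inventory=INVENTORY, log_text=DHCP_LOG, today=date(2024, 6, 4)) -> dict:
    """Combine the three checks into one report keyed by finding type."""
    leases = parse_leases(log_text)
    return {
        "unknown": unknown_devices(inventory, leases),
        "missing": missing_devices(inventory, leases),
        "stale": stale_patches(inventory, today),
    }


if __name__ == "__main__":
    for section, rows in build_report().items():
        print(f"[{section}]")
        for row in rows:
            print("  ", row)
```

With the sample data, the report lists the unrecorded Android device on 192.168.1.77 as unknown, the file server as missing from the day's leases, and office-pc-02 as 111 days behind on patches. In practice the inventory would come from a spreadsheet or asset database and the log from the router or DHCP server, and an unknown-device finding is exactly the kind of trace an MSSP would be expected to act on.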