With all the headline breaches focusing on the more high-profile victims, you could be forgiven for thinking that the SMB sector is overlooked by attackers in favour of big-prize targets such as Ashley Madison, Three Mobile, Facebook, Yahoo, LinkedIn and Target. That isn't the case: SMBs are in fact taking the brunt of cyber-attacks, and in some cases they provide the route into the bigger, higher-profile targets…
Survival of the fittest…
Statistically, 43% of cyber-attacks hit small businesses, yet only 14% of small businesses rate their ability to mitigate cyber risk, vulnerabilities and attacks as highly effective. Coupled with the fact that the cost of a breach to a small business can be anywhere in the region of £65,000 to £115,000, if not more, it's no wonder that 60% of SMBs are reported to go out of business within 6 months of a breach. Given the opportunistic nature of most attacks, it's safe to say that SMBs aren't being singled out; rather, they expose a wider range of vulnerabilities and therefore fall victim more readily than the average enterprise.
Understandably, smaller businesses may not have the resources to defend themselves in the same way the average enterprise can, but they still hold valuable data (such as customer records that could be used for identity theft) that attackers consider a worthwhile opportunity. In addition to the data they hold, they may also provide attackers a route into a larger company, as was the case with the Target breach in 2013, where the intruders first obtained the network credentials of a small HVAC contractor that serviced Target's stores.
The most common attacks small businesses fall victim to are (respondents could select more than one):
- 49% Web-based
- 43% Phishing / social engineering
- 35% Malware
- 26% SQL injection
What this tells us is that a two-fold approach is required to address these issues…
Firstly, it's clear there is a shortfall in cyber-security awareness within the SMB community, which can only be corrected through education and process implementation. Employees should be educated about the risks they face when accessing an unfamiliar website or opening a link in an email from an unfamiliar source. There should be guidelines on password strength and how often passwords should be changed. A clear process needs to be defined for handling sensitive data. Usage guidelines should be documented, readily available and periodically updated so that employees have a clear understanding of the risks and how to spot and avoid them.
Secondly, and equally important, is the need for network perimeter protection. That ISP-provided router just isn't cutting it anymore: at most it provides a stateful firewall, but with no gateway AV or IPS it offers little protection for the devices behind it. You could argue that most machines have some form of endpoint AV, but with the ever-increasing threat from fileless malware this is no longer enough on its own. Next-generation perimeter defence is a must, and there are plenty of NGFW (Next Generation Firewall) solutions aimed squarely at the SOHO market with a range of protective features previously only found in enterprise-grade hardware. For little more than the cost of the latest smartphone, an NGFW with IPS, GeoIP filtering, gateway AV, DPI-SSL (TLS inspection) and advanced threat protection can be deployed with the aid of a security consultant or by the in-house IT team. Note that TLS inspection only works for traffic the firewall can decrypt, so it requires the firewall's inspection CA certificate to be trusted on each endpoint; without that step, encrypted web and email traffic passes the gateway AV and IPS uninspected.
One such offering is SonicWall's entry-level range, which packages the features you'd find in an enterprise offering into a small form-factor desktop unit.