SMBs’ size doesn’t make them immune to cyberattacks

78% of SMBs indicated that having a privileged access management (PAM) solution in place is important to a cybersecurity program – yet 76% of respondents said that they do not have one that is fully deployed, a Devolutions survey reveals.

While it’s a positive trend that the majority of SMBs recognize the importance of having a PAM solution, the fact that most of the respondents don’t have a PAM solution in place reflects that there is inertia when it comes to deployment.

SMBs are not immune, company size doesn’t protect from cyberattacks

Global cybercrime revenues have reached $1.5 trillion per year. And according to IBM, the average price tag of a data breach is now $3.86 million per incident. Despite these staggering figures, there remains a common (and inaccurate) belief among many SMBs that the greatest security vulnerabilities exist in large companies.

However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats – and the complacency regarding this reality can have disastrous consequences.

“SMBs must not assume that their relatively smaller size will protect them from cyberattacks. On the contrary, hackers, rogue employees and others are increasingly targeting SMBs because they typically have weaker – and, in some cases, virtually non-existent – defense systems.

“SMBs cannot afford to take a reactive wait-and-see approach to cybersecurity because they may not survive a cyberattack. And even if they do, it could take several years to recover costs, reclaim customers and repair reputation damage,” said Devolutions CEO David Hervieux.

Key findings from the survey

To dig deeper into the mindset of SMBs about cybersecurity, Devolutions conducted a survey of 182 SMBs from a variety of industries – including IT, healthcare, education, and finance. Some notable findings include:

  • 62% of SMBs do not conduct a security audit at least once a year – and 14% never conduct an audit at all.
  • 57% of SMBs indicated they have experienced a phishing attack in the last three years.
  • 47% of SMBs allow end users to reuse passwords across personal and professional accounts.

These findings reinforce the need for better cybersecurity education for smaller companies.

“Conducting this survey reaffirmed to us that while progress is being made, there is still a lot of work to do for many SMBs to protect themselves from cybercrime. We plan to conduct a survey like this each year so that we can identify the most current trends and in turn help our customers address their most pressing needs,” added Hervieux.

Protect from cyberattacks: The role of MSPs

One way for SMBs to close the cybersecurity gap is to seek out a trusted managed service provider (MSP) for guidance and implementation of cybersecurity solutions, monitoring and training programs. Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources.

MSPs have an opportunity to strengthen their relationship with existing customers and expand their client base by becoming cyber experts who can advise SMBs on various cybersecurity issues, trends and solutions – as well as offer the ability to promptly respond to any security incidents that may arise and take swift action.

“We expect more and more MSPs will be adding cybersecurity solutions and expertise to their portfolio of offerings to meet this demand,” Hervieux concluded.

Prevent privileged account abuse

Organizations must keep critical assets secure, control and monitor sensitive information and privileged access, and vault and manage business-user passwords – all while ensuring that employees are productive and efficient. This is not an easy task for SMBs without the right solution in place.

Many PAM and password management solutions on the market are prohibitively expensive or too complex for what SMBs need.

Ransomware getting more fearsome, but there’s reason for optimism

Cybercriminals continued a barrage of attacks in 2019, spurred on by botnets of infected IoT devices and by attacker interest in the Eternal Blue vulnerability. A report from F-Secure documents a steep increase in attack traffic in 2019 that was unmatched by previous years.

There have been 2.8 billion attack events in the second half of the year. After 2.9 billion in the first half of the year, the yearly total rings in at 5.7 billion attacks. For comparison, 2018 saw just over 1 billion attacks, while 2017 saw 792 million.

Traffic was dominated by attacks hitting the SMB protocol, indicating attackers are still very much interested in using worms and exploits related to Eternal Blue. Telnet traffic and attacks hitting SSH were also high, indicating continued high attacker interest in IoT devices. Malware found in the honeypots was dominated by various versions of Mirai.

Ransomware becoming more targeted and impactful

While ransomware spam was observed to have dropped during the course of the year, ransomware itself became more targeted and impactful, inflicting greater damage, targeting enterprises, and demanding sums in the hundreds of thousands of dollars. Modular malware employed a range of tricks, one of which was dropping ransomware as a second stage payload.

“The last decade was pretty bad for information security, but the next one will be better,” says Mikko Hypponen, Chief Research Officer at F-Secure.

“It doesn’t always look like it, but we are getting better. In the middle of news on major breaches and data leaks, it might look like it’s getting worse, but it isn’t. If you look at the level of security tools we were using in 2010 and today, it’s like night and day. We are going in the right direction.”

Other findings

  • Countries whose IP spaces played host to the highest numbers of attack sources were the US, China, Russia and Ukraine.
  • Countries where the most attacks were directed were the Ukraine, China, Austria and the US.
  • The most common delivery method for ransomware during the period was via manually installed/second stage payloads at 28%, followed by email/spam.
  • The greatest share of Telnet traffic came from the US, Armenia, the UK, Bulgaria and France.
  • The greatest share of SMB traffic came from the Philippines and China.

“Spam continued to be popular amongst attackers in 2019. It preys on unsuspecting individuals, making the lack of awareness about threats a weak link for companies, and a lucrative target for malware authors,” says Calvin Gan, Manager at F-Secure‘s Tactical Defense Unit.

“And with attacks becoming more sophisticated, such as ransomware infections that escalate into data breaches, it’s more important than ever for organizations to improve their cyber defenses in preparation for these attacks.”

Orgs that sacrifice mobile security are twice as likely to suffer a compromise

The percentage of companies admitting to suffering a mobile-related compromise has grown (39%, compared to last year’s 33%) despite a higher percentage of organizations deciding not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report, which is based on a survey of 876 professionals responsible for the buying, managing and security of mobile and IoT devices, as well as input from security and management companies such as Lookout, VMware and Wandera.

The report also shows that attackers hit businesses big and small, and operating in diverse industries, and that those that had sacrificed mobile security in the past year were 2x as likely to suffer a compromise.

66% of those that suffered a mobile-related compromise said that the impact was major, and 55 percent of those companies said that they suffered lasting repercussions.

“Among those in our survey that had experienced a compromise, downtime was even more common as a consequence than loss of data. Financial services companies were particularly concerned about this – 95% said that their customers expect a reliable service and that even a few minutes of unplanned downtime could have an adverse impact on the company’s reputation,” Verizon pointed out.

Mobile threats

Phishing continues to be the most common attack type leveraged against all users and it’s getting ever more sophisticated and targeted.

Mobile users are at a disadvantage because red flags are more difficult to spot in emails rendered on mobile devices, but also because phishers are taking advantage of other communication mediums – such as messaging, gaming, social media apps – for which many organizations don’t have filtering in place.

When attendees of a mobile security event were sent a phishing email that purported to be from the hotel they were staying in, offering a free drink at the bar, a whopping 70% opened it and clicked on the link, according to VMware. Similarly, in a test carried out by a Lookout customer, 54% of executives tapped on a malicious link included in an SMS that looked like it was from a hotel they were due to check into.

Hackers are coming up with new and effective pretexts to get targets to click on malicious links, and are coming up with new ways to disguise them.

They are also finding new ways to hide malicious links and text from spam and phishing filters used by email/SaaS providers (one of the most recent is using customized fonts and a simple substitution cipher).

Downloading and installing apps that ask for permission to access all kinds of (potentially sensitive) data represents a risk, but malware posing as legitimate apps presents a more immediate danger.

“Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident,” Verizon noted.

Other risks come from insecurely coded apps by reputable companies, mobile cryptojacking apps and the general user inconsistency when it comes to regularly updating their many apps.

For example: six months after WhatsApp announced that users had been subject to a spate of attacks where hackers exploited a buffer overflow vulnerability to run malicious code on victims’ devices (without requiring user interaction), more than 1 in 15 users hadn’t updated and remained susceptible to attack.

Then there are the threats involving the devices: device loss and theft, SIM swapping, juice jacking, unsecured devices open to compromise by physically present attackers (e.g., office colleagues, abusive partners, etc.).

Finally, the network threats: insecure networks, MitM attacks (through rogue access points), etc. Some companies ban employees from using public Wi-Fi to perform work-related tasks, but 55% of those who know that public Wi-Fi is prohibited use it anyway, Verizon found.

IoT threats

49% of organizations are now using IoT devices – to enhance productivity, physical security, products and services, and measure the wellness of people – and most adopters consider them critical or very important to the smooth running of their organization.

Almost half of those that Verizon surveyed that were using IoT had at least one full-scale deployment and 33% said they have over 1,000 IoT devices in use. Nearly a third (31%) of those with IoT deployments admitted to having suffered a compromise involving an IoT device.

While the biggest concern at the moment is IoT devices getting conscripted into a botnet, organizations should also be concerned about data tampering and IoT devices being used as a stepping stone to more sensitive data and wider business systems.

The good news regarding IoT is that new regulations are slowly coming into force to help protect businesses, consumers and citizens from IoT-related attacks, and they are expected to push manufacturers into implementing more security in their products, but also organizations into using these features.

“Even though IoT-specific regulations are yet to come into force in most jurisdictions, we’re already seeing a shift in the mindset of organizations. Seventy-four percent of IoT respondents said they have reassessed the risk associated with IoT devices in light of regulatory changes,” Verizon pointed out.

One in five SMBs use no endpoint security at all

An alarming number of SMBs (small to medium businesses) in the US and UK are not prepared for a potential cyber attack or breach, BullGuard warns.

One-third of companies with 50 or fewer employees report using free, consumer-grade cybersecurity, and one in five companies use no endpoint security whatsoever.

SMBs are not prepared for a breach

Also worrisome, the BullGuard study found that 43% of SMB owners have no cybersecurity defense plan in place at all – leaving their most sensitive financial, customer and business data, and ultimately their companies, at significant risk.

“Small businesses are not immune to cyber attacks and data breaches, and are often targeted specifically because they often fail to prioritize security,” said Paul Lipman, CEO of BullGuard.

“Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”

SMB owners overly confident in the safety of their company and customer data

The study also revealed some glaring discrepancies between what SMB owners believe and what is actually occurring in the market. Nearly 60% of SMB owners believe their business is unlikely to be targeted by cyber criminals; however, the results revealed that 18.5% of SMB owners have suffered from a cyber attack or data breach within the past year.

Unfortunately, while securing data can be simple, remediation is not. Companies that fall victim to a cyber attack often experience significant downtime that seriously impacts productivity, data privacy, and even revenue.

Once breached, 25% of SMB owners stated they had to spend $10,000 or more to resolve the attack, which could be devastating for a small company. As for time lost, 50% of SMB owners said it took 24 hours or longer to recover from a breach or cyber attack, while 25% reported they lost business as a result, and almost 40% stated they lost crucial data.

Despite these numbers, many SMB owners are overly confident in the safety of their company and customer data. One in five SMB owners surveyed stated their organization has zero vulnerabilities; however, 50% of SMB owners stated their employees do not receive any cybersecurity training.

A significant number, 65%, of SMB owners report managing their cybersecurity in-house, but less than 10% say they have a dedicated IT staff member. The right solution makes it simple and extremely cost-effective for SMBs to manage their own cybersecurity, ensuring their business is secure and protected.

How do SMBs plan to improve their security posture in 2020?

With cybersecurity concerns already mounting ahead of the 2020 presidential election, SMB executives are turning their attention to how these threats could impact their own business.

The threat of foreign adversaries

According to a new Zix-AppRiver survey, 93 percent believe that as foreign adversaries attempt to breach national security or wage cyberwar, they will use small businesses such as their own as entry points. Among them, two thirds expect this threat to become even more severe.

“In 2019, we saw cyberattacks on our government trickle down from large agencies to smaller local municipalities and schools,” said Dave Wagner, CEO, Zix.

“That follows the pattern we’ve seen in business, where attacks have expanded from big corporations to small- and medium-sized businesses. While these attacks can originate from anywhere, the survey data shows that SMBs believe foreign actors and even nation-states may be targeting them as a first step toward access to larger companies or government agencies.”

SMBs want a better security posture in 2020, and they’re ready to pay for it

This, among other cybersecurity concerns, could be a possible driver behind SMBs’ plan to shore up their security investment and defenses in 2020. Sixty-two percent of all SMBs plan to increase their cybersecurity budgets in 2020.

Among the list of cybersecurity upgrades they’d like to make, their highest priorities include employing more cybersecurity technology (58 percent), creating better security awareness training for their employees (57 percent) and conducting more regular reviews of their security defenses (50 percent).

These findings are in line with other key results from the survey, which indicate that only 43 percent of all SMBs currently feel in-control and confident in their own cyber preparedness.

Concerns about foreign powers

SMBs within the government and technology sectors are among those most concerned about their security posture and nation-state cyberattacks on their business in 2020. Executives within these industries also have the highest propensity to increase their cybersecurity budgets next year, with 77 percent of technology SMBs and 76 percent of government SMBs planning to increase their budgets in the coming year.

“It seems unusual that small and midsize companies are concerned about foreign powers, but with elections coming up in 2020, they have legitimate reasons to worry about becoming vulnerable entry points for outside entities,” said Troy Gill, senior cybersecurity analyst at AppRiver.

“The silver lining is that they are actively planning to improve their security with new technology and better training for employees, which together, are a powerful combination.”