SMEs more prone, but still quite oblivious, to cyberattacks
Despite governments, organizations and brands intensifying their cybersecurity awareness campaigns in recent years, as well as several recent high-profile attacks and security breaches, it seems that many small and medium business owners still fail to realize the extent of risk for their companies from hacking, phishing, denial-of-service, and other types of common attacks.
The Department of Homeland Security declared this past October as National Cyber Security Awareness Month. And they’re not alone. Across the pond, the EU is moving towards imposing a minimum level of security for networks, services and digital tech across all its members. That should be good news, but is it too little, too late?
A July 2016 report by the Ponemon Institute outlines just how susceptible small and medium enterprises (SMEs) already are to cybercrime. 55 percent of respondents admitted to having suffered a cyberattack over the past year, while 50 percent experienced a data breach – and let’s not forget that those are only those who were aware of such issues. Forbes highlights that 71 percent of cyberattacks occur at firms with fewer than 100 employees.
SMEs often lack the willingness or the resources to educate their employees about cyber threats. That is why phishing scams, password hacks and malware are among their biggest vulnerabilities. In fact, sometimes it’s the simplest attacks that can cause the most harm because people tend to laugh such attempts off as something they wouldn’t ever personally fall for. And perhaps that’s true once in a while, but can every manager safely say the same about their employees too?
If business titans at Sony Pictures can be hacked using Apple ID phishing emails, SMEs should take heed and should realize how important it is to build their defenses and raise awareness among their staff as soon as possible. In the case of Sony, attackers designed email messages to look like they came from AppleCare. Once unsuspecting employees clicked on the provided link, they ended up on ioscareteam.net, a convincing Apple-like website which asked for their login credentials, which were then recorded. This phishing attack proved simple, but methods used by cybercriminals are advancing rapidly.
There are some attempts to acquire personal data and passwords which are significantly harder to detect, and they often come in the form of a Man in the Middle attack, of which there are many increasingly sophisticated variations. Incapsula explains that every MITM attack has an interception and a decryption phase. Attackers use advanced IP, ARP or DNS spoofing techniques during each phase to convince not only individual users but also their computer systems that they are transmitting sensitive information safely, while it is not the case.
For instance, some attackers adopt a proactive approach, infiltrating to infiltrate DNS servers to alter a domain’s address record. When an individual attempts to access that website, they are instead sent to the attacker’s website, which is set up to look identical to the one they are spoofing. In this case, as with many other MITM attacks, even advanced users cannot detect the risk without specialized security software. This is known as DNS spoofing, and can, of course, prove very effective.
Fortunately, security solutions are constantly improving. New tech brings in a wider range of options, and competitive pricing ensures that SMEs can find the type of cybersecurity that suits their needs. For instance, web application firewalls, previously only the domain of large enterprises, have become more affordable in recent years, and available in the cloud, safeguarding against attacks such as the DNS spoofing explained above.
The average cost of a data breach in 2020 is predicted to exceed $150 million and cybercrime will cost businesses over $2 trillion by 2019, as a Juniper Research whitepaper discusses. Experts highlight the efficiency of a combined and balanced WAF and hardware web security approach, with many providers offering to tailor their security offerings to the type, size and needs of each company.
One final argument, and it’s a big one: Consumers themselves have been demanding better security from companies they buy from, regardless of their size, as the Modern Business Solutions MongoDB data leak in October 2016 showed. Over 58 million subscriber records were made public, followed by another 258 million rows of personal data. To anyone who will tell you that is a big-business problem, let us remind you that Modern Business Solutions provided storage solutions and other services for hundreds of its partners, including SMEs.