Yes, small to mid-sized enterprises (SMEs) continue to prove a fruitful target for cybercriminals.
Many hacking attempts — such as spam containing malicious links — are general in scope and do not discriminate by company size or sector. But the hit rate for small and medium businesses is as high as 42%, and the damage to an SME is often far worse than when a large corporation is hit.
In this article, we will review the major cybersecurity risks that SMEs face, why they are as prone to attack as larger firms, and how they can protect themselves from the onslaught of cyberattack attempts.
Why SMEs are at an elevated risk for cyber attacks
Smaller budgets and limited resources make SMEs a prime target for cybercriminals. Whether through oversight or because security isn’t high on the priority list, SMEs tend to have more security gaps compared to large corporations.
These gaps usually stem from one or more of the following:
- Lack of budget: Setting up comprehensive protection across all parts of an SME's security posture can be expensive when working with multiple vendors. The same is true when trying to build up an in-house cybersecurity department.
- Security is not a priority: In 2021, 56% of US small business owners told CNBC that they didn't think they would be the victim of a hack. If they don’t think they’re at risk, they’re less likely to prioritize cybersecurity.
- Lack of security controls: Without detection tools in place, malicious links, attachments, and fraudulent websites have a higher chance of compromising systems.
- Limited response capabilities: Without the ability to detect an attack and respond quickly, breaches either go undetected or cause more damage.
- Lack of employee training: Malicious hackers often target employees, and without the right training in place, the chance that user error leads to a security breach only increases. Seeing as 55% of workers took at least one risky action in 2021 — actions such as clicking a suspicious link or compromising their credentials — helping them spot phishing or social engineering attacks can reduce an organization's risk immensely.
Organizations should consider implementing robust security controls to improve their overall security posture and cyber resilience.
Types of Cyber Attacks Most Likely To Target SMEs
Through a combination of automated software, botnets, and billions of scam emails, organized criminals operate primarily on a hit-and-miss strategy that "hits" enough times to be profitable. Coupled with targeted attacks, such as CEO email impersonations, organized cybercrime is big business. SMEs need to be prepared for the scenario of being targeted and potentially being compromised.
Here are the biggest types of cybersecurity risks faced by SMEs.
Phishing is a type of email attack where cybercriminals impersonate a legitimate business, but the email in fact contains malicious links. These links can lead to malware, ransomware, or to a fraudulent website designed to steal login credentials.
Spam emails typically also contain malicious links, although they do not always attempt to impersonate a known entity as phishing emails do.
Phishing attacks were at an all-time high in Q1 2022, topping one million total attacks, according to a report by the Anti-Phishing Working Group (APWG). The primary driver for the rise in attacks was an increased focus on "smaller accounting and insurance firms."
Twenty-four percent of the attacks were levied against the financial sector.
Adware and malicious advertising campaigns
Adware is malicious software that runs in the background of your computer and displays intrusive adverts that typically lead to shady websites, such as pornographic sites, dark web marketplaces, and "drive-by" websites that can install further malware on your machine without you being aware of it.
Adware can be extremely sophisticated, such as the AdLoad malware that has plagued macOS computers since 2017. The malware developers recently managed to find a way to completely bypass Apple's built-in malware scanner for as long as 10 months.
Adware topped the list of mobile malware in 2021, at 42.42%.
Malicious or compromised websites
SME websites can be notoriously easy to compromise. Due to a lack of budget, many companies will go with a system like WordPress, which powers 43% of the world wide web but which also accounts for an enormous portion of all website hacks.
The same is true of custom-designed websites. "Budget" website development can leave many unpatched security holes, resulting in crippling data breach fines that can put many small companies out of business — the average cost of a data breach for a small and medium business is over $100,000.
A compromised site often sends malicious spam emails from your domain name. This can have catastrophic effects on your domain's reputation, tanking it completely in the search results.
CEO Fraud is a type of business email compromise (BEC) attack where an attacker compromises the account of a high-level executive and then uses that account to send fraudulent emails that impersonate the executive. Because an email comes from a "CEO," it is far more likely to be acted upon.
This type of attack is particularly effective at the SME level: in a large multinational corporation it is unlikely that the CEO would directly email someone lower down the chain of command, whereas a direct email from an SME's CEO is entirely plausible.
Overall, BEC attacks resulted in higher financial losses than any other type of cybercrime in 2021, according to the FBI.
Use of botnets/IoT device compromises
A botnet is a network of computers infected with malware that allows them to be controlled by a malicious actor. Botnets often send spam that contains malicious links. Almost any internet-enabled/IoT device can be turned into a member of a botnet if malware can be installed on it.
SMEs that haven’t properly invested in the right security training are more likely to have a computer or device turned into an unwitting member of a botnet. Users may not know enough to spot a malicious link in a phishing email or avoid a drive-by website that installs malware on their computer.
Large-scale botnets are often known by name, such as the prolific Emotet botnet that infected over 1 million computers before a global crackdown managed to hinder its growth. The hackers behind the botnet are reportedly trying to get around the limitations imposed by the crackdown by upgrading the malware's code.
Ransomware famously made headlines when Colonial Pipeline was hacked on May 6, 2021. But this type of attack is far more prevalent against smaller businesses — 82% of all ransomware attacks are targeted at small businesses, reported tech.co.
According to Lexico, ransomware is "a type of malicious software designed to block access to a computer system until a sum of money is paid."
Why are SMEs such a common target? As a ransomware gang member interviewed in the above article says — “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies…”
In other words, SMEs are a consistent source of income for hackers with a relatively low downside. SMEs pay ransoms and are unlikely to have additional budget to thoroughly investigate who was behind the attack.
Personally Identifiable Information (PII) is a hot item on the black market. Knowing someone's Social Security Number can open the door to countless types of fraud such as identity theft. Protected Health Information (PHI) is even more valuable, with criminals paying up to ten times as much for medical data. This is because possession of such data makes high-stakes insurance fraud possible.
Poor passwords, badly coded websites, stolen credentials, poorly secured devices, and dozens of other factors can lead to a data breach that can result in heavy fines for the SME.
According to data from Verizon, data breach attacks against small and medium businesses are on the rise, accounting for nearly half of all data breaches in 2021.
SMEs need to invest in cybersecurity to offset risk
Despite all the above, the costs of implementing a complete security solution might be far out of reach for many smaller businesses.
A robust security posture requires that so many different elements be considered that the only choice an SME seemingly has is to hire a dozen vendors to cover all bases.
The solution to this lies in hiring a modern Managed Security Service Provider (MSSP) that can bolster every aspect of an SME's security posture without breaking the bank.
Modern managed security providers offer the full gamut of security services — including security awareness training to reduce human error — under one umbrella, and at an enormously reduced cost.
An MSSP will typically provide coverage in the following areas:
- Endpoint Detection and Response (EDR) tools
- Active Directory protection
- Ransomware protection
- Advanced email protection
- Phishing training for employees
- 24/7 SOC support
No single tool constitutes a full solution on its own. Together, however, they provide a comprehensive combination of protection, detection, and response that minimizes the success of attacks and neutralizes them quickly when they do occur. Fast response minimizes business impact.
Contact SolCyber to find out how we can help your SME improve its security posture easily and affordably.