Secplicity - Security Simplified

Powered by WatchGuard Technologies

Size Isn’t Everything: Why Cyber Attackers Target SMEs

December 3, 2012 By Corey Nachreiner

I recently wrote a piece about why small and medium organizations are also at great risk of cyber attack, which made it into the UK’s Business Computing World. I’ve reposted the article here for your reading pleasure.


All too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don’t have anything that would interest cyber attackers. Surely, organized criminals or hacktivists are going to be far more interested in going for the big targets that we read about in the news all the time such as Sony, HMRC, Subway and the University of Cambridge?

But the truth is that in recent years, cyber attackers have increased their focus on compromising small and medium enterprises (SMEs). A recent PwC report on security breaches showed that 76% of small businesses in the UK suffered a breach last year, with the average cost of their worst incident coming in at 15-30k.

There are two main classes of attack. The first is the automated opportunistic attack, where a wide net is cast using mass emails, automated SQL injection, or automated network attacks to trap any victim. Everyone is the target of this attack – it’s just a numbers game. The second is the specifically targeted attack, where a single organization or group of organizations is targeted, such as a group of companies in the same vertical market or public sector departments.

These attacks will usually consist of very targeted ‘spear-phishing’ emails attempting to lure victims to a malware site. What SMEs don’t realize is that attackers have been opportunistically going after them for years, but now they are increasingly targeting them more specifically.

It is clear that SMEs have been victims of the first type of attack for years now, whether they know it or not. Bot herders use automated techniques to try to ‘zombie-fy’ as many Internet-connected victims as possible, without caring who they are, and they often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, often valuable, data.

In its 2011 Data Breach Report, Verizon noted that although the number of stolen records may have dropped in 2011, the number of breaches actually increased over 5-fold, suggesting that the attacks were affecting smaller organizations.

However, it is the more recent increase in targeted attacks on SMEs that is even more concerning. Recently, my company has seen an increase in more targeted phishing emails that focus on very specific SME organizations. For instance, one recent email appeared to come from ADP, a company that helps SMEs manage payroll, among other things.

This spear-phishing email was designed to target accounting and HR people, with the aim of gaining access to payroll systems. Other research organizations and experts are also seeing the rise in targeted attacks against SMEs. Recently, Symantec released its latest Security Intelligence Report for 2012, which confirmed that targeted attacks against SMEs doubled during the first half of the year.

Why target SMEs?

There are a number of reasons why attackers might want to focus on SMEs. Certainly, in general an SME will have weaker defenses than a larger organization. This is in large part due to the fact that most SMEs still don’t think attackers target them, despite evidence to the contrary. A study done by The Hartford found that 85% of small business owners think a data breach is unlikely; thus they often don’t implement simple security controls. In the last few years, larger enterprises have been hammered with some big and very public breaches, and as a result, have beefed up their defenses, making SMEs a much easier target.

An attack on an SME may even be just the gateway to bigger targets. Small and large businesses will often have many partners and these partners in turn will also have partnerships and connections with other, perhaps even smaller, companies. Attackers know they may not be able to storm the well-protected “castle,” but if they can get into one of the “guard’s” houses, they can use that to sneak in through a backdoor, metaphorically speaking.

SME breaches are also likely to pose less risk to the attacker. If you try to attack and steal millions from Google, you will quickly get onto the authorities’ radar. However, if you attack small, lesser-known businesses and only steal a few thousand at a time, it may not even get reported. If you use automation to repeat this small theft many times, you can still make millions.

Finally, SMEs will still have very valuable information including customer financial data or commercially sensitive IP information. Don’t think anonymity protects you. If you are a small business, you are still a target.

New generation of phishing

SMEs need to be aware that the most common attacks impacting small businesses at the moment are well-crafted and targeted spear-phishing campaigns, which link to drive-by download sites. These targeted phishing campaigns have three things going for them:

  • They are well-crafted compared to malicious emails of the past. They often look very legitimate and don’t have all the spelling and grammar mistakes old phishing emails had. Sometimes they will even inject HTML content from the company they are masquerading as, to make them look very legitimate.
  • They target a very specific group or individual. Because they are written specifically for a certain target at the organisation, that individual is more likely to interact with the message.
  • They contain a web link rather than an attachment. While even small business employees realize they should be careful with email attachments, many users still don’t realize that attackers can hijack your computer from a malicious website. They feel safe clicking web links in emails, making this far more effective than having an attachment.

Protection for the SME

There is no silver bullet to keep safe from cyber-attacks, but defense is not as hard or as expensive as some SMEs assume. The only real way to protect yourself is to implement ‘Defense in Depth.’ This is the act of layering multiple security controls together to give the enterprise the best chance of protecting itself from the many types of attacks hackers leverage.

Unfortunately, today’s threat is very much blended; the hook may arrive via email, IM, or a social network, but the true attack may happen over the web. Then, the follow-up attacks in your network may happen over a number of network services. So you need different security controls like a next-generation firewall, IPS, antivirus, reputational services, and so on, to protect yourself from various aspects of these attacks.

The good news is that these security controls are well developed and readily available. Furthermore, some security vendors have combined all of these required security controls in one easy-to-manage, cost-effective UTM (Unified Threat Management) appliance that will make it easier for even a small business to implement and enforce the layers of security they need.

Don’t let your small size lure you into a false sense of security. Instead, leverage today’s technology to implement many layers of defense, and keep yourself out of tomorrow’s cyber attack headlines. — Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes

Comments

  1. Alban Vesprey says

    December 3, 2012 at 1:25 pm

    Great post Corey. You are truly a security nerd. Great info got to take a second look at the way employees do their stuff. Also the full fledged utm devices its the configuration when in different lo Atkins and the of course it goes without mentioning the cost.

    Connected by MOTOBLUR™

  2. Dave Purscell says

    December 3, 2012 at 3:47 pm

    Very well written article. We’ve been preaching some of this for years. Sometimes it falls on deaf ears. Glad to have your article to help bolster the case for Enterprise class security even at the smallest of companies.

  3. wbailey5793 says

    December 4, 2012 at 7:22 am

    A very well written and informative article. We have been using a UTM appliance since 1999 and I could not imagine not having this device in our infrastructure. Thanks for the great information you provide and keep the articles coming, a good read!
