Size Isn’t Everything: Why Cyber Attackers Target SMEs

I recently wrote a piece about why small and medium organizations are also at great risk of cyber attack, which made it into UK’s Business Computing World. I’ve reposted the article here for your reading pleasure.

All too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don’t have anything that would interest cyber attackers. Surely, organized criminals or hackivists are going to be far more interested in going for the big targets that we read about in the news all the time such as Sony, HMRC, Subway and the University of Cambridge?

But the truth is that in recent years, cyber attackers have increased their focus on compromising small and medium enterprises (SMEs). A recent PwC report on security breaches showed that 76% of small businesses in the UK suffered a breach last year, with the average cost of their worst incident coming in at 15-30k.

There are two main classes of attack. First, the automated opportunistic attack, where a wide net is cast using mass emails, automated SQL injection, or automated network attacks to trap any victim. Everyone is the target of this attack – it’s just a numbers game. The second are specifically targeted attacks where a single organization or group of organizations is targeted, such as a group of companies in the same vertical market or public sector departments.

These attacks will usually consist of very targeted ‘spear-phishing’ emails attempting to lure victims to a malware site. What SMEs don’t realize is that attackers have been opportunistically going after them for years, but now they are increasingly targeting them more specifically.

It is clear that SMEs have been victims of the first type of attack for years now, whether they know it or not. Bot herders use automated techniques to try to ‘zombie-fy’ as many Internet connected victims as possible, without caring who they are, and they often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, often valuable, data.

In its 2011 Data Breach Report, Verizon noted that although the number of stolen records may have dropped in 2011, the number of breeches actually increased over 5-fold, suggesting that the attacks were affecting smaller organizations.

However, it is the more recent increase in targeted attacks on SMEs that is even more concerning. Recently, my company has seen an increase in more targeted phishing emails that focus on very specific SME organizations. For instance, one recent email appeared to come from ADP, a company that helps SME manage payroll, among other things.

This spear-phishing email was designed to target accounting and HR people, with the aim of gaining access to payroll systems. Other research organizations and experts are also seeing the rise in targeted attacks against SMEs. Recently, Symantec released its latest Security Intelligence Report for 2012, which confirmed that targeted attacks against SMEs doubled during the first half of the year.

Why target SMEs?

There are a number of reasons why attackers might want to focus on SMEs. Certainly, in general an SME will have weaker defenses than a larger organization. This is in a large part due to the fact most SMEs still don’t think attackers target them, despite evidence to the contrary. A study done by The Hanford found that 85% of small business owners think a data breach is unlikely; thus they often don’t implement simple security controls. In the last few years, larger enterprises have been hammered with some big and very public breaches, and as a result, have beefed up their defenses, making SMEs a much easier target.

An attack on an SME may even be just the gateway to bigger targets. Small and large businesses will often have many partners and these partners in turn will also have partnerships and connections with other, perhaps even smaller, companies. Attackers know they may not be able to storm the well-protected “castle,” but if they can get into one of the “guard’s” houses, they can use that to sneak in through a backdoor, metaphorically speaking.

SME breaches are also likely to pose less risk to the attacker. If you try to attack and steal millions from Google, you will quickly get onto the authority’s radar. However, if you attack small, lesser-known businesses and only steal a few thousand at a time, it may not even get reported. If you use automation to repeat this small theft many times, you can still make millions.

Finally, SMEs will still have very valuable information including customer financial data or commercially sensitive IP information. Don’t think anonymity protects you. If you are a small business, you are still a target.

New generation of phishing

SMEs need to be aware that the most common attacks impacting small businesses at the moment are well-crafted and targeted spear-phishing campaigns, which link to drive-by download sites. These targeted phishing campaigns have three things going for them:

• They are well-crafted compared to malicious emails of the past. They often look very legitimate and don’t have all the spelling and grammar mistakes old phishing emails had. Sometimes they will even inject HTML content from the company they are masquerading, to make them look very legitimate
• They target a very specific group or individual. By writing them specifically for a certain target at the organisation, that individual is more likely to interact with the message
• They contain a web link rather than an attachment. While even small business employees realize they should be careful with email attachments, many users still don’t realize that attackers can hijack your computer from a malicious website. They feel safe clicking web links in emails, making this far more effective than having an attachment.

Protection for the SME

There is no silver bullet to keep safe from cyber-attacks, but defense is not as hard or as expensive as some SMEs assume. The only real way to protect yourself is to implement ‘Defense in Depth.’ This is the act of layering multiple security controls together to give the enterprise the best chance of protecting itself from the many types of attacks hackers leverage.

Unfortunately, today’s threat is very much blended; the hook may arrive via email, IM, or a social network, but the true attack may happen over the web. Then, the follow-up attacks in your network may happen over a number of network services. So you need different security controls like a next-generation firewall, IPS, antivirus, reputational services, and so on, to protect yourself from various aspects of these attacks.

The good news is these security controls are well developed and readily available. Furthermore some security vendors have combined all of these required security controls in one easy-to-manage, cost effective UTM (Unified Threat Management) appliance that will make it easier for even a small business to implement and enforce the layers of security they need.

Don’t let your small size lure you into a false sense of security. Instead, leverage today’s technology to implement many layers of defense, and keep yourself out of tomorrow’s cyber attack headlines. — Corey Nachreiner, CISSP (@SecAdept)

Share This: