A recent data breach investigations report from Verizon shows that small businesses continue to be the most victimized of all companies. Is this because there are many more smaller businesses than larger ones – and the larger ones have more resources and layered security mechanisms to combat cyber attacks? The answer depends on a couple of factors.
Of the 621 confirmed data breach incidents Verizon recorded in 2012, close to half occurred at companies with fewer than 1,000 employees, including 193 incidents at organizations with fewer than 100 workers.
A different recent report from Symantec has confirmed this trend. The report discovered that cyber attacks on small businesses with fewer than 250 employees increased 31% in 2012, after growing by 18% in the prior year. It’s a pattern that many security analysts have noticed for several years now. Larger corporations have more resources and CISOs that are capable of investing heavily in sophisticated security strategies. That has forced cyber criminals to look for other ways to direct their initial attacks.
Cyber criminals today have become efficient in using smaller businesses to initiate their attack as a way of working upstream to a larger organization that may purchase software, hardware, or services from the smaller organization. These smaller suppliers or partners of large companies offer an indirect path into a major corporation’s network.
Another tactic some more patient cyber criminals are using is targeting small companies in growth industries, such as health care or manufacturing. The cyber criminals plant their backdoor in the smaller organization’s software in the hope that their targets could be acquired by a larger corporation at some point down the road. Meanwhile, they lie in wait. If and when the company merges or is acquired, they gain access to the system of the larger parent company.
Despite the statistics, too many small businesses think they’re invulnerable. Some believe their small business would be a boring target for hackers. Small businesses can’t afford to remain complacent or ignorant about the risk of being a cyber attack target. Small businesses hold information that is very valuable to hackers, like customers’ credit card numbers, code repositories, and intellectual property.
The most common tactics cyber attackers use against small businesses include “ransomware” scams that lock computers and demand a ransom fee. Attackers also use malicious software designed to steal information from employees’ mobile devices and malware that uses a small business’s website as bait to gain access to a larger company’s database. To combat the siege, small businesses should deploy basic tactics such as using good passwords, maintaining the latest versions of antivirus software, and keeping essential business services off direct access to the Internet.