Cyber crime is a phenomenon related to the interconnected and online world in which we live today, but criminals exhibit some common traits regardless of the domain in which they operate. Similar to legitimate business ventures, there is a classic risk vs. reward evaluation in determining targets for attack. But that does not mean small businesses are out of scope for this threat.
From the SMB owner’s perspective, the risk is huge. One study found that 60 percent of small companies shut their doors permanently during the six months following a cyber attack. For over half of small businesses, a data breach represents a one-and-done outcome!
From the criminal’s perspective, it is a calculation of potential reward contrasted with the risk and effort required. Focusing on theft of data as a category, the value of customer records on the dark web is often directly proportional to the difficulty of obtaining them. Stealing data from an international banking firm is likely to be significantly more difficult than stealing data from a local landscaping company whose owner sits in a coffee shop using public Wi-Fi to do the record keeping. But the quantity, quality and value of the stolen data would be commensurate with the effort required to steal it.
Criminals also tend to target SMBs for their “gateway” value. Many SMBs operate in a trusted relationship with larger corporations as part of a supply chain or as a services provider. If the SMB can be breached, there is a chance that the hacker can get into the citadel of the large corporation over the trusted connection. Instead of attacking the fortress head-on, this would be like slipping in through the aqueduct and then mucking about from the inside.
Essentially, SMBs are viewed as easier targets since they often lack the depth of skills and investments to create a solid defense, or to train their people to be alert to social engineering schemes like phishing. Often SMB owners lack the perspective to believe they would even be a target. Yet in the five years from 2011 to 2016, a period in which the total number of cyber attacks skyrocketed, attacks targeting SMBs doubled from 18 to 36 percent of the total attacks.
Still, there is hope in this battle. One of the first things you need to do is evaluate and understand your threat landscape. Every workstation, tablet, or smartphone in your organization is a potential access point, but not all will have the same probability of attack. Similarly, you need to understand the potential impact if particular systems are breached. You know what your “crown jewels” are, as compared with commonplace data, and your security efforts should be reflective of the value of these assets. But that doesn’t address the fact that you simply may not have sufficient resources in-house to deal with this.
Many businesses are turning to a Managed Security Services Provider (MSSP) like Intrinium to bridge the gap. MSSP firms provide security consulting services to help you understand your threat landscape and best practices for securing your assets. They can also assist with things like information security awareness training for your staff, reducing the likelihood that a phishing exploit will be successful. As an SMB owner, you must always get the best return on any investment you make in your business, and you should realize by now that you are likely to be the target of a cyber attack at some point. You have an opportunity now to prepare, so invest your time and money wisely!