There are many areas in life where size matters. But it may surprise you to learn that when it comes to cyber crime, that saying does not hold true. Small and medium businesses (SMB’s) are viewed as favored targets even though the payday may not be huge. There are a number of reasons you don’t hear much about this threat area, but that doesn’t mean attacks are not a reality.
For the media, size does matter and the focus is on sensational headlines of major breaches. If a large corporation gets hacked and millions of records are compromised, it’s a bigger story than if a local mom-and-pop shop gets hacked and a couple hundred records are stolen. But for SMB’s an attack can be devastating. Most SMB’s cannot survive a successful cyber attack. Additionally, many attacks go unreported because they are undetected or the business simply folds up following the attack.
As with all crime, it boils down to a matter of opportunity and value versus risk. What can be stolen, what is it worth, and what are the chances of getting away with it? Cyber crime is no different. This begins to get to the point of why SMB’s are such attractive targets.
Risk: Starting with the deterring factor, SMB’s typically represent targets with lower risk of getting caught. With fewer resources available to build and monitor sound information security defensive systems, SMB’s tend to be easier to breach and have less chance of attackers being tracked down if and when their attack is discovered.
Opportunity: There are hundreds if not thousands of SMB’s for every major mega-corporation out there, and SMB employees are less likely to be well educated in information security practices. Phishing email attacks are cheap and easy to launch, so multiple organizations can be targeted with little effort on the attacker’s part.
Reward: The payoff for SMB attacks comes from volume. The rewards from each individual company may be limited, but when the attacker reaps the reward from dozens or hundreds of SMB’s, the aggregate can rival a successful mega-corporation attack.
The big issue is that SMB’s generally do not have the resources and expertise to deal with information security appropriately. Capability tends to align proportionally with the size of the organization, meaning the smaller the company the fewer resources to dedicate to the battle. There is one noteworthy exception – Managed Security Service Providers (MSSPs) and Information Security Consulting companies. These companies may be small in size, but since their business is information security, they tend to be highly focused on these issues. But for most companies, their core competency is not cyber security, and that reality is why they are favored targets.
The reality is cyber criminals target SMB’s because they are less likely to mount a solid defense. The logical conclusion is SMB’s need to devote more resources to their information security posture, but it may not be practical to hire additional experts internally. One alternative for obtaining a stronger security posture quickly is to outsource security support to a Managed Security & Compliance Consulting firm like Intrinium, which can hit the ground at full speed with a wealth of expertise and experience helping SMB’s address these issues. No long-term success comes from downplaying or ignoring information security. If you want to be in business for the long haul, you either have to handle this internally or hire it out, and if your core business is not information technology services, you can get more for less by engaging an expert firm to handle it for you.