October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) organization is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.
When we think of cyberattacks, we tend to envision the biggest and most disastrous ones — ones that involve well-known companies, expose tons of important data, and cause some serious fallout and public mistrust. While these attacks are real and dangerous, they’re not the only ones out there.
The reality is that cyberattacks affect businesses of all sizes and in all industries. Sometimes, our focus on the big ones can eclipse the less flashy ones that are just as dangerous to small and medium-sized enterprises (SMEs). According to Accenture’s latest Cost of Cybercrime Study, 43% of cyber attacks are aimed at small businesses… but unfortunately only about 14% feel they have the right tools and resources in place to properly protect themselves from it.
Mounting a viable defense starts with understanding what you’re up against — and even understanding the basics of common threats and defense measures can go a long way. The following are six of the most common attack vectors that can hit SMEs.
Because the largest ransomware attacks tend to dominate news cycles, many people don’t realize that ransomware attacks on SMEs are common as well. In fact, 50-70% of ransomware attacks are aimed at small businesses.
What Ransomware Looks Like for SMEs
Ransomware generally follows the same basic principles in attacks of all sizes: adversaries seize and lock a company’s data or assets and promise to return them upon payment of a ransom. For large enterprises, these ransoms can reach into the millions. For SMEs, they are often smaller — ransoms as low as $10,000 are common. While this may sound like a silver lining for SMEs, there’s a darker motive at play: adversaries know SMEs will pay them.
For established enterprises with decades of built-up resources, six-figure ransoms and the downtime associated with an attack are painful, but not often a death sentence. For SMEs with tighter resources, this isn’t always the case — the downtime and loss of data access alone can be crippling for a tightly run SME. To adversaries, this means SMEs will fight to get their data back — so they demand a “reasonable” ransom and can expect with near certainty that the SME will pay it. According to research, more than half of them do.
The ramifications of a data breach to your employees, customers, partners, and reputation are grave: a Ponemon study found that 65% of consumers whose data was breached lost trust in the company that experienced the breach.
What’s more, paying the ransom doesn’t guarantee that your data hasn’t been compromised or shared when under the adversary’s control. Of the 59% of SMEs who said they had paid a ransom in a survey, only 23% got all their data back.
In fact, paying up can endanger your organization further: it tells hackers that you are willing and able to pay ransoms to reclaim your data. And now that they’re familiar with your defenses and architecture, they’ll have an easier time attacking you again. Unfortunately, repeat attacks are highly likely — either from the same criminal organization, or from another organization that the attackers sold your information to.
What’s more, the latest Verizon Data Breach and Incident Report indicates that with the data they have access to, in partnership with the FBI Internet Crime Complaint Center (IC3), it loks as though the amount paid to adversaries may be decreasing… but that the cost to recover from a ransomware attack is in fact trending in the opposite direction. According to this report, the calculated median cost of an attack (for those that reported a loss) more than doubled to over $26,000 (USD), with a range of anywhere from $1 to $2.25 million! It seems that the long term effects of an attack like this are multitudes more damaging than the incident itself.
2. Supply Chain Attacks
Most of us are familiar with supply chain attacks, where an infection starts with a large corporation and spreads as it comes into contact with other businesses through the supply chain. And while we’re likely to hear about supply chain attacks on large businesses, news sources don’t always report on their trickle-down effects on smaller businesses in the supply chain.
How Supply Chain Attacks Affect SMEs
In supply chain attacks, SMEs aren’t usually direct targets, but rather casualties resulting from a larger breach. Thus, large supply chain attacks have ramifications on many of the target organization’s partners, customers, or vendors. In REvil’s attack on Kaseya’s VSA software, for example, many of those impacted were SMEs that used the product. In another example, the famous SolarWinds breach was originally believed to have affected a few dozen organizations. It actually impacted over 250.
3. Phishing and Its Variants
Some of the most basic and low-effort tactics remain common — and effective — infiltration methods. Phishing remains one of the top three threats SMEs face, even despite increasing organizational awareness around it.
The reason phishing is still so common is two-fold:
- It is effective for adversaries. From the cybercriminal’s point of view, phishing is relatively easy to deploy, and it often yields lucrative results. It takes few resources and minimal skill to launch phishing attacks, and yet they continue to dupe employees into sharing credentials, network access, and other sensitive (and, for cybercriminals, profitable) information and assets.
- It preys on human error. Unlike many other attack vectors that leverage vulnerabilities in systems, phishing uses social engineering to take advantage of human nature (and human error) to gain initial entry. It only takes one mistake to allow an attack to take hold — and the average organization has a 37.9% phishing test fail rate.
Targeted Phishing in SMEs
Cybercriminals have refined tactics to mount more targeted and precise attacks with different types of phishing. Spear phishing, for example, involves background research to convincingly target individuals rather than bulk-sending a list to a group of recipients. This personalization and specific targeting makes spear phishing attempts harder to spot — like the popular scam that involves posing as the target’s boss in a text or email. These messages often use conversational language and use the names of the target and the boss, which can make them quite convincing.
Some adversaries take this type of attack a step further with whaling, which uses spear-phishing tactics to target company executives. Because executives have extensive access to systems and data, whaling is particularly popular — especially with SMEs, where scarce resources could hamper their ability to adequately train leaders on security and phishing awareness and best practices.
4. Software Vulnerability Exploits
Leveraging software vulnerabilities is a common way to gain access into an organization’s systems. Often, exploited vulnerabilities are known and even have patches available. In fact, many of the top exploited vulnerabilities were found years ago — for example, a Microsoft Office vulnerability found in 2017 continues to plague businesses that haven’t kept up with their patches. In a Ponemon survey, 60% of respondents who had experienced a breach said it could have occurred through a known vulnerability that had a patch available, but the organization hadn’t applied it.
Why SMEs Are Vulnerable
Routine patching is a critical basic cyber hygiene activity, and it is highly effective at blocking this type of attack. However, large-scale organizations are more likely to have formal patch management solutions in place than SMEs, which can make SMEs an easier target. In a 2022 JumpCloud survey, only about half of SME respondents said they were confident that their organization’s patch management strategy was sufficient to protect against known vulnerabilities.
5. Account Takeover
As businesses move to the cloud and dispersed infrastructure becomes the norm, identity has increasingly come to define the new perimeter. Because identity permeates every element of the infrastructure, it has become a common infiltration point. In fact, the number of password-stealing attacks on SMEs around the world increased by almost 25% from 2021 to 2022, and nearly 80% of attacks leverage identity to compromise credentials.
How ATO Attacks Work
In account takeover (ATO) attacks, adversaries gain access to the network by taking over a user’s account. Account access can be gained through various means, including password-stealing ware, social engineering, and using (often, by purchasing) the credentials of already breached accounts. Once the adversary has taken over the account, they can access resources and move around the network under the guise of a legitimate user. This makes account takeovers difficult to detect.
6. Advanced Persistent Threats
SMEs that work with large enterprises may be more susceptible to advanced persistent threats (APTs), which are sophisticated attacks carried out stealthily over an extended period of time. APTs typically consist of infiltration, lateral movement toward targeted data or assets, and exfiltration. APTs can start from any ingress point, and can enter through methods as simple as a phishing attack or stolen password.
For example, an adversary could gain the credentials of an employee with base-level permissions through a phishing scam, then take over the account to analyze the network and gather permissions, access and store the target data, and finally exfiltrate it to sell for profit.
APTs are harder to detect in sprawled IT environments, which are common in SMEs that have grown quickly. IT sprawl limits the ability to fully carry telemetry data from one element to another, which makes infiltration and lateral movement hard to detect.
Shoring Up SME Security
Because cybersecurity attacks on SME attacks don’t always make headlines, SMEs often underestimate their vulnerability and underinvest in security. However, adversaries have something to gain from just about any business; SMEs face many of the same threats that enterprises do.
The attacks above are some of the most common, but SMEs face a multitude of threats via many different vectors. And while it’s impossible for anyone to achieve 100% immunity from threats, it’s possible for SMEs to develop a strong, reliable security program that deflects most attacks.
What’s more, SME security isn’t as cost-prohibitive as many believe. To learn how to strike a balance between supporting your SME’s security and continuing to invest in business initiatives (without breaking the bank), check out the whitepaper written by JumpCloud and CrowdStrike, How to Secure Your SME with JumpCloud and Crowdstrike.