October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.
What are hackers really like?
If pop culture has any say in it, they’re usually effortlessly cool members of the counterculture who use mononym code names and have a vendetta against the world.
If stock image libraries have any say in it, they’re someone working on a computer with their hood up (for some reason).
One thing cybercriminals aren’t usually depicted as is businesspeople (maybe because it doesn’t make for an exciting story premise or photo). But more often than not, cybercriminal groups function a lot like legitimate businesses: they plan strategically, hire talent, and work for a profit.
Understanding how these cybercriminal groups work and what they’re after is important to forming your defense strategy: after all, you can’t defend your organization if you don’t know what it’s up against. And small to medium-sized enterprises (SMEs) are up against quite a lot: 42% of the small businesses that responded to a 2021 survey reported that they had experienced a cyberattack within the last year.
This blog will dive into the motivations behind cybercrime against SMEs. Understanding these attacks is critical to developing a defense plan and prioritizing it: what are cybercriminals really after when they attack SMEs?
It’s All About the Money.
First things first: cybercriminal groups are often run like businesses, and they share a common end goal: money. While some attacks may be driven by non-monetary motives — like political attacks and hacktivism — most cybercrime today is a for-profit venture. Money is the key motivator in the vast majority of cybercrimes and 100% of cybercrimes against very small businesses (those with 10 or fewer employees).
How Do Cybercriminals Profit?
We’ve established that cybercriminals are looking for money — but we’ve seen enough attacks in the news to know they don’t always go straight for the finances. So, how do they profit?
Cybercriminals can profit from attacks directly or indirectly. For example, they may profit directly by demanding a monetary ransom, or indirectly by selling stolen data to another cybercrime organization.
What Are Cybercriminals After?
With this in mind, let’s dive into the different things cybercriminals might go after in an attack. The following are some of the most common targets. This list is not exhaustive, but it may help give you a sense for what many attackers are looking for when they strike.
- Direct payments.
Naturally, receiving direct payments from victims is the most efficient way to profit from an attack. In attacks like ransomware, for example, adversaries earn money directly by locking down a company’s assets and demanding a ransom in exchange for unlocking them. In others, adversaries may profit by selling breached data, assets, or information.
- Credentials and network access.
Credentials aren’t direct revenue in a cybercriminal’s eyes, but they’re close to it. Hackers often steal credentials and use them to further penetrate the target’s network (or other networks), or sell them to other criminals who may leverage them to hack personal accounts, for example. This means that breached credentials often circulate farther than they may appear to, endangering those assets as well as the employees, customers, and third parties associated with them.
- Intellectual property.
Adversaries know intellectual property (IP) is valuable and unique, which makes it a highly attractive asset to steal: they know SMEs will work hard (and likely pay big) to get it back. For similar reasons, leaked IP can be highly detrimental to an SME and highly valuable on the black market, which can motivate cybercriminals to spread or sell it.
- Company information.
As in any good movie heist, the majority of time spent in many attacks goes to reconnaissance: adversaries often spend a considerable amount of time seeking out information about their target to plan their attack. Information about your network or defense system, for example, could either help the cybercriminal group strike later or be sold to another group looking to mount an attack.
- Third-party access.
In supply chain attacks, you may not be the attack’s first or last stop. Some cyberattacks follow the supply chain to their intended target or leverage company connections by infecting one company or product and allowing it to spread throughout the supply chain.
Aside from the damage caused by being breached in a supply chain attack, companies may also face compliance and reputational ramifications if they incurred a breach that spread to other parties.
- Access to resources.
Some attacks leverage a company’s resources or relationships. For example, a cybercriminal group may target an SME as part of a larger DDoS attack, to hijack compute resources for crypto mining, or to steal personally identifiable information (PII) for financial scams or fraud.
- Testing out tactics.
When cybercrime groups develop new tactics or mount high-profile attacks, they often test out their tactics first — sometimes, on real businesses. Some unlucky organizations end up acting as the test subject for a new attack vector.
- Company damage.
Some attacks aim to simply cause damage — wipe data, cause downtime, or even drive a total business shutdown. These are often the attacks that are politically, competitively, or ideologically motivated.
How Is Cybersecurity Different for SMEs Than Enterprises?
In terms of general vulnerability and risk type, SMEs and enterprises don’t differ as much as many believe: in fact, SMEs are targeted at almost the same rate as enterprises. And they face many of the same types of threats: ransomware and use of stolen credentials fall within the top three breach methods for both very small businesses and companies of all sizes.
However, cybersecurity can differ between SMEs and enterprises in terms of scale: SMEs are sometimes targeted with smaller-scale attacks. For example, adversaries often demand lower ransoms from SMEs because they know SMEs will pay them. Other attacks where SMEs are indirect casualties, like attacks that infiltrate SMEs to gain more information about a large enterprise they do business with, may hit the final target (i.e., the enterprise) harder.
But SMEs also tend to invest less heavily in security than their enterprise counterparts. Not surprisingly, SMEs don’t have the virtually unlimited budgets and resources that enterprises do to protect themselves. SMEs are less likely to have dedicated security teams or personnel — for example, the majority of companies with fewer than 1,000 employees do not have a CISO. And less than half of small businesses have an incident response plan in place.
What’s more, many people — including SME leaders — do not believe SMEs are susceptible to cybersecurity attacks. For example, a 2022 CNBC survey found that 61% of small business owners are not concerned about falling victim to a cybersecurity attack, and only 5% of small business owners named cybersecurity their top concern.
The combination of limited resources and leadership’s false sense of security in SMEs causes them to significantly underinvest in cybersecurity. As a result, SMEs often have much more limited defenses than their enterprise-level counterparts.
How to Protect Your SME
Understanding that cybercriminals do target SMEs and what types of assets they’re after is half the battle. But many SMEs feel at a loss when it comes to developing a security program, especially when working with limited resources and facing a market that tends to cater its security solutions to large enterprises.
Fortunately, there are ways for SMEs to build a strong foundation of security — or work to shore up their existing security — that are both affordable and effective. For guidance on security tailored specifically for the resource-strapped SME, check out the whitepaper we wrote with CrowdStrike, Combining Business Priorities and Security: Choose Your Own Adventure.