The mantra for many hackers these days isn’t “go big or go home.” Instead, it’s “good things come in small packages” — because they are looking past large enterprises, and setting their sights on small and mid-sized businesses (SMBs).
Below, we highlight five reasons why hackers find SMBs such an attractive and lucrative target:
1. SMBs are typically much easier to hack than large enterprises.
Many SMBs do not perform ongoing, comprehensive IT security audits (and several do not perform them at all). As a result, they have a false sense of confidence that hackers can exploit with remarkable ease and speed — often burrowing deep into servers where they remain hidden for extended periods of time. And we aren’t talking days here, or even weeks — we’re talking months and even years. Keep in mind that it now takes an average of 287 days to initially detect a breach, and an additional 80 days to contain it.
What’s more, the new Devolutions’ State of IT Security in 2022/23 Survey has found that the majority of SMBs are unprepared for a cyberattack. For example:
- 88% of SMBs do not have a fully-deployed PAM solution in place.
- 44% of SMBs do not have a comprehensive and updated cybersecurity incident response plan in place.
- 35% of SMBs do not measure the impact of cybersecurity training on end users.
2. Hacking SMBs is highly profitable.
Hollywood would have us believe that hackers spend all of their time hunting the world’s biggest corporations and government agencies. But the plain, pedestrian reality is that most hackers are perfectly happy targeting SMBs. They aren’t motivated by making headlines. They’re interested in stealing credentials and data — either for their own illicit use, or to sell on the dark web.
Just how much money are we talking here? More than most people imagine! Mid-level cyber criminals can easily make up to $900,000 USD a year. And they don’t need ultra-sophisticated technology, either. Just one phishing email could lead to a 6-figure ransomware payout. With this kind of staggering ROI, the question isn’t “why are hackers targeting SMBs?” but rather “why on earth would hackers ever stop targeting SMBs?”
3. SMBs can be a gateway to larger organizations.
Cyber criminals often target vulnerable SMBs as stepping stone on their way to larger, tougher-to-breach enterprises. For example, cybersecurity firm BlueVoyant analyzed hundreds of SMB defense company contractor firms, and discovered that over half had massive vulnerabilities within their networks — including unsecured ports and unsupported or unpatched software, therefore making them highly vulnerable to cyberattacks.
4. Many SMBs have no choice but to pay when they’re hit by ransomware.
The new Devolutions’ State of IT Security in 2022/23 Survey revealed that the number one threat that worried SMBs is ransomware. This fear is valid, given that ransomware attacks have surged in recent years, and the average ransom payment has skyrocketed to $170,704 per incident.
Obviously, no company — regardless of size — is indifferent to being extorted by cyber criminals. However, after getting hit with a ransom demand, some larger organizations with deep pockets and ample resources have the option of temporarily going offline while they race to deploy a backup. Of course, they incur some costs. But after crunching the numbers and looking at the bigger picture, leadership may decide that the better strategy is not to pay a ransom.
Most SMBs simply do not have this option. The idea of “going off the grid” even for a few hours — let alone a few days — is not just problematic: it is a non-starter. And since many SMBs do not have in-house IT security experts to guide them through this nerve-wracking process, they decide that paying a hefty ransom is the lesser of two evils. Unfortunately, this is precisely what hackers are counting on.
5. SMBs can be especially vulnerable to “CEO fraud.”
In large enterprises, most employees never get an email from the CEO (unless it’s one of those generic mass emails that are sent to groups or everyone). But in SMBs, it’s typical to get an email from the CEO asking about various tasks and priorities.
Hackers exploit this routine, ordinary practice through what is known as “CEO fraud.” This involves a short message from the CEO (or potentially any other executive such as a CFO, VP of Finance, etc.), to an employee asking about an outgoing payment. Here is a real-world example of this tactic that was published by the cybersecurity company Trustwave (the names have been changed):
From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention
Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.
In this case, the victim quickly responded to the (fake) CEO’s email, which triggered a short correspondence that ultimately led to an outgoing bank transfer of more than $32,000. Once the fraud was detected, the hackers — and the cash — were gone without a trace.
The Bottom Line
SMBs that believe they are too small to be targeted by hackers need to think again. As pointed out by Forbes contributor and small business consultant Rhett Power: “Many entrepreneurs, startup founders, and small business owners might think of themselves as minnows compared to Fortune 500 whales. They assume they’re too small to attract the attention of hackers and cyber attackers. But that’s not how bad actors see it.”
Yes, there is a slim chance that an SMB might slip through the cracks and avoid getting torpedoed by ransomware, malware, botnets, spyware, and the list of cyberthreats goes on — and we haven’t even brought up the risks posed by rogue and careless/negligent insiders.
But there is an even greater chance that, at some point — and it will likely be sooner rather than later — wishful-thinking SMBs will find themselves under attack. When (not if) that happens, the damage could be severe, and potentially catastrophic. Consider that the average cost of a data breach has climbed to $4.24 million per incident, which is the highest average ever recorded. And lost business contributes to 38% of data breach costs.
The Way Forward
Thankfully, the story isn’t completely negative (and utterly terrifying). SMBs can dramatically reduce the size and vulnerability of their attack surface by proactively strengthening their IT security defense posture in four key areas: password management, privileged account management (PAM), remote access management, and end user training.
We take a deeper look at these areas in the Devolutions State of IT Security in 2022/23 Survey Report, which will be available in the coming weeks.
In the meantime, we urge SMBs to explore The Devolutions Cybersecurity Guide, which is a curated collection of cybersecurity-related content from our blog. Topics include everything from password management to end user training to online scams (yes, including CEO fraud), and more. Click here to access to guide now, and start closing the gap — before hackers invade, not after.