SMEs Increasingly Targets of Cybercime

Internet Security threat Report 2013In a new report from security firm Symantec, businesses with 250 employees or fewer are being increasingly targetted by cyberciminals.

The finding, from Symantec’s Internet Security Threat report 2013, is an increase on earlier figures. In 2011 SMEs accounted for just 18% of cyber attacks but by 2012 that figure had risen to 31%

By comparison, big businesses with between 251 and 2,500 employees took 19% of the cybercriminals’ attention and the remaining 50% of attacks were on businesses with 2,500 or more staff.

A key reason for the increase in attacks on small and medium-sized businesses is that they often have less sophisticated defences. As the report said:

"While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses."

Describing attackers as following the "path of least resistance", Symantec referred to the increased waves of attacks as crimes of of opportunity with small businesses offering the greatest opportunity for criminals.

Larger companies typically had more hardened defences so by targeting smaller firms with which bigger companies had a relationship, criminals were also expecting to "leap frog" into larger companies.

Another reason for the increase in the criminal focus on small businesses came from the fact that they could be used as a base for further attacks. Only last week hosting prividers reported an upsurge in attempts to hack into WordPress blogs.

The crude brute force botnet attack mainly focused on WordPress sites with common usernames "admin" and "user" with a wordlist of common passwords.

Watering Holes

Symantec have coined a term for some of the attacks on small business websites where opportunist criminals might exploit a website’s vulnerability to upload malicious software.

Visitors to the site will then be probed for vulnerabilities with insecure browsers being infected. These "watering holes", where bait is left for passers by, are increasing in number.

One watering hole attack was found where the tracking script, on a legitimate human rights organisation’s website, exploiting a zero-day vulnerability in Internet Explorer, could easily have affected the visitors from over 500 companies and organisation that visited over the 24 hour period that the site was monitored by Symantec.

Advice for Small Businesses

The security firm’s advice to SMEs is that business owners should adopt the assumption that they’re a target, regardless of how small the business or how anonymous they think they might be.

Establishing a strong security policy is key to firming up any small business’s defence and employees should be kept informed of the risks.

Data is also an important target of cyber attacks and businesses should guard against data loss. Symantec advise that SMEs should use encryption to protect their data both online and on media – USB sticks/thumb drives and CDs/DVDs should all have their data encrypted.

To read the full report visit Symantec’s annual threat report page where you can download the main report (5.5Mb PDF) and supplemental data (5Mb PDF)

Related Articles

To read more about internet security take a look at our articles on:

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>