SMEs Increasingly Targets of Cybercrime
The finding, from Symantec’s Internet Security Threat Report 2013, is an increase on earlier figures. In 2011 SMEs accounted for just 18% of cyber attacks but by 2012 that figure had risen to 31%.
By comparison, big businesses with between 251 and 2,500 employees took 19% of the cybercriminals’ attention and the remaining 50% of attacks were on businesses with 2,500 or more staff.
A key reason for the increase in attacks on small and medium-sized businesses is that they often have less sophisticated defences. As the report said:
"While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses."
Describing attackers as following the "path of least resistance", Symantec referred to the increased waves of attacks as crimes of opportunity, with small businesses offering the greatest opportunity for criminals.
Larger companies typically had more hardened defences, so by targeting smaller firms with which bigger companies had a relationship, criminals were also expecting to "leap frog" into larger companies.
Another reason for the increase in the criminal focus on small businesses came from the fact that they could be used as a base for further attacks. Only last week hosting providers reported an upsurge in attempts to hack into WordPress blogs.
The crude brute force botnet attack mainly focused on WordPress sites with common usernames "admin" and "user" with a wordlist of common passwords.
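Because the attempts come from a botnet, each address may stay under a per-IP lockout threshold while a single username is hit from many sources. The detection sketch below is an added example, not from Symantec or the hosting providers; the log format, the sample events and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; hypothetical format: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2013-04-15T09:00:02 198.51.100.11 admin FAIL
2013-04-15T09:00:09 203.0.113.45 admin FAIL
2013-04-15T09:00:15 192.0.2.77 user FAIL
2013-04-15T09:00:31 198.51.100.200 admin FAIL
2013-04-15T09:00:40 192.0.2.18 alice FAIL
2013-04-15T09:00:58 203.0.113.9 admin FAIL
2013-04-15T09:01:05 192.0.2.18 alice OK
2013-04-15T09:01:20 198.51.100.11 user FAIL
2013-04-15T09:01:44 192.0.2.130 admin FAIL
2013-04-15T09:02:10 203.0.113.45 user FAIL
"""

def parse(log):
    """Yield (time, ip, user) for each failed login; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "FAIL":
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def detect(log, window=timedelta(minutes=5), per_ip_limit=5, spread_limit=4):
    """Return (noisy_ips, sprayed_users) seen within any sliding window.

    noisy_ips: one address with >= per_ip_limit failures (classic rule).
    sprayed_users: one username failed from >= spread_limit distinct
    addresses, which is what a botnet produces while each bot stays quiet.
    """
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    noisy_ips, sprayed_users = set(), set()
    for ts, ip, user in sorted(parse(log)):
        for key, table in ((ip, by_ip), (user, by_user)):
            q = table[key]
            q.append((ts, ip))
            while q[0][0] < ts - window:  # expire events outside the window
                q.popleft()
        if len(by_ip[ip]) >= per_ip_limit:
            noisy_ips.add(ip)
        if len({src for _, src in by_user[user]}) >= spread_limit:
            sprayed_users.add(user)
    return noisy_ips, sprayed_users

if __name__ == "__main__":
    ips, users = detect(SAMPLE_LOG)
    print("per-IP rule flagged:", sorted(ips))
    print("per-username rule flagged:", sorted(users))
```

On the sample, the per-IP rule flags nothing while the per-username rule flags "admin", which is why lockout and alerting should key on the targeted account as well as the source address.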
Symantec have coined a term for some of the attacks on small business websites where opportunist criminals might exploit a website’s vulnerability to upload malicious software.
Visitors to the site will then be probed for vulnerabilities, with insecure browsers being infected. These "watering holes", where bait is left for passers-by, are increasing in number.
In one watering hole attack, a tracking script on a legitimate human rights organisation’s website exploited a zero-day vulnerability in Internet Explorer. It could easily have affected the visitors from over 500 companies and organisations that visited over the 24-hour period that the site was monitored by Symantec.
Advice for Small Businesses
The security firm’s advice to SMEs is that business owners should adopt the assumption that they’re a target, regardless of how small the business or how anonymous they think they might be.
Establishing a strong security policy is key to firming up any small business’s defence and employees should be kept informed of the risks.
Data is also an important target of cyber attacks and businesses should guard against data loss. Symantec advise that SMEs should use encryption to protect their data both online and on media – USB sticks/thumb drives and CDs/DVDs should all have their data encrypted.