5 Tips for Defending Against Cyber Attacks on Small Businesses (And Why They're Targeted)

The headlines are often filled with data breaches and cyberattacks that target large enterprises, yet small and medium-sized businesses are no less susceptible to malicious attacks.

In fact, small businesses are likely to have fewer resources to devote to cybersecurity and less staff to monitor potential threats to critical IT systems, according to experts.

A June 2016 study, sponsored by Keeper Security and conducted by the Ponemon Institute, found that more than 50 percent of SMBs were breached in the previous 12 months. The study also found that only 14 percent of the companies surveyed rated their ability to mitigate cyberattacks as “highly effective.”

Recent research in the United Kingdom yielded similar results. According to a U.K. government survey released last week, 52 percent of small businesses (10-49 employees) and 66 percent of medium-sized businesses (50-249 employees) reported identifying a cybersecurity breach in the past 12 months.

Why are SMBs targeted so much?

Why Do Cybercriminals Focus Cyber Attacks on Small Businesses?

Cybersecurity firm FireEye says that there are five main reasons SMBs are frequently attacked by hackers.

One is that, for criminals, cyberattacks against SMBs offer both low risks and high rewards. That’s largely because, according to the United Nations Office on Drugs and Crime, only 10 percent of cyber crimes reported to police by SMBs result in a conviction.

“Advanced malware typically resides in infected systems for weeks, even months, before common security tools detect it,” according to a FireEye white paper on the topic. “Some malware quietly cleans up after itself after exfiltrating data to make a clean getaway. Other malware makes sure to leave few traces in the first place, running solely in computer memory so that no artifacts are left on the compromised machine’s storage.”

And those factors are usually heightened with SMBs, “which are usually less able than their larger counterparts to detect and counter advanced threats. With much to gain and little to lose, cyberattackers have strong incentives to attack.”

SMBs are also easier targets, since, according to the U.N. data, 65 percent of them have no data security policy, FireEye notes. Similarly, the U.K. survey found that only around a third of firms have a formal policy on cybersecurity. FireEye notes that, unlike large firms, SMBs typically have IT directors wearing many hats.

Many SMBs “cannot afford the layered, ‘defense-in-depth’ security employed by large enterprises. And even if they could, most of these defenses are futile anyway,” FireEye says.

That’s because of the third reason SMBs are targeted: Their cybersecurity defenses are ill-equipped to deal with today’s advanced threats. “Firewalls, next-generation firewalls, intrusion prevention systems (IPS), antivirus (AV) software and gateways remain important security defenses,” the white paper notes. “But they are woefully ineffective at stopping advanced attacks.”

According to a real-world study conducted by FireEye, attackers bypassed multiple layers of security in 96 percent of deployments. “These traditional technologies rely on approaches such as URL blacklists and signatures. By definition, these approaches cannot stop advanced attacks that exploit zero-day vulnerabilities,” the white paper says.

FireEye adds: “If an IPS or AV program does not have the signature of a new exploit, it cannot stop it. When highly dynamic malicious URLs are employed, URL blacklists do not cut it. Furthermore, many advanced attacks are a blend of email and network exploits, making it even more difficult for these technologies as standalone solutions to stop them. Most defenses can stop known attacks but are defenseless against unknown, advanced attacks.”

Despite these risks, SMBs are attacked because of a lack of awareness around the importance of cybersecurity. According to the Ponemon Institute, 58 percent of SMBs don’t consider cyberattacks a big risk to their organization, and 44 percent don’t consider strong security a priority.

Finally, SMBs are attacked because their information is valuable. Small businesses have customers’ credit card numbers, their employees’ personal data and, depending on the business, access to financial data. For example, FireEye notes, in the case of a real estate firm, “it might be something as valuable as the keys to the business banking account.”

According to Ponemon’s 2016 “Cost of Data Breach Study,” the average consolidated total cost of a data breach grew from $3.8 million in 2015 to $4 million in 2016.

How To Fight Against Cyber Attacks on Small Businesses

What can SMBs do to fight back? FireEye lists five key priorities:

1. Assume you’re a target. “Your data is valuable. And you likely have ties to bigger, higher-profile business partners,” FireEye says. “Given that today’s advanced attacks can easily bypass most security tools, you may have been breached and not yet know it. By assuming that you are in cyberattackers’ crosshairs, you can better prepare yourself against the inevitable attack.”
2. Identify your most valuable assets and connections. This might be more difficult than it sounds, FireEye notes. “Information that seems ordinary to you — say, the name of a business contact’s executive assistant — could help cyberattackers forge a spear-phishing email that compromises a vital partner,” the firm says. “Identify potentially valuable data and how it could be vulnerable to well-funded, highly-organized attackers. That crucial step will help spot the weakest links in your security system and highlight what you need to do to protect your assets.”
3. Adopt a real-time security approach. “To limit damage, choose a solution that stops advanced threats in real time,” FireEye says. “Otherwise it could take an average of 320 days to discover an attack.”
4. Cover all attack routes. According to FireEye, more than 90 percent of attacks come through web traffic and email. SMBs also need to protect shared files and endpoint devices.
5. Know that technology alone is not enough. Firewalls and anti-virus software stop only known attacks, FireEye notes. “To be well prepared, select a solution that stops known and unknown attacks, and augment it with the right people and processes,” the firm says.