If only I had a dime every time I hear the claim from a business owner: I’m not a target, I have nothing of value! Sorry Bob, but that’s no longer the case.

What’s going on here?

It is a common belief, especially amongst small-to-medium-sized businesses (SMBs), that they are not the target of malicious actors, i.e. criminals, because they are too small and offer little value as a target. This belief amongst SMB owners, unfortunately, is no longer true.

The Facts

Every year, Verizon releases their Data Breach Investigations Report (DBIR), which is a collection of various data breaches, security incidents, etc. from a variety of sources over a large number of countries. The 2019 report consisted of:

  1. 41,686 security incidents
  2. 2,013 confirmed breaches
  3. 73 different data sources, from public and private entities
  4. 86 countries worldwide

I personally love the DBIR report, and the one from 2019 is especially a great read. Having said that, it also pointed out some interesting trends1:

  1. 43% of breaches involved small business victims
  2. 69% of the attacks were perpetrated by outsiders
  3. 39% of the attacks were done by organized criminal groups

You can look at it however you’d like, but those are some pretty interesting figures! I’d love to agree with the premise that SMBs are not targets, but unfortunately they are.

Why?

The most likely reason, I believe, is because there is a lack of protection for these businesses. Going along with the belief that there is nothing to worry about because the risk is small, most SMBs do not make information security a priority for their organizations. This makes sense - why spend time on something that isn’t going to help me grow the business? However, this lack of protection also makes these organizations easy targets for criminal groups.

Believe it or not, criminals are lazy. They are not going to use the latest and greatest attacks, 0-day exploits that companies like Microsoft and Google aren’t aware of yet, or any other form of attack that shows up in the latest news headlines. No, most of these criminals will simply go with old techniques because they work. If an SMB does not patch their main computer that’s connected to the Internet, attackers will find it and take advantage of tried-and-true methods for taking that machine over. Anti-virus software is great, but there are plenty of attacks that can easily bypass those programs without breaking a sweat.

Hold on, isn’t this just FUD?

Not really. FUD stands for Fear, Uncertainty, and Doubt. There certainly is an element of Fear here, because there is proof of bad people doing bad things to companies of all sizes, not just the big ones. I’m not trying to spread any false rumors or cause a panic; I’m honestly just pointing out the fact that SMBs do get targeted as well.

What can you do?

Taking security seriously does not mean you have to spend a fortune to protect yourself. Here are some very simple approaches you can take to help protect your organization, regardless of the size:

  1. Patching machines regularly, such as weekly, can help
  2. Use a simple firewall to prevent machines from being exposed directly to the Internet
  3. Use a strong password of at least 12 characters, or even better, a passphrase
  4. Even better, add multi-factor authentication to your accounts if possible - especially your business email accounts
  5. Use a modern antivirus/anti-malware solution
  6. Keep track of your systems, from laptops to servers, that you use to run your company
  7. A little awareness training can help everyone; ESET has some good, free training available that you can use to train your staff
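As an added illustration of step 3 (a minimum of 12 characters, or better still a passphrase), here is a small password policy check. This is example code written for this post, not EliteSec's tooling; the four-word passphrase threshold, the "distinct characters" rule and the tiny deny list are my own assumptions, and a real deployment would check against a proper breached-password list instead.

```python
"""Password/passphrase policy check.

Added example for step 3 above (at least 12 characters, or a passphrase).
Not part of the original post; thresholds below are assumptions.
"""
import re
from typing import List

MIN_LENGTH = 12            # threshold stated in the post
MIN_PASSPHRASE_WORDS = 4   # assumption: four or more words count as a passphrase
MIN_DISTINCT_CHARS = 4     # assumption: 'aaaaaaaaaaaa' is long but trivially guessable

# Constructed deny list of obviously weak choices; a real check would use a
# breached-password data set rather than a handful of literals.
DENY_LIST = {"password", "password1234", "letmein12345", "qwerty123456"}


def is_passphrase(secret: str) -> bool:
    """True if the secret is several words separated by spaces, hyphens or underscores."""
    words = [w for w in re.split(r"[\s\-_]+", secret.strip()) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


def check_password(secret: str) -> List[str]:
    """Return the list of policy violations; an empty list means the secret is acceptable."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if secret.lower() in DENY_LIST:
        problems.append("found in the deny list")
    if len(set(secret)) < MIN_DISTINCT_CHARS:
        problems.append(f"uses fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return problems


def password_report(secret: str) -> str:
    """One-line verdict suitable for showing to the user at password-change time."""
    problems = check_password(secret)
    if problems:
        return "REJECT: " + "; ".join(problems)
    if is_passphrase(secret):
        return "OK (passphrase)"
    return "OK (consider a passphrase instead)"


if __name__ == "__main__":
    # Constructed sample inputs, from weak to strong.
    for candidate in ["Summer2019", "password1234", "aaaaaaaaaaaa",
                      "Tr0ub4dor&3xtra", "correct horse battery staple"]:
        print(f"{candidate!r}: {password_report(candidate)}")
```

The check deliberately reports every violation at once rather than stopping at the first, so a user changing a password learns all the reasons in one round trip; the passphrase verdict is informational only, since a 12-character single "word" still meets the stated minimum.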

Criminals are opportunists; they will try to take advantage of easier situations. If you do these simple steps, you’ll be well on your way to protecting your organization, especially if you don’t believe you are a target.

If your organization is larger, or you’ve already taken some of these steps, then perhaps it’s time for a more thorough threat assessment and vulnerability analysis. Organizations that specialize in Information Security such as EliteSec can help. Contact us and we’ll be happy to talk with you about how to best protect your organization and your unique needs.

– John