These statistics show more cyber attacks are hitting small businesses. They also explain how, why, and what we can do about it.
As if small business owners didn’t already have enough on their plates, recent data indicates that SMBs actually suffer the lion’s share of malware infections. That may be surprising considering it’s typically major corporate data breaches and huge ransomware paydays that dominate the headlines. But the numbers suggest there’s a whole host of smaller-scale attacks that are wreaking havoc on small businesses on a daily basis.
If you’re a small business owner, or if you work with small businesses in an IT capacity, here’s what you need to know.
58 percent of malware attack victims are categorized as small businesses
It’s true — small businesses are actually big victims when it comes to cyber attacks. Not only do they suffer more malware infections, the frequency of attacks against SMBs appears to be on the rise, as well. According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, the percentage of small businesses that have experienced a cyber attack in the past 12 months is up from 55 percent in 2016 to 61 percent in 2017.
One way to interpret those findings is to assume that cyber criminals are explicitly targeting small businesses, but it’s more likely that SMBs simply present more vulnerabilities. After all, it’s giving most hackers too much credit to consider them sharpshooters. They tend to utilize opportunistic approaches and techniques that can be better described with terms like “spray and pray.” For smaller companies, it’s often simply a matter of being caught in the line of fire without adequate protection.
That said, small business owners should be aware that their companies do represent worthwhile opportunities for hackers. While smaller companies may not have resources or data at the scale of enterprise-level organizations, they do have valuable business data (such as customer information that could be used in identity theft crimes) and can often provide access to larger companies via unprotected connections (ex: the massive Target data breach of 2013 was perpetrated by hacking a small HVAC company first).
In 2017, cyber attacks cost small and medium-sized businesses an average of $2,235,000
Not only are small businesses being hit by hackers, the attacks are costing them a lot of hard-earned cash. In 2017, average malware-related costs for small and medium-sized businesses included $1,027,053 due to damage or theft of IT assets, and $1,207,965 due to disruption to normal business operations. Sobering, right?
In general, cybercrime is big business. It’s predicted that by 2021, cybercrime will cost the world $6 trillion annually. That’s double the $3 trillion tab cybercrime racked up in 2015. Ransomware damage costs alone are on track to hit $11.5 billion in 2019, at which point it’s estimated that a business will fall victim to a ransomware attack every 14 seconds.
These numbers can sometimes seem too big or abstract to translate into real-world terms, but the bottom line is they are built on thousands and thousands of very real attacks. Our next statistic helps paint a more detailed picture of how those attacks play out.
[Related Reading: What Is Ransomware?]
92.4 percent of malware is delivered via email
How do hackers gain access to small business networks in the first place? Not surprisingly, the number one tactic is email, or, more specifically, email attachments. According to Symantec’s 2018 Internet Security Threat Report, 88 percent of malicious emails use malware-laden attachments to ensnare their victims.
To put that in day-to-day terms, on average, each user at a small business (fewer than 250 employees) receives nine malicious emails per month. That means that if you have 10 employees, your company could be at risk of an email-borne malware infection an average of 90 times each month. To avoid infection, either your firewall or email filtering has to come through, or your employees have to make the smart decision 90 out of 90 times. All it takes is one slip or one wrong click for your business to be compromised.
And, unfortunately, email isn’t the only thing you have to worry about. While email is the starting point for a majority of attacks on small businesses, there are other points of entry that can be just as—or even more—effective.
Microsoft’s Remote Desktop Protocol (RDP) is one example that continues to gain traction, especially in attacks on small businesses. The reason is many small businesses outsource their IT, and one of the most common remote management tools is RDP.
If you’ve ever had an IT person login to your computer and take over your keyboard and mouse to work on an issue, chances are they were using RDP.
RDP is an incredibly useful tool, but when left exposed to the Internet, it can be a beacon for attackers who can attempt to establish their own connection by cracking RDP passwords (what’s known as a brute-force attack). RDP brute-force attacks have become especially popular ways of staging ransomware infections, with the groups behind SamSam, CrySiS, LockCrypt, Shade, and other ransomware variants all getting in on the act.
60 percent of small businesses say attacks are becoming more severe and more sophisticated
Email remains the most common method of getting a foot in the door. Once that initial access has been established, however, the techniques attackers use to evade security, deploy malware, and establish control over compromised computers are changing.
According to another recent Ponemon study, the majority (77 percent) of successful attacks in 2017 utilized exploits or other “fileless” techniques that were able to bypass the victims’ security. Because these techniques replace the need for dropping malicious executable files on disk, security solutions such as traditional antivirus (AV) programs can’t detect them. With no file to scan, there’s unfortunately nothing AV can do.
Thanks to their effectiveness, the Ponemon study estimates a third of all attacks in 2018 will make use of fileless techniques.
Ransomware also continues to be a growing concern for small businesses—with more than half of the organizations surveyed in the 2017 Endpoint Security Risk Report experiencing one or more ransomware incidents in 2017. Of those organizations, 40 percent experienced multiple ransomware incidents.
Recent data indicates ransomware is no longer the most prevalent form of malware, however. That title now belongs to cryptominers — malware designed to hijack an infected system’s resources in order to mine cryptocurrency without the victim’s knowledge.
The growth of cryptomining malware is staggering. According to IBM, cryptomining attacks increased by 600 percent between January and August of 2017. Researchers at Checkpoint reported that cryptominers affected more than half (55 percent) of organizations globally in December 2017.
What makes this shift in payloads especially notable for small businesses is that cryptominers are a completely different threat than ransomware. Organizations that responded to ransomware infections by investing in backup were smart to do so, but now they face a threat designed to infect them just as effectively while quietly draining their resources and bogging down their systems over time. Small businesses need to adapt their security efforts accordingly, and make sure they’re properly equipped to address infections that aren’t as blatant as ransomware.
To prevent these silent attacks from taking hold, organizations need to prioritize preventative measures like threat detection.
Advanced protection and prevention is the #1 budget priority
Because of these new realities, small businesses are getting serious about upgrading their protection. The number one priority for companies is making sure they have advanced protection and prevention in place. This is a smart move given that only 21 percent of small and medium-sized businesses rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective. 81 percent of SMBs report that exploits and malware have evaded their antivirus solutions.
The good news: Blocking attacks doesn’t have to be complicated or expensive
While malware and the techniques cyber criminals use to inflict it on their victims continues to evolve, you’ll be glad to know that the good guys have been keeping pace with sophisticated developments of their own.
Companies no longer need to rely solely on traditional AV solutions with well-documented gaps, and small businesses don’t need to break the bank investing in cybersecurity infrastructure and hiring IT security professionals. Small businesses can get the protection and cybersecurity expertise they need at a price they can afford with Alert Logic.
[Related: Learn More About MDR for Small Business]