Think that because your business isn't the size of a Target, JPMorgan Chase or Sony you're immune to today's breed of cyberthreats? Think again. Just because small and medium-sized businesses (SMBs) lack the financial resources or brand reputation of large enterprises doesn't mean attackers aren't targeting them, recent studies show.
Why exactly are SMBs in attackers' crosshairs? It isn't so much what's on their networks as how attackers can use those networks. “The hackers are looking at that network as another means, as another jump-off point, to go out and get some other networks. They want to turn your network into basically a botnet,” said Page Moon, CIO of Focus Data Solutions, an IT and Web hosting firm, at an IT Nation 2014 session in Orlando, Fla., last year. In other words, SMBs' systems are a potential entry point into other, larger networks.
And what do SMB IT pros believe is their top cybersecurity vulnerability? Employees. According to a 2014 study by digital security firm Gemalto, which surveyed 438 IT professionals working in SMB organizations, 77% of these IT pros consider employees the single weakest link in their security infrastructure, and a similar share (75%) say employees, particularly the risk that they unintentionally leak data, are their top cloud security concern. There may be good reason for these fears: the two security challenges topping the IT pros' lists are social engineering (48%) and BYOD management (42%), both of which involve employees.
Social engineering threats expected to rise
The first of these hurdles, social engineering, is a particularly devious threat because it exploits the fact that many SMBs, their employees and IT pros alike, lack security education; for instance, many believe that only back-end operations are vulnerable to the latest attacks, said Moon. The gap has a wider scope, according to the authors of Symantec's 2014 Internet Security Threat Report (ISTR), which examined trends in 2013. “While the ease of installation and cost of maintenance may have decreased, many new administrators are perhaps not familiar with how to secure their servers against attacks from the latest Web attack toolkits,” the authors write. SMB IT admins also aren't necessarily diligent about basics such as staying current with patches, they said.
Social engineering is lucrative for attackers. For example, 62,000 attacks of one common type of social engineering, spear phishing, raked in $233 million in October 2013 alone. Not a shabby return, considering that a spam service will send out half a million phishing emails for only $75, according to RSA, the security division of EMC Corp. And spear phishing aimed at SMBs has been rising in recent years: in the Symantec report, 41% of the IT pros working in companies with 1 to 500 employees reported this type of attack in 2013, up 5% from the previous year. According to Angel Grant, senior manager for anti-fraud solutions at RSA, social engineering attacks are poised to increase again this year.
Employee education reduces risks
It's clear that Fortune 500 companies aren't the only targets. So how can SMBs arm themselves with the limited resources they have? For starters, implementing the best security tools and technologies you can afford, perhaps cloud-based security apps, is certainly critical. But you also need to educate your employees. The benefit is quantifiable: equipping employees with the knowledge to deal with threats effectively can reduce security risks by up to 70%, according to companies recently surveyed by the Aberdeen Group.
It's important to note, however, that training employees doesn't just mean teaching them best practices for creating complex passwords or spotting suspicious emails; it also means changing how they approach their online interactions in general, said Chris Hadnagy, founder of security training company Social-Engineer. “If you just want people to follow the rules — don’t think, just do — you create an easy environment for [hackers],” he told Inc.
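The checklist employees are typically taught for spotting a spear-phishing email (a familiar name on an outside address, a lookalike company domain, a diverted Reply-To, link text that doesn't match its target, and urgency or money language) can be written down as code. The script below is an added example, not part of the original article or of any product mentioned in it; the company domain `example-smb.com`, the staff names and both sample messages are constructed for illustration.

```python
"""Heuristic spear-phishing indicators over constructed sample messages.

Added example (not from the original article). Encodes the checks employees
are taught to apply by hand. All domains, names and messages are constructed.
"""
import re
from email.utils import parseaddr

# Assumptions: the company's own domain and the names attackers impersonate.
OUR_DOMAIN = "example-smb.com"
INTERNAL_STAFF = {"dana reyes", "sam okafor"}

# Digit-for-letter swaps commonly used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account suspended",
                 "wire transfer", "verify your password")

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def domain_of(addr_or_host):
    """Lower-cased host part of an address or URL host, without any port."""
    return addr_or_host.rsplit("@", 1)[-1].lower().split(":", 1)[0]


def is_ours(domain):
    """True for the company domain or any subdomain of it."""
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def is_lookalike(domain):
    """True if `domain` imitates the company domain but is not part of it."""
    if is_ours(domain):
        return False
    norm = lambda d: re.sub(r"[.-]", "", d.lower()).translate(CONFUSABLES)
    return norm(OUR_DOMAIN.rsplit(".", 1)[0]) in norm(domain)


def phishing_indicators(msg):
    """Return the indicators found in a message dict.

    Keys used: 'from' (header value), optional 'reply_to', 'subject', 'body_html'.
    """
    found = []
    display, addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of(addr)

    # 1. Display name of a colleague, but the address is outside the company.
    if display.strip().lower() in INTERNAL_STAFF and not is_ours(from_domain):
        found.append(f"internal name '{display}' on external address '{addr}'")

    # 2. Sender domain is a lookalike of the company domain.
    if is_lookalike(from_domain):
        found.append(f"lookalike sender domain '{from_domain}'")

    # 3. Replies silently diverted to a different domain.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and domain_of(reply) != from_domain:
        found.append(f"reply-to '{reply}' differs from sender domain")

    # 4. Visible link text names one host while the href goes elsewhere.
    for href, text in HREF_RE.findall(msg.get("body_html", "")):
        href_host = URL_HOST_RE.search(href)
        text_host = URL_HOST_RE.search(text)
        if href_host and text_host and href_host.group(1).lower() != text_host.group(1).lower():
            found.append(f"link text '{text_host.group(1)}' points to '{href_host.group(1)}'")
        elif href_host and is_lookalike(domain_of(href_host.group(1))):
            found.append(f"link to lookalike domain '{href_host.group(1)}'")

    # 5. Pressure language: urgency, money movement, credential requests.
    text = (msg.get("subject", "") + " " + msg.get("body_html", "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        found.append("urgency or money language: " + ", ".join(hits))
    return found


# Constructed sample messages: one CEO-fraud lure, one ordinary internal mail.
SAMPLES = {
    "ceo_wire_fraud": {
        "from": "Dana Reyes <dana.reyes@examp1e-smb.com>",
        "reply_to": "dana.reyes@mail-relay.example.net",
        "subject": "Urgent: wire transfer before 3pm",
        "body_html": "I am in a meeting, please process this wire transfer immediately. "
                     '<a href="http://login.examp1e-smb.com/pay">https://portal.example-smb.com/pay</a>',
    },
    "legit_internal": {
        "from": "Sam Okafor <sam.okafor@example-smb.com>",
        "subject": "Lunch Thursday?",
        "body_html": 'Menu: <a href="https://cafe.example.org/menu">https://cafe.example.org/menu</a>',
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        hits = phishing_indicators(msg)
        print(f"{name}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

Run stand-alone, the lure trips all five checks and the ordinary internal mail trips none. The point for training is not the script itself but the order of checks: sender address and domain come before the body, because the body is where the attacker controls the narrative.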