All too often, small and midsized businesses are taken advantage of by cyber criminals. In fact, according to Chubb, more than half of all cyberattacks are directed against small and midsize enterprises (SMEs) and that number is steadily increasing. Here are some further important details related to this subject:
- 93% of SMEs that have experienced a cyber incident reported that it had a severe impact on their business.
- Almost all SMEs affected by a cyber incident reported a loss of money and savings.
- 31% of SMEs reported damage to their reputation, which eventually led to a loss of clients, as well as an increased difficulty in attracting new employees and winning new business.
- Nearly 50% of SMEs reported an interruption in service which ultimately damaged their ability to operate.
- Despite all these figures, less than 3% of all SMEs have a cyber insurance policy in place.
To better understand how cyber criminals can attack an SME, we must first understand why the attack occurs in the first place. Chubb suggests there are two distinct reasons why SMEs are targeted more often than large businesses:
- Reason #1 – Because most news headlines suggest that large companies are the only ones facing these massive cyberattacks, SMEs don’t feel the need to prepare accordingly. Cyber criminals are constantly looking for easy targets to attack. In fact, Chubb states that, “they often accomplish this by using software that automatically scans the web and identifies companies with specific security weaknesses… making the process nearly effortless for them.” SMEs get targeted often because they are “low hanging fruit.” With less security in place, SMEs are not only easier to target, but they also can potentially provide substantial payouts to cyber criminals in the form of bank account information, ransom money, and stolen credit cards.
- Reason #2 – Large businesses can spend a much larger amount of money on corporate cybersecurity to ensure that their tech is protected. SMEs face most of the same threats; however, they don’t have the same budget required to protect their businesses.
After reading this, it makes sense why cyber criminals would choose to attack an SME rather than a large business. In addition to using the above-mentioned software, cyber criminals have several other ways they can attack an SME’s website or internal server. Below, you will find four unique methods of attack:
- Attacks on Physical Systems – Cyber criminals can access the internal server or hardware through poorly protected devices that have legitimate access (laptops, desktop computers, tablets, USB devices, etc.). They can also gain access through a server room break-in. This could be triggered by something as minor as plugging an infected USB drive into a company computer.
- Authentication & Privilege Attacks – When passwords are weak, cyber criminals have an easier time gaining access to a company’s sensitive information. The amount of information that is available to the public can be somewhat surprising to many. According to Chubb, “There is a vast repository of billions of compromised user ID and password combinations available today on the dark web.” Many people aren’t changing their passwords as frequently as they should, so it may not be difficult for a cyber criminal to find valid credentials and gain access to an SME’s server.
- Loss of Service – Chubb states there are two different ways to lose service (i.e., an SME’s site cannot be accessed). The first way to lose service involves human action and the other involves service failures that lead to an inability to connect to the Internet.
- Malicious Internet Content Attacks – There are several types of content attacks, one of which is called phishing. According to Chubb, “Phishing involves sending an employee an email with a link that, when clicked on, automatically downloads malicious software onto the computer that employee is using.” The cyber criminals take advantage of these employees by making the email seem as if it is coming from a fellow coworker or employer.
Now, SMEs are probably asking themselves, how can we protect ourselves from cyberattacks? At first glance it seems nearly impossible to stop these cyber criminals from attacking your business; however, there are several simple measures SMEs could take to create their own cyber risk policy. Below you will find five risk mitigation steps:
- Develop and Enforce a Formal, Written Password Policy – One of the fastest ways a cyber criminal gains access to SME assets is by taking advantage of weak or reused passwords. To resolve this issue, SMEs should put in place a written password policy encouraging their employees to create strong passwords (a mix of letters, numbers, and symbols) that are frequently changed. If an employee leaves the company, make sure to change their password and/or even delete their account information.
- Educate All Employees Regularly on Cybersecurity Vigilance – SMEs should inform employees of the role they play in preventing a cyber breach. It’s easy for malicious software to latch onto a company server when company laptops or devices are used offsite and then connected back to the server. The best way to establish positive cyber habits is by participating in regular training and education.
- Update IT Equipment & Deploy Security Software – As is expected, an easy way to fix cyber security problems is by updating IT equipment. Outdated operating systems are easy for cyber criminals to attack because their malware is so sophisticated. It is also important to make sure those that have legitimate access to the network are the only ones connecting. Even without cyber security experts on your team, downloadable software offerings are available that do essentially the same thing.
- Create a Cyber Incident Response Plan – Even though most SMEs can’t resolve a major cyber breach on their own, there are ways to make it less damaging. Have a team of cyber responders consisting of employees and outside service providers ready to work on the incident.
- Purchase Cyber Insurance – SMEs can fully protect their assets and the viability of their businesses by purchasing cyber insurance. The cost of insurance will be FAR less than the cost of shutting down a business in the wake of one or more cyberattacks. And cyber insurance can be packaged with other services/policies.
There are several measures available for SMEs to protect themselves from cyberattacks and cyber criminals. Unfortunately, most cyber criminals know how to take advantage of your business, so it is your job to ensure that you are protecting your information on a regular basis. At the end of the day, we encourage you to buy a cyber insurance policy to guarantee that your business and its assets are protected. We will leave you with one final quote from Chubb, “In today’s world, it behooves SMEs to ensure their company’s future by incorporating common-sense cybersecurity measures. Fortunately for them, although cybersecurity has historically been a highly technical and costly challenge, such simple measures as those mentioned above can provide effective protection at a low level of cost and complexity.”
For more information on this, please see the blog from Chubb!