Small businesses and cyberattacks—You're more vulnerable than you think

When it comes to cybersecurity, the default mindset is that a small business is not a target for cybercriminals. After over a decade in the cybersecurity industry, some of the common phrases I have heard too often are:  

“I’m too small. Who would target me?” 

“I don’t have anything they would want.” 

“I don’t think it’s worth the time and money investing in cybersecurity products. I’ll never be a target.” 

These may have been pretty accurate statements 10 years ago when attackers were almost exclusively targeting the enterprise world. The risk for attackers was significantly higher, but if successful, the reward was much bigger.  

However, cybersecurity has always been a cat and mouse game. Enterprises evolved, increasing their security posture and making it more difficult for attackers to be successful. In response, attackers have upped their game. And as enterprises continue to increase their cybersecurity, threat actors also continue to evolve. In the last few years, the cybersecurity landscape has changed drastically.  

These changes started with the enterprise world and enterprise cybersecurity teams. They evolved from using traditional antivirus to next-generation antivirus (NGAV). This gave them the ability to block and learn more about how the attackers were getting into systems, so they could increase cybersecurity and set up better protective measures.  

Cybercriminals evolved as well. Instead of using their traditional techniques, exploits, and malware, they started to use our tools—such as PowerShell and WMIC—against us. 

Detecting misuses of our tools 

This development led us to the more advanced endpoint detection and response (EDR) systems. EDR systems not only block the known bad but also focus much more on attack behavior, keeping track of standard usage on our computers. This allows us to respond more quickly to abnormal occurrences on our endpoints.

Unsurprisingly, attackers evolved in tandem. This time, not only did they switch up their techniques, but they also switched up their targets. Instead of going after the highly protected enterprise systems, they started going after smaller businesses.  

While many of us might think that smaller organizations would be unattractive to cybercriminals, the contrary is more accurate. In fact, small businesses may be even more enticing. According to Verizon’s 2022 Data Breach Investigations Report, threat actors have a “we’ll take anything we can get” philosophy. What’s worse, when these cybersecurity incidents happen to small companies, they may end up going out of business.

The gap in small business cybersecurity 

Small businesses typically do not have fully staffed cybersecurity teams and are probably running legacy software and antivirus. This makes them softer or easier targets.  

The rewards for cybercriminals may not be as high as when they attack a larger enterprise, but the work and effort levels are significantly lower. In the time it takes for cybercriminals to compromise one enterprise, they may be able to compromise dozens of smaller- to medium-sized businesses (SMBs).  

A method that managed service providers (MSPs) especially need to be aware of is Buffalo Jumping, which allows threat actors to compromise dozens of SMBs at once. Cybercriminals used this method multiple times last year, which we documented in our 2022 Cyberthreat Report for MSPs.

Buffalo Jumping is when an attacker compromises an MSP, which in turn compromises all their customers. When this happens, the attackers can do whatever they want, but from what we’ve observed, they typically deploy ransomware.  

In 2021, 66% of mid-sized organizations experienced a ransomware attack. This is almost double the previous year when only 37% were hit. On top of that, the average ransom payment also went up almost fivefold—from $170,000 in 2020 to $812,000 in 2021.  

This is a significant amount, and for a small business, it could be the difference between survival and going under.  

Challenges in implementing cybersecurity for small business 

Despite the available data, one of the unfortunate challenges we continue to see MSPs facing as they try to deploy more advanced cybersecurity software is the pushback from their clients. Many small businesses say that they don’t need advanced security because they aren’t going to be targeted.  

We now understand that this isn’t the case. It doesn’t matter what size your business is; everyone is a target. And attackers often go after the low-hanging fruit—those without advanced protection or dedicated cybersecurity staff, which is often the status of SMBs. 

So, what can we do about this?  

As IT professionals and security practitioners, we need to prioritize cybersecurity. We need to get better at making everyone understand that when it comes to cyberattacks—nobody is off-limits. Attackers will target anyone they can, and the easier the target, the higher the likelihood that they will be the victim of a cyberthreat. Nothing in cybersecurity is 100%. That’s why protection works best in layers. 

Cybersecurity solutions for small business 

First, it’s typical to protect our endpoints with EDR software.

But what about everything else that can’t be protected with EDR software alone, such as Office 365, network devices, and the network traffic itself? This is where a security information and event management (SIEM) system comes in. It gives us the ability to monitor everything else. We can use the SIEM to bring all the information to one place and, in case of an attack, use that information to determine what occurred and how we can develop better protections against it.

Finally, it is ideal to have a 24/7 security operations center (SOC) to provide continuous monitoring so that they can prevent, detect, analyze, and respond to cybersecurity incidents. But it can be challenging—not to mention costly—to maintain a 24/7 SOC. The good news is that you can explore using a managed SOC to support your security needs.  

The key takeaway here is that SMBs can be lucrative targets for threat actors—even more so than enterprises—because SMBs aren’t often equipped with sufficient cybersecurity. In today’s tech landscape, cybersecurity is a valuable investment for SMBs that want to avoid becoming a victim of cyberattacks.