Information Security Focus: Enterprise vs. SME

Cyber-attacks affect businesses of all sizes. These attacks can range in complexity from isolated malware infections to fully executed APTs (Advanced Persistent Threats). Cyber criminals can be highly indiscriminate of whom they attack; in many cases, they scan for soft targets and breach with automated tools. When necessary, skilled hackers can employ sophisticated reconnaissance for extended periods before launching an highly customized attack. Regardless of the method of ingress, the critical requirement for attack execution is the discovery of a vulnerability – preferably an easily exploitable one.

Large businesses and organizations generally have dedicated security teams and hardware/software solutions to detect and prevent internal and external breaches. They are able to spend large amounts of money to protect their critical data assets, and generally represent a greater challenge to would-be intruders. Small and medium sized businesses, on the other hand, do not have the resources to spend on complex intrusion and prevention systems, or the dedicated staff required to monitor them. As such, a hacker’s “hit rate” will generally be higher in the SMB category. Smaller business are highly interconnected – both to other small/medium-sized business and to major corporations. This interconnectedness is just the type of low-hanging fruit that attackers can use to gain entry into enterprises of any size. This is one reason that the SMB segment is under increasing attack. Consider the following:

• Many vulnerabilities are found simply by scanning with rudimentary tools; this “low-hanging fruit” is generally the first to fall.
• Smaller companies are more vulnerable because their security spend (in terms of hardware, software, and personnel) is necessarily low.
• Small/medium-sized companies are interconnected with each other and with large enterprises.

The facts above provide a compelling ROI proposition for attacking smaller businesses. Easy discovery and penetration combined with the potential of unsecured data of other connected businesses is a winning combination.

The article below highlights some of the points we discussed earlier:

1. Criminals don’t care who they attack – they scan for a target and breach with automated attacks. Low hanging fruit falls first.
2. Smaller companies are more vulnerable because they cannot afford the security spend (in terms of hardware, software, personnel)
3. SME’s are interconnected. A breach at a smaller company can be an inroad into a large enterprise (NOTE: most large breaches are not discovered by the major entity, but by a business associate – vendors and contractors, or the FBI)

http://www.csoonline.com/article/2866911/cyber-attacks-espionage/why-criminals-pick-on-small-business.html

Recent trends and statistics:

• Firms with annual revenues less than $100M cut infosec spend by 20% last year, whereas those between $100M and $999M increased spend by 5% (PwC Global State of Information Security Survey, attached)
• In 2013, 62% of attacks in 2013 were against SMEs (Verizon DBIR 2013)

In brief, the overall trend of cyber-attacks is toward small/medium sized businesses – primarily because they are not as well defended and represent an easy point of entry to into the larger companies with which they do business.

Contact AccuImage, LLC today for information on how our SmartCipher™ suite can help protect your company’s data.