Security “evangelist” Stephen Cobb argues that, more than consumers or large companies, small businesses are at risk of cyber crime. Cobb’s article, which appears in SC Magazine, lays out the case that small- to mid-sized businesses (SMBs) represent a “sweet spot” for cyber criminals looking for a pay day or inside information.
Why? In short: they have more money than consumers but less security than larger enterprises. More specifically, while “an SMB is likely to have more money in its bank accounts than a consumer, and more likely to be moving money around (think wire transfers, vendor payments, customer payments),” Cobb argues SMBs are “likely to have fewer security resources with which to protect its networks and system.” The end result is that cyber criminals looking for a target have a strong incentive to focus their resources on smaller businesses.
Cybercriminals are using two methods to target small businesses. First, some criminals employ the “spray and pray” method, sending out mass emails with little to no customization in the hope that some businesses will be fooled into acting on the email. Cobb labels this the “machine gun” approach. One version of this attack involves sending fake invoices to companies, hoping that the finance department will believe the email is real and pay the bill without double-checking its legitimacy. Other criminals are using a more targeted strategy, referred to as the “rifle” approach, going after a specific SMB for a specific reason, such as inside information about the company’s finances or a technical weakness in its IT infrastructure.
Cobb acknowledges that we do not really know how many SMBs experience cyber crime. Companies are almost universally hesitant to publicly discuss such cases, fearing that doing so will undermine the confidence of their customers and partners. Despite the lack of good data, Cobb argues that “every indication we have from talking to SMBs is that the attacks, both rifle and machine gun, are on the rise.”
I agree with both of his points. SMBs’ primary advantage over larger competitors is to do more with less — which often translates into more work with less security. These companies do not have the IT and human resources to be as vigilant as they should be when it comes to cybercrime and are under intense pressure to move fast even when that means being loose with their own security procedures. Finally, SMBs also often do not have a strong enough brand to weather a public admission of being the victim of cyber crime, making them ideal targets for criminals not wanting their activities to be exposed. Small businesses looking to buck the trend and protect themselves against cyber crime will need to be vigilant in maintaining cyber-trained staff with the knowledge and expertise to protect their personal data.
Mike Jones is a researcher, writer, and analyst on national and international security. He lives in the DC area.