Cyber Crime and the Death of Obscurity

There’s an adage in news broadcasting that goes “If it bleeds, it leads.” Lately, it feels like there are a dozen news stories about malicious cyber-attacks every day, and that’s for one very good reason: businesses are bleeding money.

Industry estimates are placing the global costs of cybercrime for 2023 at $9.5 trillion (with a ‘t’) US Dollars. That number is expected to grow in 2024 by 15 percent to $10.5 trillion, which would make cybercrime the third largest economy in the world, trailing only the United States and China.

“Surely they’ll go after the bigger fish, right?”

What isn’t as obvious is how many of those dollars are coming from Small and Midsize Enterprises (SMEs). Astoundingly, 46% of that $9.5 trillion came from SMEs with fewer than 1,000 employees. Many SME decision makers have traditionally fallen prey to the fallacy that their organization’s comparatively smaller size and revenue numbers, along with their relative obscurity, make them safe. Their line of thinking was similar to the old adage “I don’t have to outrun the bear; I just have to outrun you.”

On the surface, malicious actors targeting SMEs instead of the larger organizations might not make sense. Here’s why they do:

  • Compared to larger organizations, they’re an easier target. SMEs typically have smaller budgets and fewer resources dedicated to establishing, implementing, measuring, and monitoring cybersecurity controls. These controls sometimes include backup infrastructure and best practices, which can protect the availability of an organization’s data in the event of a breach. Larger profits, less effort.

  • Their Attack Surface Area has grown. An Attack Surface Area (ASR) is generally defined as the “number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data.” With the increased reliance on BYOD, Software as a Service solutions, cloud service providers, and cloud-based identity provider solutions, SMEs have significantly increased their ASR.

Even if your organization is under 100 users, your ASR may include assets like:

  • Company employee portal

  • Cloud Service Provider logins (Office 365, AWS, HubSpot, etc.)

  • VPNs (including site-to-site and VPN client software)

  • Physical office keys or badges

  • Company web applications/websites

  • Stolen credentials, including third party and vendor logins (think HVAC providers, accounting partner logins, etc.)

  • IoT devices (smart thermostats, smartwatches, cameras, etc.)

  • Company-owned or personal mobile devices

  • Out-of-date SSL certificates

  • Their data footprint can be much larger than their company footprint. Cloud solutions and providers have made it possible for some small organizations to store massive amounts of data that can be valuable to malicious actors in several ways. If these same small organizations don’t have proper security controls in place, they could find themselves under attack on multiple fronts. There has been a marked increase in “double extortion” attacks where a ransomware event (where the target organization’s data is encrypted) is coupled with data exfiltration (where the organization's data is stolen) and a threat to expose the data. This can lead to fines, litigation, and regulatory penalties that can disrupt or kill a small business.

  • Lack of regulatory oversight. Many SMEs are in industries that do not enforce strong cybersecurity regulations for organizations under a certain size or revenue threshold. This can lead to gaps in their cybersecurity defenses, making them more susceptible to attack.

  • They are connected to bigger targets. SMEs are sometimes targeted because they are the weaker link in a larger supply chain. Malicious actors will penetrate the less stringent cybersecurity measures and practices that are put into place at SMEs to gain backdoor access to larger organizations. This means that well-equipped and sophisticated malicious actors, like nation-state sponsored hackers, could compromise smaller businesses as a route into larger, more secure environments. Since 2020, the number of supply chain attacks utilizing malware has skyrocketed.

  • Weaker organizational/operational policies and procedures. SMEs often don’t have the personnel required to establish, enforce, and maintain security and privacy policies and procedures. This can leave these organizations with control gaps that can be exploited by social engineering campaigns, phishing attacks, and other information-stealing schemes. Malicious actors find it far easier to breach an organization that has no formal policy detailing how terminated employee accounts should be decommissioned or how employees should authorize and validate requested changes to accounting information.

Whatever shall we do?

If your organization is big enough to have a website or a web application, it is likely big enough for malicious actors to find it.

Your business, regardless of its size or maturity, must take steps to secure its data and its environments. Whether this means hiring an IT security professional or outsourcing to a Managed Security Services Provider, the days of doing nothing and hoping for the best are over.
