Are SMBs Easy Pickin's for Cyber Criminals?

While cyber attacks on large businesses often make the headlines of tech publications, security company McAfee wanted to know if smaller businesses were any less susceptible to cyber security breaches as a result of their smaller size. So McAfee surveyed 500 companies in the U.S. and Canada that have between 2 and 1,000 employees, and it has just released the results in its study titled "Does Size Matter? The Security challenge of the SMB."

As to just how important reliance on the Internet is to SMBs (small and medium-sized businesses), the study found that:

"SMBs have become very reliant on the Internet, with 92 percent of respondents claiming that online access and availability is very important to the running of their businesses."

The study also found that 21 percent of the businesses that responded claimed to have suffered at least one "IT security attack;" and one third of those businesses had suffered more than four attacks in the last three years. It took 26 percent of businesses a full week to fully recover from their most-recent attacks. Additionally, 21 percent of "businesses surveyed felt that an IT security could put them out of business."

As to SMBs' susceptibility to cyber security breaches, such as viruses, spyware, and hacker intrusions, McAfee concluded:

"There is predominant belief that that SMBs on both sides of the border (and in Europe) are too small to be of any value to cyber criminals, and most SMBs are confident that they are adequately protected by default settings in their IT equipment."

McAfee's overall conclusion, however, is based on a single statistic:

52% don’t think they are well known enough to be a target of cyber criminals

Once the specifics of this sentiment are explored more deeply, however, the numbers start to drop below the 50-percent mark:

  • 46% do not think they could make a cyber criminal money
  • 45% of SMBs do not think they are a valuable target for cyber criminals
  • 44% of SMBs think cyber crime is an issue for larger organizations
  • 35% of SMBs are "not concerned" about being a target of cyber crime
  • 34% don’t think their information has value outside the organization

Credit: McAfee

While the numbers do indicate a sizable percentage of SMBs that might be taking their security for granted, we're not sure that the numbers justify McAfee's sweeping generalization that "SMBs in the United States and Canada are burying their heads in the sand, living with the belief that the small they are the less of target they are to cyber criminals."

A much more likely reason for a laissez-faire attitude and potentially inadequate security protection is the limited amount of time SMBs actually devote to proactively managing security on their networks. As for how much time SMBs devote to this, the largest percentage of respondents (39 percent) said they spent only one hour per week. This at least partially explains why 50 percent of the survey's respondents said that they "typically accept the default settings" on their IT equipment.

As to where the attacks are being targeted, McAfee reports:

"Cyber criminals are increasingly turning their attention to technologies such as Voice over IP (e.g. Skype), smartphone software (Blackberrys) [sic] and new virtual systems. These technologies are being progressively adopted by SMBs as they offer substantial cost-savings and flexibility, making SMBs even more likely to become targets."

The report concludes that SMBs are just as susceptible to cyber attacks as big businesses are. This is a bit of a leap of faith, considering that McAfee provides no hard evidence comparing the percentage of security breaches in large companies versus SMBs. Of course, not all security breaches are reported or made public, and as McAfee points out, "an attack focused on an SMB will often be for a smaller amount (and will therefore be below the radar of organizations like the FBI, who focus on larger crimes)." We agree that SMBs probably need to do more to improve their IT security measures, but we're still not convinced that SMBs are just as lucrative targets as big businesses are--as McAfee would have us believe.
Via:  McAfee
ice91785 6 years ago

This seems that most SMBs are simply arrogant and uneducated when it comes to varying attacks -- granted they probably would not be as targeted as a HUGE corporation or anything but the fact that SMBs make money (a lot or a little) still makes the business a target nonetheless....

It is like me saying since I live in a small town in MN, I don't need to drive my car carefully and will never get in an accident because the majority of accidents occur in NYC....it's just not common sense! Especially now with the increasing variety of potential attacks -- namely the newcomers being cellphones/PDAs being easy targets.........

digitaldd 6 years ago

Yeah, you don't even need to social engineer some SMBs to get valuable info. You can merely call or email people and ask for it; most of the time they'll freely give it to you, no questions asked. I have a friend who does penetration testing for a security firm, and he says the easiest thing to do is find the email address of an executive officer in the company and forge an email from their security team, helpdesk, ops group requesting their login info and someone will always bite and send it.

nECrO1967 6 years ago

It is this mixture of arrogance and ignorance that always gets people into trouble. One of the most disturbing stats is that so many didn't think their data has any value for criminals. I hear this a lot from home users. Almost all businesses, even small ones, have competitors and I am sure they see value in their data. Not to mention the fact that cyber criminals may not even be interested in the data at all. A small company with say 20 computers would make a nice addition to a botnet. Or even as an anonymous way to communicate terrorist plots or other illegal activity. Security is everyone's concern. Period. Any part of the population, business or otherwise, that thinks differently is helping the criminals do their work. Until that changes identity theft and cyber-crime in general will continue to rise. Education is the best tool we have and all the software in the world won't stop cyber crime until that is addressed.

ice91785 6 years ago

[quote user="nECrO1967"] Education is the best tool we have and all the software in the world won't stop cyber crime until that is addressed[/quote]

The problem is people have to be willing to be educated -- generally I would say that 95% of people (once they have a certain mindset) require a HUGE life-altering event to take place before they change their mind to reason with common sense (i.e. a large attack on their small-scale network or perhaps a DoS attempt...)

Something to tie into this -- I regularly have people that "own their own businesses" come into work needing one of their main workstations to be fixed under warranty. I tell them that I have to ship it off and strongly recommend that they back up their data before doing so (most of the time I find out these people have NEVER backed up their data in the first place). Anyway for $100 they gasp and say "no way!! OMG that way too much!". I say fine, ship it off -- lo and behold it comes back with a replaced HDD and there's now a 0% chance to get data back as the repair center destroys bad HDDs for customer privacy. Guess what? These people that scoffed at $100 now tell me that there was 5 yrs worth of data on there, never backed up, that is going to cost their company THOUSANDS of dollars....

I guess $1000 < $100 in their heads -- similar to SMBs and implementing good security within their networks; why pay a relatively smaller amount to make sure attacks are prevented and a network is set up more robust, when you can spend TEN TIMES that amount on repairs after the attack has taken place.....dumb

nECrO1967 6 years ago

Excellent points Ice. I've dealt with the same crap as well. They scoff as well at spending a few hundred to a few thousand dollars for a good backup solution with redundancy because the $99 external hard drive they got on sale is fine for their needs. I guess no one ever told them hard drives sometimes fail and take your data with it. I even had a customer that swore he was fine with his external hard drive for back-ups and when I looked at his setup, he never set up the backup software at all. The hard drive was sitting there not doing a thing. Nada. I guess I should love these people as they keep me in beer nuts.....
