MY TAKE: ‘Cyberthreat index’ shows SMBs recognize cyber risks — struggling to deal with them

By Byron V. Acohido

Small and midsize businesses — so-called SMBs — face an acute risk of sustaining a crippling cyberattack. This appears to be even more true today than it was when I began writing about business cyber risks at USA TODAY more than a decade ago.

However, one small positive step is that company decision makers today, at least, don’t have their heads in the sand. A recent survey of more than 1,000 senior execs and IT professionals, called the AppRiver Cyberthreat Index for Business Survey, showed a high level of awareness among SMB officials that a cyberattack represents a potentially devastating operational risk.

That said, it’s also clear that all too many SMBs remain ill equipped to assess evolving cyber threats, much less effectively mitigate them. According to the Cyberthreat Index, 45 percent of all SMBs and 56 percent of large SMBs believe they are vulnerable to “imminent” threats of cybersecurity attacks.

Interestingly, 61 percent of all SMBs and 79 percent of large SMBs believe cyberhackers have more sophisticated technology at their disposal than the SMBs’ own cybersecurity resources.

“I often see a sizable gap between perceptions and reality among many SMB leaders,” Troy Gill, a senior security analyst at AppRiver, told me. “They don’t know what they don’t know, and this lack of preparedness often aids and abets cybercriminals.”

What’s distinctive about this index is that AppRiver plans to refresh it on a quarterly basis, going forward, thus sharing an instructive barometer showing how SMBs are faring against cyber exposures that will only continue to steadily evolve and intensify.

I had the chance at RSA 2019 to discuss the SMB security landscape at length with Gill. You can give a listen to the entire interview at this accompanying podcast. Here are key takeaways:

Sizable need

AppRiver is in the perfect position to deliver an SMB cyber risk index. The company got its start in 2002 in Gulf Breeze, Florida, as a two-man operation that set out to help small firms filter the early waves of email spam. It grew steadily into a supplier of cloud-enabled security and productivity services, and today has some 250 employees servicing 60,000 SMBs worldwide.

Last February, Dallas-based email encryption vendor Zix Corp. acquired AppRiver for $275 million, doubling the size of both companies; the merged companies intend to keep focusing on helping SMBs operate more efficiently and securely.

That need is sizable. Cyber criminals in today’s environment have ready access to powerful tools — and innumerable support services — available on the Dark Net to anyone wishing to attempt to plunder businesses.

In the not-so-distant past, only elite hackers had access to high-end, cutting-edge hacking tools.


Today, very sophisticated tools are out there for anyone to use and are being incorporated into a wider variety of malware families. For example, Gill pointed to the EternalBlue exploit that was infamously stolen from the NSA, and then posted publicly, free for anyone to use, by the Shadow Brokers crew. AppRiver has been tracking EternalBlue showing up regularly in malware samples targeting SMBs.

As you might imagine, the harm being caused is material. Following a fire or earthquake, a building and equipment can be replaced. But once digital assets are stolen, they remain in control of the thieves forever.

SMB attackers have long focused on breaching company websites to pilfer business documents and customer information. This can include poisoning a company’s web pages as a means to infect and take control of visitors’ PCs. Many SMBs lack the wherewithal to recover from the long-run consequences of a serious breach. These stark realities are beginning to sink in.

High to very high threat

Index contributors expressed a widely held belief that a data breach can put a company out of business. The survey asked respondents to rate 12 aspects of cybersecurity, ranging from their direct experiences with common types of attacks to their readiness for such attacks, as well as the impact of cyberattacks.

Respondents were asked to rank cyberthreats on a scale of 0 to 100, with “complete cybersecurity confidence and readiness, with zero threats” on one extreme and “complete absence of cybersecurity confidence and readiness, with constant threats” at the other; they collectively assigned a 59.8 index rating, reflecting the belief that cyber threats currently pose a high to very high operational risk.

Other notable findings that will be instructive to track in quarters to come:

• 64 percent of those polled said they believe cyberthreats are prevalent — yet only 37 percent believed they could survive a cyberattack without long-term consequences.

• Only four in ten gave themselves positive ratings in their cybersecurity posture and preparedness. “What that tells me is the majority believe that an attack would be extremely damaging over short- and long-term business plans, but the majority believe they’re underprepared,” said Gill.

• Certain verticals, namely the government and transportation sectors, gave themselves a positive preparedness rating; meanwhile the hospitality, legal and retail sectors were much less positive about their cybersecurity preparedness.

Shifting attacks

Going forward, AppRiver’s index should prove most helpful in shedding light on shifting attack patterns targeting SMBs. In 2017, for instance, SMBs were under tremendous pressure to defend their networks against rapidly morphing ransomware attacks.

In 2018, attackers shifted their focus to refining and deploying banking trojans, which essentially act as spyware. With banking trojans, criminals can exfiltrate any type of data they want – in support of various campaigns to illicitly transfer funds. So far in 2019, we’re seeing another shift back to ransomware, Gill told me.

Criminals also continue to refine a time-honored tactic: using business email as an attack vector. Spear-phishing remains popular, and criminals continue to frequently carry out meticulously planned Business Email Compromise (BEC) attacks, in which an impostor poses as a senior executive and directs a subordinate to wire transfer company funds into an account controlled by the perpetrators.

Growing reliance on cloud-based services and third-party collaborations is only making it easier for threat actors. There are so many more ways to subvert authentication. Years of stolen user names and passwords, and poor password practices, add to this mix.

For example, it is not at all unusual for a Microsoft 365 user to use his or her web portal credentials to log into other systems. That practice improves a threat actor’s chances for success on several levels.

Interloping in email threads is a fresh wrinkle, Gill said. A threat actor can respond to an email thread already in progress, continuing what was a legitimate conversation. The hacker can then easily email a document filled with malware and ask the recipient to take a look. Because nothing appears suspicious, the recipient opens the email and the device or network is compromised.

Boosting awareness of popular hacking tactics of the moment is a key to stopping them. Kudos to AppRiver for coming up with this valuable intelligence-sharing tool. I look forward to the insights this index will provide on an ongoing basis, moving forward. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

