Risk & Security

Big Enough to Hack

Poor cyberdefense and a business-critical need to keep operations running have put SMBs squarely in the sights of ransomware hackers.

Kathleen Duffy never expected her business to come to a screeching halt on such a lovely Sunday in March.

Working from home, the CEO of Duffy Group, a 30-year-old executive recruiting firm based in Phoenix, knew her IT systems had experienced email problems the previous week. So, when she couldn’t access company email or data servers over the weekend, Duffy chalked it up to a continuation of the same problems.

But a quick call to her outside IT consultant told her it was far more serious. A hacker in Germany had encrypted all of her company’s files and was demanding a $25,000 ransom to unlock them. Until she complied with the hacker’s request, Duffy Group’s business files and job-candidate records—the heart and soul of her enterprise—would be completely inaccessible.

Take a proactive, data-driven, and continuous approach to managing your exposure with a real-time view of risk.

“Quite literally, our business stopped,” says Duffy, who estimates the incident cost her company $50,000 in lost revenues and IT expenses. “It was really scary. You feel so violated, and you’re thinking: Why me? I’m a good person, and we’re not that large. I mean, you hear about hackers getting $5 million from Colonial Pipeline. Why would they want a couple grand from us?”

Duffy Group employs 35 people and has annual revenue in the single digit millions. Like the CEOs of most small and medium-size businesses (SMBs), Duffy believed that cybercriminals primarily target big companies because they have all the money. Similarly, Colonial, a midsize company with around 850 employees, may not have thought it was big enough to hack, despite the critical role it plays in supplying the Eastern Seaboard with oil. In truth, SMBs are the No. 1 target for hackers because they’re often poorly defended, have meager IT security, and can’t afford to be down for very long.

In short, they are low-hanging fruit.

“Most midsize businesses take an ad hoc approach to security where they only plug gaps when incidents occur,” says Sanjeev Aggarwal, founder of SMB Group, a consulting firm specializing in technology trends in the smaller and midsize enterprise market. “With how aggressively hackers are targeting smaller organizations these days, that’s a real recipe for disaster.”

[Read also: How enterprise is facing up to ransomware]

Before COVID-19 changed business as we know it, the U.S. Small Business Administration reported there were 30.2 million SMBs in the country, employing nearly half the nation’s workforce. (Small businesses are generally those with 100 or fewer employees, while midsize ones usually have 100 to 999.) Of those, about 43% were attacked by cybercriminals in 2019, according to a study of data breaches by Verizon. And the volume of attacks against SMBs is surging, more than quadrupling last year. That’s why experts say small and midsize businesses must step up cybersecurity efforts now—before it’s too late.

Juicy targets

Juan Lorenzana is CEO of SymbiSystems, an IT support company that represents dozens of SMBs and eventually helped Duffy negotiate a reduced ransom payment of $2,800 in exchange for a decryption key to free her data. Lorenzana says the spike in SMB attacks comes down to three things: an increase in the number of assaults exploiting on-premises Microsoft Exchange Server vulnerabilities, the explosion of workers operating remotely with insufficiently secured endpoint devices, and too many hackers sitting around during lockdown thinking up ways to seize corporate data and assets.

Quite literally, our business stopped. You’re thinking ‘Why me? We’re not that large.’
Kathleen Duffy, CEO, Duffy Group
Lorenzana notes that while attack victims may feel singled out by cybercriminals, it’s often not the case. Hackers, he says, use network discovery tools like Angry IP Scanner or Nmap to automatically search blocks of internet addresses looking for vulnerable devices. When found, they launch attacks against the juiciest, easiest, and least risky targets (for them), which often turn out to be SMBs.

“They’re not necessarily singling out any small or medium-size business, but it often ends up feeling that way,” Lorenzana says.

Andre Mintz, chief information security officer for Newport Group, a retirement services provider, offers another perspective. He says the hunt for business targets can be highly specialized.

“Bad actors rarely poke around on the internet, like a rocket ship in outer space looking to see what star they’ll bump into,” he says. “They have skills and affinities that are best suited for specific verticals or disciplines, like financial services, healthcare, or real estate.”

[Read also: The incoming threat: why healthcare organizations must defend against ransomware]

Often, he says, they begin with a business sector that interests them and then drill into a subset of it. In his industry, for example, cybercriminals could specialize in 401(k) retirement accounts.

“There might be hackers, scammers, or fraudsters who are very familiar with the processes and practices of the retirement industry or have broad knowledge of the financial services space, which they’re able to parlay into the compromise or takeover of an individual’s account,” Mintz says. “For instance, when a participant account holder has never logged into their account, some cybercriminals are able to get in there, establish an initial account setup, and define their own answers to security questions designed to protect the account holder from just this sort of thing.”

Other types of attack on SMBs are also gaining ground, says Mintz. “Social engineering,” where criminals con people into giving up confidential information, network access, or valuables, is becoming a more serious problem for smaller companies, he says.

The most common form of social engineering is “phishing,” where criminals trick users into clicking on email or web links that open the door to malicious software or “malware.” But it can also involve someone posing as a company executive, digitally or on the telephone, and coaxing an unsuspecting employee into transferring credentials or funds to a remote location that only they control.

“Midsize businesses are particularly prone to social engineering,” Mintz says, “because they have a lot of busy people wearing multiple hats. People are trusting by nature, and they don’t always realize there’s a bad actor coming at them until it’s too late. Larger organizations, by comparison, train employees to watch for this behavior and tend not to fall for it as often.”

Basic cyber hygiene

In the cold light of day, experts say that no matter how well a midsize business guards against attacks, they will still occur and will eventually succeed. Cybercriminals have become so sophisticated, and change their techniques so regularly, that even the most secure companies struggle to outflank them.

“No matter how much money, resources, or time you commit to cybersecurity, someone always has more capability than you do,” says Lorenzana. “It is impossible to avoid being hacked forever.”

People are trusting by nature, and they don’t always realize there’s a bad actor coming at them until it’s too late.
Andre Mintz, CISO, Newport Group
But that’s not to say there aren’t proactive steps midsize businesses can take to limit exposure and minimize the impact of cyberbreaches.

First, most experts recommend focusing on basic cyber-hygiene to make the business less attractive to hackers: Keep antivirus signatures current. Use network firewalls. Download and install critical security patches without delay. Deploy strong solutions for managing and securing endpoint devices. Employ device encryption wherever possible. Enforce strong password and two-factor authentication policies. And follow the “3-2-1 backup strategy,” where an organization keeps three copies of data on two different pieces of media, one of which sits off-site. This can be hugely beneficial to bringing systems quickly back online in the event of a ransomware attack.

Second, experts strongly recommend shifting to a “zero trust” identity and access model. This is where an organization revokes everyone’s right to access all computing infrastructure. Instead, as Gartner VP analyst Neil MacDonald puts it, “trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.” The zero trust approach is growing in popularity among IT security teams, with 96% calling it critical to their organizations, according to a recent Microsoft survey.

“Zero trust is a way of thinking, not a specific technology or architecture,” says MacDonald in a recent report by Gartner. “It’s really about zero implicit trust, as that’s what we want to get rid of.”

[Read also: Experts share advice for getting started with zero trust for remote infrastructures]

Mintz recommends a third best practice to head off some forms of social engineering: Limit the number of people in an organization who can approve funds transfers.

“That way, if someone tries to convince some employee to move money, they will say, ‘Bob’s the only one who can do that,’ and the social engineering attempt dies.”

Small and midsize businesses are just as vulnerable to cyberattacks as larger organizations, and in many ways are more vulnerable to breaches because their defenses are often weaker and the stakes much higher if their operations are halted, experts say. As such, those who have been through the experience warn that no business can take the threat lightly.

[Read also: 5 ways your company and avoid becoming a headline]

Duffy, for example, notes that even after she made the ransom payment and received a decryption key, it took weeks to get systems fully back online. And some of her company’s data (mostly marketing information) were never recovered.

“I think the more we get it out there that us little people are being attacked, the better prepared everyone will be to guard against such things,” she says. “There are no guarantees best practices will protect you, but they certainly make it much harder for cybercriminals to get your data or assets.”

David Rand
David Rand is a business and technology reporter whose work has appeared in major publications around the world. He specializes in spotting and digging into what’s coming next – and helping executives in organizations of all sizes know what to do about it.