Photo by energepic.com from Pexels

Why Small Business is big business for cybercriminals

Alix Kwak
TNK2
11 min read · Nov 30, 2021


For a small business, a cybersecurity incident can be devastating. Why are small businesses so vulnerable? We look at some of the reasons — including how being part of a supply chain creates extra risks for SMEs. By TNK2 co-founders Alix Kwak, Jay Jeong, Elston DSouza and Upling co-founder Peter Thomas.

Out in the Western suburbs of Melbourne, Australia is a hardware and building supplies store that employs five people — the owner, two counter employees who serve mostly trade and some walk-in retail customers, a delivery driver/warehouse and stock control manager and an administrator who looks after payroll, invoicing, accounting and trade accounts.

One day, while reading through a long inbox of messages, one of those employees opens up a seemingly innocuous file attached to an email — ignoring instructions never to open email attachments that come from an unknown source.

The next day the store’s stock inventory and EFTPOS systems start to malfunction.

It takes two days, and ten phone calls to the bank, to get the EFTPOS system up and running. It takes considerably longer to investigate and remedy the incident, reinstall the software, change credentials and install new antivirus software, and longer still to analyse the cyberattack (which turned out to be a piece of malware) and claim on cybersecurity insurance. All of the data on the last months’ orders can’t be recovered.

The financial impact for this SME was many days of staff time to resolve the problem, costing approximately $18,000; $50,000 in lost revenue from trade customers who needed supplies to finish their projects (some of them will never return as customers); the costs of specialist forensic analysis of the incident were $100,000; and fees for an incident response manager amounted to $10,000. Total cost: $178,000.

(Adapted from ‘Cyber Case Studies for SMEs’ by Chubb Insurance).

The example above is fictional but is probably representative of what happens when a Small to Medium Enterprise (SME) becomes a victim of a cybersecurity attack.

Large enterprises — with all their human, technological and financial resources — are much better placed to respond to cybersecurity incidents than the many SMEs that form the backbone of the economy.

SMEs have little time, little expertise and, in the current economic climate — hit hard by COVID-19, with over 60% of them operating in crisis or survival mode — little in the way of financial resources to devote to protecting themselves from the increasing number of cybersecurity attacks that come their way.

SMEs — typically employing a handful of people, and often family-owned and run — make up nine out of ten enterprises in Australia. They account for 33 per cent of Australia’s GDP, employ over 40 per cent of Australia’s workforce, and pay around 12 per cent of total company tax revenue.

For them, the consequences of a cybersecurity incident are very real. There is no CIO, no team of cybersecurity professionals, no risk assessments and no detailed mitigation strategies — unless they have pockets deep enough to pay professionals to help them recover after the fact. They mostly don’t.

And that of course, is why they are easy targets for cybercrime. It’s why over 60% of SMEs have experienced cybersecurity incidents. And it’s why 62% of ransomware attacks in 2020 involved SMEs.

One of the biggest vulnerabilities for SMEs is that they rely on an array of service providers.

A typical SME might use dozens of online services (84% of SMEs have adopted some form of online service) — from websites to banking, payroll, inventory management, purchasing, cloud storage and social media. SMEs have been swept along in a wave of digitalisation. But while that was once seen as a blessing, it can now be a curse when it exposes them to cybersecurity risks.

And an SME, even the smallest microbusiness, is part of a larger supply chain.

Whether you are a small manufacturer, a provider of training and education, are in retail or in construction, you will buy and supply — often providing complex added-value services, and often to and from other SMEs. All of those SMEs also share the same vulnerabilities.

Take the global Petya ransomware attack in 2017. According to this Fortune article, MeDoc — a little-known Ukrainian financial tech company that makes accounting software — was probably the primary source. Hackers breached the company’s systems and compromised a software update that was then pushed to its customers. Petya spread rapidly, eventually to multinational companies. Mark Simos, Microsoft’s Lead Cybersecurity Architect said:

“One of the more unusual aspects of the Petya attack is that it used a supply chain attack to enter target environments instead of phishing or browsing, which are vastly more prevalent methods used by threat actors for most attacks.”

How the Petya attack worked — Microsoft

Many companies have accelerated their digitalisation during the pandemic — the most obvious being retailers who transitioned to e-commerce when their bricks and mortar stores were shuttered.

Because stores were closed and people were forced into lockdowns, customers turned to buying online. To keep pace with demand, retailers scaled up quickly without implementing a comprehensive cybersecurity strategy. This is why e-commerce has been one of the most targeted sectors by cybercriminals.

And for those companies that scaled up — or those that started fresh to surf the wave of increased online consumer demand — it meant reliance on external vendors to build and run their online presences including web hosting, inventory management and payment processing companies, amongst others.

Who is responsible for securing these systems? It turns out that over 60% of companies believe that website designers and website service providers should take responsibility for ensuring cybersecurity. An Australian Cyber Security Centre Small Business Survey observed:

“Cybersecurity has to compete for time and other resources with multiple demands. The ability to outsource to experts is also impacted by financial capacity as well as security needs. If SMBs do outsource, they may not be as protected as they believe.”

But digitalising — especially doing it quickly, and often on a tight budget — isn’t easy, and many companies have failed to appreciate the complexities.

SMEs, in particular, have failed to fully comprehend how difficult it is to integrate their operations with many other, often larger, companies. Effective digitalisation relies on complex, globally distributed and interconnected supply chains that are long, geographically diverse and consist of multiple tiers of outsourcing. SMEs can’t possibly hope to monitor and control what happens in those supply chains.

All of this puts SMEs in a position of vulnerability. And the bigger the firm, the more sophisticated the challenge of digitalisation becomes.

Digital practices become more sophisticated as the size of the firm grows — OECD library

Think about the Kaseya VSA ransomware attack in which hundreds of US businesses were hit by a sophisticated cyberattack that hijacked widely used technology management software from a Miami-based supplier called Kaseya.

The attack was on a Kaseya tool called VSA, used by companies that manage technology for other, smaller businesses. The attackers encrypted the files of those providers’ own customers. Kaseya is plugged into lots of companies’ systems, big and small — over 40,000 of them — many of which had no idea that Kaseya, or VSA, even existed.

So in what specific ways are SMEs vulnerable?

As we talked about in a previous story, cybercrime is now a business.

And like all businesses, it’s about maximising return. Cybercriminals target SMEs because, in comparison to larger organizations that are harder to attack, the reward/effort ratio makes it worth it.

One of the fastest-growing forms of cyberattack on SMEs is ransomware.

Ransomware attacks increased by 15% in 2020. On average, cybercriminals demand over $170,000 from their SME victims and 60% of those SMEs closed as a result of an attack. In Australia in 2020–2021, it was reported that the average loss by an SME was over twice that of large organisations.

Similarly with social engineering.

Leaving aside reputational damage, the average cost of a data breach for an SME was $149,000, and the harvested data can be sold to other malicious actors or exploited in future attacks. For those who are victimised, it is hard to predict how and when breached data will be used again, and hard to detect, as 70% of incidents are discovered by external parties.

Stolen financial information is frequently sold on the dark web. From PrivacyAffairs.com

Hacked social media accounts are traded on the dark web. From PrivacyAffairs.com

Hackers may not only seek financial gain but also access to commercially sensitive information in so-called gateway attacks.

Large organisations often partner with SMEs — whether as service providers, contractors or subsidiaries — and these smaller companies make easier targets for reaching the larger partner’s data or networks. So-called man-in-the-middle attacks target this relationship. A common route is the third-party script — code that a website loads from an external provider to add functionality. If that provider is compromised, cybercriminals can insert legitimate-looking code into the script, turning it into a form of eavesdropping that collects the data flowing between the two parties.

One example is the 2018 Magecart attack on Ticketmaster, which led to a data breach and a GBP1.25M fine. It was probably caused by cybercriminals first targeting a smaller third-party chat-bot provider, Inbenta, in order to access the payment details of Ticketmaster customers. As James Dipple-Johnstone, ICO Deputy Commissioner, said:

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

This shows that while cyberattacks can happen anywhere, it's likely to be at the weakest link(s) in a supply chain.

And that’s often an SME.

An Organization’s Visibility, Understanding, and Control of its ICT Supply Chains (NIST SP.800–161)

So what can SMEs do? How can they protect themselves from becoming the latest victim of a growing wave of cybercrime?

There is a common misunderstanding that cybersecurity is expensive and technically complex.

Most companies have focused on managed security and network security services in the hope that service providers take care of the problem.

But this is not working. Antivirus vendors such as McAfee and Kaspersky do not guarantee 100% protection from all types of malware, and neither do outsourced managed security services. The amount that a typical SME spends on cybersecurity — less than $500 annually — doesn’t buy guaranteed security.

Research suggests that 99.98% of all attacks can be mitigated through two of the simplest possible measures: stronger password management and multi-factor authentication — using a password manager, or a hardware authentication device such as a YubiKey.

And as we have observed before, it's the human part of the cybersecurity equation that causes the most problems.

Sole traders or microbusinesses often blur the personal and professional — you are your business. Scam text messages and phishing emails sent to personal devices become business threats: almost 60% of cyberattacks that targeted SMEs came via phishing emails — but 20% of SMEs aren’t aware of the term ‘phishing’ or what it means. As the report Big cyber security questions for small business: The state of cyber fitness in Australian small businesses says:

“Australian [small businesses] need to better understand the risk and impact of a cyber incident… [they] face the inherent problem of a lack of positive reinforcement for good cyber security practices.”

This report also says:

“The free resources on sites like cyber.gov.au look like they’d be great — but small business owners struggle to apply the lessons to their specific circumstances and set up.”

And this is one of the challenges with one-size-fits-all education and training in cybersecurity, especially for SMEs — it’s hard to apply it to your situation, to your circumstances and your specific challenges.

The boutique corporate furniture retailer has wholly different challenges (and perceptions of them) to the father-and-son electrical contractor; the 20-person road haulage business operating in three states is, and feels, different to a suburban bedroom-business supplier of handmade crafts; and the website designer in a co-working space in the city has different challenges to the one-person picture-framing business in the suburbs.

What makes SMEs vulnerable to risk is not a lack of knowledge — after all, they have all seen the same advice scrolling past in their Twitter, Instagram or LinkedIn feeds, or in the form of government messaging — but habits and behaviours.

When it comes to cybersecurity what we need to focus on is surfacing the errors and mistakes we make as humans — skills-based errors, mistakes and social engineering — and helping SMEs address them.

That’s why at TNK2, we help to identify cybersecurity vulnerabilities and help build more effective knowledge, attitudes and behaviours.

We have developed training and education products to mitigate human cybersecurity challenges. Our CyEd and Upling products are based on sophisticated cybersecurity diagnostics from which we create personalised awareness, training and digital literacy education — all based on behavioural science, nudge theory, gamification and microlearning.

The proprietary software that sits behind CyEd and Upling, the Behavioural Assessment Engine, considers all of those factors, and more, to identify and remedy human risks throughout the entire supply chain and help people become safer — whatever they do and whoever they are.

To learn more, visit us at https://tnk2.com.au

Come back to the TNK2 publication to read more stories.
