Corporate cybercrime is big business, and it gets all the headlines, probably because it costs corporations worldwide somewhere between $375 and $575 billion, according to estimates.
But small business cybercrime is evidently big business as well. Smaller companies have limited resources for security and are, consequently, more vulnerable to attacks. As a result, small business cybercrime is an easier avenue for hackers.
Corporations Less Vulnerable
Corporate cybercrime has become incredibly sophisticated, with cybercrime groups now functioning as well-organized, multi-disciplined and focused crime syndicates.
One of the reasons these groups have developed such sophistication, however, is that their potential targets have developed sophistication in their defenses.
It’s a trickle-down effect, in some ways. Corporate cybercrime is on the rise, yet it’s getting harder to hack big companies, some of which have gone so far as to hire “white-hat” hackers to test their defenses through bug bounty programs.
As a result, hackers are turning to lower-hanging fruit – small business cybercrime. Unfortunately, these companies are providing the building blocks of another growing crime industry.
Cyber security is an afterthought for many small businesses. A lot of small business owners don’t consider themselves too vulnerable at first because they’re so small – they don’t think they’re necessarily on any hacker’s radar.
Also, if you’re a small business, your resources are spread pretty thin. You don’t have a lot of extra money lying around for things that aren’t directly profit-generating. So, your security may be a little lax.
However, cybercriminals are savvy, and they know small businesses tend to be more vulnerable. They make it a point to seek out and target these companies. Without solid security, small companies are leaving themselves vulnerable to attacks.
– Kirk Porter, President of Avitus Technologies
Small Business Cybercrime a Bigger Piece of the Pie
While their bigger brothers may garner all the media hype, smaller businesses represent a larger percentage of the companies subject to attack.
Once again, organizations of all sizes are included among the 855 incidents in our dataset. Smaller organizations represent the majority of these victims, as they did in the last [report].
Like some of the industry patterns, this relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victim, that is; law enforcement is watching and resisting)…
Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell…
Small business cybercrime represents the most common form of cybercrime against companies, and it’s fast becoming the most attractive as well.
…Experts are warning that not only are small businesses now firmly in the crosshairs of cyber-criminals, they are fast becoming their favored target – and are often woefully unprepared.
“SMEs have not historically been the target of cybercrime but in 2015 something drastically changed,” says Toni Allen, UK head of client propositions at the British Standards Institute (BSI).
“The latest Government Security Breaches Survey found that nearly three-quarters (74%) of small organizations reported a security breach in the last year; an increase on the 2013 and 2014 survey. SMEs are now being pinpointed by digital attackers.”
According to the latest statistics released by cyber security firm Symantec, more than half (52.4%) of spear phishing attacks, carried out using fake emails, in December last year were against SMEs, with November showing a massive spike.
Small Business Cybercrime Link to Corporate Cybercrime
Not only that, but small business cybercrime is providing a direct link for criminals to corporate cybercrime.
The information that hackers gather during their attacks against smaller businesses can often be used against larger businesses.
Take contractors, for example. Many companies are turning to specialized contractors to perform some of their business duties. This is most often the case for more administrative-type duties (i.e., duties that relate more to the administration of the business as opposed to the core business function and purpose), of which many may consider security a part.
Corporations are no different in this respect. Many big corporations contract out services to smaller vendors.
If one of these smaller vendors suffers an attack, the hackers could gather either information directly about the corporations the vendor serves or information that could enable them to launch phishing campaigns against those corporations.
For example, if a hacker takes over email accounts at the smaller company, he or she could use those accounts to begin phishing campaigns against the corporation to gather information he or she could then use directly in an attack against the corporation.
No Hiding in Anonymity
Small companies may not think they’re vulnerable to cybercrime because of their size and relative anonymity. Yet they are.
In fact, small business cybercrime is more common than corporate cybercrime. It’s something that every business, no matter the size, needs to address. And quickly, if they haven’t already.