Are SMEs a Valuable Target?

Advances in online commerce and payment systems, cloud computing and big data have rendered this world vision entirely obsolete. According to security vendor Symantec1, in 2015, more than half of the targeted attacks (that is, attacks directed at specific, well-known targets, conducted after a thorough surveillance, rather than at random) struck small and medium-sized organizations.

What caused this rapid development?

Increased value of SME-owned data. The fundamental reason behind this shift in perspective is the fact that data owned by small and medium-sized businesses has increased tremendously: SMEs now hold credit card data, valuable customer information such as financial or healthcare data, as well information related to services used by the companies themselves, such as login data or keys for cloud hosting accounts, which can be used as a base for further attacks.

Increased security measures by large organizations. Large organizations have not only the data but also the resources required to protect it. For example, last year, J. P. Morgan’s budget provisioned no less than $500 million for cybersecurity2 – a figure that is dwarfed by the $19 billion destined for investment in cybersecurity by the US Cybersecurity National Action Plan for the FY 2017 budget3. Furthermore, large organizations have the personnel required to implement these measures, as well as a solid base to start from – physically

secure office facilities, training facilities for employees, and several years (or even decades) of accumulated knowledge regarding cybersecurity.

Increased security measures by large organizations. Large organizations have not only the data but also the resources required to protect it. For example, last year, J. P. Morgan’s budget provisioned no less than $500 million for cybersecurity2 – a figure that is dwarfed by the $19 billion destined for investment in cybersecurity by the US Cybersecurity National Action Plan for the FY 2017 budget3. Furthermore, large organizations have the personnel required to implement these measures, as well as a solid base to start from – physically secure office facilities, training facilities for employees, and several years (or even decades) of accumulated knowledge regarding cybersecurity.

Insufficient control over outsourced security activity. Outsourcing security activity is not inherently bad. In fact, even for large organizations, it can be faster and more efficient to outsource cybersecurity strategy and core implementation to a company specialized in this field, as the required know-how is highly domain-specific and difficult to acquire internally. However, many SMEs view outsourcing these activities strictly as a measure that reduces costs, rather than making spending more efficient, and outsource security activities to

unqualified contractors or companies that hire unqualified system administrators. This results not only in reduced security but also means reduced response times in case of crisis. Furthermore, since attackers are usually careful to leave backdoors after a successful attack, once an insecure network has been compromised, it can remain insecure for a long time.

Insufficient control over outsourced security activity. Outsourcing security activity is not inherently bad. In fact, even for large organizations, it can be faster and more efficient to outsource cybersecurity strategy and core implementation to a company specialized in this field, as the required know-how is highly domain-specific and difficult to acquire internally. However, many SMEs view outsourcing these activities strictly as a measure that reduces costs, rather than making spending more efficient, and outsource security activities to unqualified contractors or companies that hire unqualified system administrators. This results not only in reduced security but also means reduced response times in case of crisis. Furthermore, since attackers are usually careful to leave backdoors after a successful attack, once an insecure network has been compromised, it can remain insecure for a long time.

SMEs, which hold increasingly valuable data, are often unable to commit too many resources to protect themselves. They have to carefully account for their spending at critical stages of their growth, and can rarely afford lengthy investigation and legal proceedings. They are the most lucrative targets for the vast majority of cyber-criminals today.

Leave a Reply

Your email address will not be published. Required fields are marked *

0 Comments