Cyberattacks against the country’s largest companies tend to garner the most press coverage and generate the most cybersecurity anxiety. For example, such high-profile companies as eBay, JP Morgan, Home Depot and Target are often cited as examples of particularly spectacular cybersecurity breaches involving millions of customers. The temptation is to assume that cyberattackers focus primarily on these types of companies, an assumption that can lull smaller companies into a false sense of comfort.
Outgoing SEC Commissioner Luis Aguilar made this point clear in a recent eye-opening article in the Cyber Security Review (which, according to its website, focuses on identifying emerging cyber threats and facilitating information exchange between stakeholders, industry, academia and security experts worldwide).
In his article, Commissioner Aguilar noted the proliferation of cyberattacks at small to midsize businesses (SMBs), which he categorized as those having fewer than 2,500 employees. He also noted that SMBs are often the primary point of entry to large companies, making SMB vulnerability an issue for everyone. In fact, he noted, Target’s cyberattackers are believed to have accessed its network through a small business that Target used for heating and air conditioning services. In his words, large companies are “in effect, a ‘sprawling network’ of interconnected business partners, any one of whom could serve as the vector for a cyberattack,” which is a sobering yet accurate characterization.
Here are a few of his points that I thought were the most interesting:
- Known cyberattacks rose by 48% in 2014.
- 60% of cyberattacks struck SMBs in 2014.
- 33% of SMBs took at least three days to recover from an attack.
- Owners of SMBs handle cybersecurity issues without the assistance of cyber experts more than 80% of the time.
- Companies with less than $100 million in revenues actually reduced their cybersecurity spending in 2014.
- 27% of SMBs have no cybersecurity protocols.
SMBs are easier cybersecurity targets for the reason you would expect: they do not have the resources available to larger companies to invest in the design and maintenance of increasingly sophisticated defenses. Cyberattackers are, of course, aware of this and are using it to their advantage. As a result, this is an issue not only for SMBs, but also for the larger companies that do business with them. The reality, it seems, is that the list of cyber worries just keeps getting longer for everyone.