Checkmarx is a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing

SMBs: ‘Too Small To Be A Target’ Thinking Won’t Cut It Anymore

With big name brands like Target and Neiman Marcus getting hit left and right these days, it would be easy to make the assumption that hackers are mostly interested in hacking the big guys, especially with further breached retailers soon to be named. It simply is not the case. Small and medium sized businesses still pose plenty of advantages to hackers.

It’s a double edged sword: Not only can SMB’s be easier or less risky for hackers to hit than large corporations with huge IT departments, but the general public usually won’t hear or pay attention to the news of smaller businesses getting hit. The incidents just aren’t the same caliber and the enormity of the most infamous data breaches – TJ Maxx, Heartland Payment Systems, PlayStation, etc. – dominate in the news and muffle any of the hardships also suffered by stricken SMB’s.

So while we will always hear about the big breaches are going that affect millions of people, just realize that you’re not hearing about the 71% of breaches that affect businesses under 1,000.

This week, network security company Fortinet, published research looking into a frequently hacked industry, especially for SMB’s: The retail sector.  

“Based on findings from an independent U.S.-based survey of 100 SMB retail organizations with less than 1,000 employees, the survey revealed that a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies to keep safe. However, more than one in five retailers (22 percent) are not PCI DSS compliant, and an additional 14 percent don’t know if they are PCI compliant or not.”

Smaller and medium sized businesses have been steadily making the jump to online systems using digital records and more advanced technology, without large IT teams and a more limited security budget. At the same time, hackers are getting smarter and are realizing that SMBs don’t necessarily have the same level of security as bigger companies do.

As a small or medium sized business, you may hold valuable data, from intellectual property information to client names and payment information to account details like usernames and passwords and more. With 70% of hackers financially motivated, there’s a lot of reward a hacker could attain from either using or selling the data they steal, and it makes it more worth it when there’s less of a risk of detection, as there is within many small businesses.

Nearly two-thirds of retailers surveyed said they do have some kind of data disposal policy in place, but 29% have none, and another 12% couldn’t respond whether they do or not.

In a study done by Verizon, researchers found that the most common methods of hacking into smaller businesses are ‘ransomware’ and malicious software, using unpatched vulnerabilities or weak passwords to gain entry into the system before wreaking havoc. Its holes like the 40% of organizations who don’t require employees to change their passwords at least annually that act as open invitations to hackers looking for some cold, hard customer data. One weak password, one stolen laptop, one employee who clicked on an email link thinking they won the lottery and the race is on.

Another troublesome finding was the lack of knowledge respondents had of their states requirements when reporting a breach. Fortinet found that 55% of SMB’s don’t know the requirements set in place in case of a breach, and 40% lack a solid policy for adhering to state requirements. If businesses don’t follow a specified timeline for investigating a breach, they’re opening themselves and their customers at risk of further issues down the line. Not only would customers be unaware of the incident in which their personal and/or financial details could have been exposed, but their loss of trust and loyalty of the organization could do considerable damage in the future. With a minimum average cost of a breach at $1.3 million and the max coming in around $58 million, these aren’t numbers most smaller businesses could throw around easily.  

It wasn’t all bad news though, the study found. The study participants noted that they’d like to learn more about big-data analytics to help both understand customer data better and find enhanced ways of protecting it. There is also a desire for SMB’s to connect their physical security infrastructure to the network for better oversight.  

So while the study doesn’t give the brightest outlook on today’s security infrastructure in SMBs, there is a strong indication of a desire for improvement. It takes more than just wanting to have a secure business, though, and there are lessons to be learned from those mega corporations that do have the 50-man IT team. One thing is clear: hacking technology will continue to evolve and strengthen, so it’s up to SMBs to beat malicious actors at their own game and evolve not only their technology, but the way they protect that technology.

Read the whole study and report here

Jump to Category