researchHQ’s Key Takeaways:
- As the most common targets of cyberattacks, small and midsized enterprises should make a particular effort to implement an effective endpoint security program.
- Despite the financial hurdles raised by the pandemic, failing to invest in cybersecurity will likely end up costing substantially more in the long run.
- Cost-effective steps to improve security include employee password hygiene and email training, basic encryption and multi-factor authentication (MFA).
Now the prime targets of cybercriminals, SME security teams need to get scrappy while IT budgets are tight.
In July 2020, when employees at Boyce Technologies — a New York–based provider of network technology solutions — logged onto their computers and tried to open files, they got an alarming message. Their data had been encrypted, a tipoff that cybercriminals had breached their network.
The attackers had extracted hundreds of documents, which they were threatening to post to the dark web, according to a report in Cointelegraph, a cryptocurrency and fintech news site, and interviews with several security analysts. In order to restore network access and return Boyce’s files, cybercriminals demanded a ransom.
The attackers — part of the DoppelPaymer gang believed to operate in Russia — knew they were hitting the 150-person company at a critical time. Back in the spring, when New York City was a COVID-19 epicenter, Boyce pivoted from making transit communication systems to making low-cost, FDA-approved ventilators for COVID patients.
Boyce has not commented publicly about whether it paid the ransom and declined to respond to questions for this article. But at the time of the attack, it was shipping several hundred units a day to hospitals around the country. A company in that situation has a tough choice to make, says Larry Ponemon, founder of Ponemon Institute, a cybersecurity and privacy research organization. They must either pay up or endure life-threatening production delays in the middle of a pandemic.
“Sometimes the consequences of not paying are just too high,” says Ponemon. “This was a worst-case scenario, where you could have people dying.” He adds, “When there’s desperation, the bad guys are more likely to get their money.”
Smaller companies, bigger targets
Although cyberattacks on large companies dominate the headlines, small and midsized enterprise firms (SMEs) like Boyce are now the most common targets of attacks. But unlike big companies, which boast sizable IT budgets and remain on high alert for new threats, many smaller organizations aren’t even aware of the threat — a vulnerability that cybercriminals prey upon.
“Many companies think it’s the big companies that get hit,” says Alex Holden, founder of the Wisconsin-based security consulting firm Hold Security. “When they’re attacked, they’re always surprised and wonder, Why us?”
Cybercriminals also target SMEs for another reason: They provide an easy path to an SME’s high-profile customers — so-called supply chain attacks. Several months before the cybercriminal group hit Boyce’s systems, it reportedly found its way into Visser Precision, a Denver-based manufacturer and defense contractor, and stole sensitive data on its customers. These included Boeing, Lockheed Martin, Tesla and SpaceX, according to a TechCrunch report.
Remote work has made the problem for SMEs even worse. Employees who were once in the office on a company-owned device and always connected to the network are now at home, in some cases using a personal device that’s not connected to a VPN or that other members of the household, and lots of other unsecured household devices, also use. Cybercriminals know this — so they are increasingly targeting remote employees and their unsecured endpoint devices. According to a recent report by Malwarebytes, 20% of cybersecurity leaders say they have faced a security breach in 2020 that was the result of a remote worker.
Stop the phishing expeditions
Many SMEs would like to beef up their cybersecurity defenses, but say the pandemic has put up major major financial hurdles. In a September 2020 survey by network security firm Untangle, one-third of SMEs identified the lack of a sufficient IT budget as their greatest challenge to securing their networks, with 38% saying they allocate just $1,000 or less to IT security.