Small businesses are new target for criminals as attacks double, report warns

The assault by cybercriminals against big businesses continued this year – 93% of big companies suffered a data breach in 2012, and 78% were attacked by outsiders, according to a report by PricewaterhouseCoopers. But small businesses – those with fewer than 50 employees – are rapidly becoming a target, with attacks by outsiders doubling in one year.

Overall, the cost to British business has tripled in the past year, the report said – with large businesses facing attack every few days, and smaller businesses every few weeks.

“Small businesses used not to be a target, but are now also reporting increasing attacks,” the British report warned, saying that breaches suffered by small businesses had increased nearly by half. This year, 63% of small businesses suffered a security breach – last year, that figure was 41%.

The report, commissioned in partnership with the British government’s Department for Business, Innovation and Skills, based on a survey of 1,400 people, found that attacks by outsiders against small businesses had more than doubled – up to 15% from 7% a year ago.

“Outsider attacks also increased substantially, especially against small businesses,” the report said. “Large organizations still bear the brunt of attacks, with the average company having a serious attack every few days. But, small businesses are rapidly becoming a target too, on average suffering a serious attack once every six weeks.”

The IB Times reported that the sheer number of breaches meant that security spending was rising steadily – to what PWC described as “the highest level ever recorded in this survey.” Companies now spend 10% of their IT budget on security, according to the report.

“Overall, the survey results show that companies are struggling to keep up with security threats, and so find it hard to take the right actions. The right tone from the top is vital – where senior management are briefed frequently on the potential security risks, security defences tend to be stronger.”

ESET Senior Research Fellow David Harley says, “I doubt if there’s any business that hasn’t experienced some sort of breach (which may or may not have been noticed). But some kinds of attack probably work better against small businesses (which don’t usually have dedicated security staff).”

PWC also observed that larger businesses tended to be better at ‘vetting’ third-party companies such as suppliers, saying, “Large organisations are generally more diligent at ensuring third parties have adequate security. For example, they are three times as likely as small businesses to obtain audit rights and twice as likely to carry out penetration testing.”

Many breaches still occur due to staff error – 36% of the year’s worst breaches were due to “human error”, PWC say, and a further 10% due to deliberate misuse of systems.

“There’s a clear payback from investing in staff training. 93% of companies where the security policy was poorly understood had staff-related breaches versus 47% where the policy was well understood,” PWC says.

ESET’s Stephen Cobb explores many of these issues – and some of the pitfalls facing smaller businesses – in a We Live Security post entitled, “Why your small business needs an information security policy.”

Author , We Live Security

  • Jammer

    I've done some work on small networks (<50 or <10) and a lot of the problems are with setting all users with Admin rights. They also use weak, and I mean very weak, passwords for mail and domain logins (allowing SMTP from the internet and not filtered). When you question them why, the response always seems to be "ease of use". Once you tell them that you could access their entire network (create some Ruby/Python scripts) and take ownership of every file/domain account within 10 minutes sitting on a laptop, the look on their face is something for Instagram. Funny enough though, usually their response is we don't care because we don't want to spend the cash, "We have backups", but then explain that backing up to do this all over again won't fix it as there needs to be change! I'm sure you guys would have some horror stories as well, but sometimes you can tell them until you are blue in the face but they just won't listen. ISPs should be responsible for setting passwords on modems/routers as well, but that's another story.

Copyright © 2017 ESET, All Rights Reserved.