Are small businesses less likely to be hacked than large enterprises? Does the type of attack differ for these organizations compared to their larger counterparts? In the latest episode of our six-part podcast series, Get IT: Cybersecurity insights for the foreseeable future, you’ll get the answers to these questions plus more insights on how the threat landscape that small businesses operate within requires a different way of thinking.
In episode three, Theo van Wyk, head of cybersecurity at CDW, and Sean Earhard, advanced threat solutions specialist at Cisco Systems Canada, discuss the differences and similarities between small business and large enterprise cybersecurity threats and strategies. Here are some topics they tackle in episode three:
Everyone is at risk
It may be surprising to some, but small businesses are just as likely to be targeted by attackers as large enterprises. It’s not necessarily the organization’s size that is targeted, but rather the software. No matter an organization’s size, user error results in network vulnerabilities that bad actors can exploit, and, to a great extent, most organizations use common software systems.
Small business’ cybersecurity advantage
There are pros and cons in mitigating and remedying cyberincidents for both large and small businesses, but the latter have certain security advantages due to the way they’re targeted.
Looking first to the enterprise level, many large organizations are more susceptible to targeted, tailored and under-the-radar attacks where the prizes are highly valuable data and assets. One example of this is Maze ransomware, where the bad actor picks an environment compiled on a per-target basis and relentlessly attacks, oftentimes selling the infiltration ability to the highest bidder.
In addition, large organizations typically aren’t as agile as their smaller counterparts and can have complex processes and procedures that can fragment response protocols. On the other hand, these organizations do have ample resources which can allow for a multitude of experts and tools to protect infrastructure.
Turning to smaller organizations, opportunistic attacks are the likeliest threat. Attackers typically write ransomware or blast out an email attack, occasionally targeting an entire series of platforms in the hopes of finding a security gap. The advantage for small businesses lies in their size and attack surface area, both of which are much smaller. Fewer devices that are more concentrated, with simpler underlying infrastructure and dynamic processes, make a network easier to secure before and in the event of a cyberincident.
The primary drawback for cybersecurity preparedness and response at small businesses is resource constraints and access to the type of toolsets. While a small business’ dynamic processes may be a cybersecurity boon, an IT professional who wears too many hats could miss important signs of an impending or active breach.
While no two cybersecurity incidents are the same, the fundamental elements in responding to a breach are similar for small and larger businesses.
Looking at organizations that experience ransomware attacks, the crucial first step is containment. The next steps, usually executed in parallel, are beginning the remediation process and examining the affected system to find the root cause. Merely restoring the breached sections of a network, environment, system or assets to a trusted state does not reveal how the attackers infiltrated it in the first place; as such, it’s critical to determine the entry point, attack method and most effective patch. If this isn’t possible, the chances of reinfection from the same ransomware program are extremely high.
When personally identifiable information or customer data are impacted, there are potentially a number of federal, provincial and international government regulations that companies have to consider regardless of their size. For small businesses that may have a generalist IT staff, the twin challenges of finding the root cause and identifying the exact threat, all the while ensuring regulatory compliance, can be prohibitive. A high degree of sophistication and specification is required when it comes to threat hunting, incident response and cyberforensic analysis – resources that many small businesses may not readily have at their disposal.
The impact of cloud-based remote work
There is a very clear divide between where organizations originated and how the pivot to remote work has impacted cybersecurity – including small business networks. For those organizations that already had flexible working policies and were utilizing cloud, the impact has been much less drastic than one might expect. Office-centric organizations, however, likely still have a plethora of data locally on a server.
Office centrism typically means that there were a limited number of remote access toolsets ready to deploy at the onset of the pandemic – and new tools can come with steep learning curves. The rapid push to remote work and the proliferation of IoT, corporate and BYOD devices and vulnerable home Wi-Fi networks have strained cybersecurity and cloud security not optimized for remote access.
At CDW, we’ve seen a strong surge in the number of small businesses that have transitioned to the cloud. While it does make organizations more efficient and maintains business continuity amid the ongoing pandemic, it’s important to remember that transition to the cloud combined with an increased attack surface area increases avenues for attackers. When adopting cloud services, it’s critical to keep cybersecurity in mind.
Discussion instead of fearmongering
Small business employees are just as likely to face security breaches as employees of larger companies. It’s important for every organization – no matter the size – to dedicate part of the onboarding process to breaches and cybersecurity risks. When employees have a sense of where they sit in the chain and what could potentially happen, it promotes understanding, ownership and organizational responsibility. Fearmongering has a detrimental effect and can minimize employees’ emotional response and willingness to learn or participate.
Cybersecurity next steps for small businesses
It’s important to understand the context of what cybersecurity means to a small business. There is a variety of frameworks and toolsets, but the first thing to do is take a step back. Knowing the answers to questions like “what is critical to protect?”, “do you know where that data is?” and “how do your employees work with this incredibly vital information?” should be the starting point. Once you can answer these questions and truly understand what your organization is doing with data, then you can apply appropriate security controls. Otherwise, it’s easy to get overwhelmed and potentially lose your way in a security maze.
It’s also important to consider the time you can dedicate. Small business owners are unlikely to have the hours required to dedicate to cybersecurity, and there is a huge opportunity for you to chain different, automated solutions together to free up employees’ time for other tasks.
Don’t shoehorn your business into a framework or a security model. Instead, take the intent behind the model and ensure you embed it in your organization.
For more insights on the cybersecurity risks for small businesses, listen to episode three now.