Experts blast SMBs' “head in the sand” approach to cyber security
From failing to patch exposed VPNs to meeting ransom demands, businesses are playing a role in fuelling the threat landscape
Experts have criticised the lax approach to cyber security that many small and medium-sized businesses (SMBs) adopted prior to COVID-19, and have, to some extent, kept up during the pandemic.
Cyber criminals are increasingly targeting SMBs because they’re becoming more and more aware of the widening gaps in their IT systems, fuelled by a “head in the sand” culture that predates COVID-19. This, according to CEO and founder of the UK Cyber Security Association, Lisa Ventura, manifested in 2020 as an uptick in phishing attempts, malware, ransomware, ‘man in the middle’ attacks and CEO fraud.
She was speaking on a panel hosted by Orange Cyberdefense and joined by the company’s head of security research Charl van der Walt as well as its UK director Stuart Reed. The trio agreed that some SMBs were effectively undermining security efforts by failing to patch newly-adopted technologies, as well as paying ransom demands against the advice of security experts. These attitudes, however, are beginning to shift as SMBs begin to realise they’re just as viable a target as large enterprises.
“Prior to the pandemic, we saw that many small businesses and SMBs had very much a ‘head in the sand’ approach to cyber security, with a lot thinking they didn’t need to take it seriously or even have it on their radar in many cases,” Ventura said.
“But today, with the move to getting everybody working from home quickly last year, from a business continuity perspective, we’re seeing more small businesses and SMBs finally starting to take their cyber security posture much more seriously.”
The rush to support remote workers
Describing the nature of a swelling attack surface, Charl van der Walt pointed to a surge in malware attacks against small businesses last year. This hasn’t historically been the case and has changed to the extent that malware detections in small businesses have now caught up with detection rates in larger organisations.
The essential cyber security toolkit for SMBs
Practical tips for cyber security trainingDownload now
He added that, per employee, we’re seeing more attacks against smaller organisations than in large businesses, which puts to bed this entire “too small to care” debate.
The attack surface also increased in 2020 due to a number of drivers such as the massive shift to remote working, with many UK-based SMBs experiencing cyber security incidents as a result. Alarmingly, according to Lisa Ventura, as many as two in five smaller organisations admitted that they suffered multiple breaches.
These tools, the panel agreed, have suddenly elevated from peripheral services used by a small number of employees to mission-critical systems. Van der Walt observed one business, for example, renegotiating its VPN licenses from just five to 10,000 overnight.
He added there was an immense surge in vulnerability research into remote access tools and VPNs, many of which businesses were rushing to tack onto their IT estates.
Although these relatively young services are now deemed mission-critical, “nobody had the energy or the appetite” to patch them as flaws were discovered and updates released. This resulted in a significant number of attacks.
'Myth-busting' the ransomware surge
One of the most notable changes to the threat landscape in 2020 was a surge in ransomware with research by SonicWall, for example, showing that 121 million attacks were recorded in the first half of 2020 - a 20% increase.
While there’s been a surge in detections, as far as Orange Cyberdefense is concerned these should be attributed this less to the efforts of cyber criminals, and more to the practices of security teams.
Ransomware, Charl van der Walt explained, is a multi-staged attack that comprises network infiltration, reconnaissance, data theft and other forms of monetisation including granting other hackers access to compromised systems.
While Orange Cyberdefense can detect these attacks at any stage, the team only records these attacks as ‘ransomware’ when they detect a final payload and the launch of an encryption event.
Ransomware incidents certainly increased during the pandemic, van der Walt continued, but reports only rose in line with figures for early-stage indicators, including the presence of droppers and downloaders, falling. These figures, therefore, are “not a reflection of the activities of the attacker” so much as they’re “a reflection of the level of focus of our clients”.
“We believe that as everyone was scrambling to deal with the ‘new normal’ what happened was customers were less able, less willing, to respond to early-stage incidents,” he said.
“So when we told them: 'Hey, we’ve detected what looks like an incident', they were less likely to respond to it, and as a result, that attack would evolve and mature into full-blown ransomware.”
Following the first wave, IT teams were responding more readily to early-stage incident reports to confirm the presence of indicators like droppers and downloaders, pushing those numbers up again while recorded ransomware incidents once again fell.
Exposing yourself to future attacks
The panel also echoed the views of the UK National Cyber Security Centre (NCSC) in urging organisations not to pay ransom demands following an attack.
Due to rapid changes to business structures during COVID, gaps were often left in the IT systems of SMBs, giving rise to opportunistic attacks in which hackers would encrypt hundreds of thousands of files and knock customer-facing services offline in the process.
“In many cases,” Lisa Ventura lamented, “we saw that SMBs just simply preferred to pay the ransom instead of dealing with those encrypted files, recovering their IT systems, and this, in turn, created a vicious cycle. So the more that those types of attacks succeeded, the more frequently that they occurred, particularly within SMBs.”
The tendency for businesses to pay ransom demands even gave rise to a new tactic called ‘double extortion’. Prior to encrypting victims’ databases, attackers would first look to extract sensitive data and threaten to publish this information unless a ransom demand was paid. Driven by that fear, many SMBs “would rush to pay that ransomware immediately” to avoid having their data exposed and potentially suffer any reputational damage.
There’s also an argument to suggest that businesses that pay ransomware demands, as well as the insurance companies that compensate them, are consciously funding organised crime, as the former head of the NCSC Ciaran Martin alluded to recently.
Orange Cyberdefense’s UK director Stuart Reed said he was very sympathetic to the temptation to pay up, but that his company’s advice has always been firmly against paying any ransom demands.
“It could be argued that you’re actually funding this cycle of criminal behaviour, albeit inadvertently,” he said. “Certainly, by paying the extortion there is naturally going to be an incentive to use that money-making mechanism time and again.
“The danger is that if you do pay that ransom, firstly, you’ve got the dubious question of whether you get your information back or not or whether the extortionists are going to say true to their word, and there’s no reason they should do.
But if you do get that back, it arguably makes you a target for future attacks because you’re known to be paying out or coming good on demands. So there’s a real danger or risk that you’ll expose yourself further for future attacks.”
Choosing a collaboration platform
Eight questions every IT leader should askDownload now
Performance benchmark: PostgreSQL/ MongoDB
Helping developers choose a databaseDownload now
Customer service vs. customer experience
Three-step guide to modern customer experienceDownload now
Taking a proactive approach to cyber security
A complete guide to penetration testingDownload now