How Cyber-Attack Automation Turned SMEs into Sitting Ducks: And How to Change This

Small and medium-sized enterprises (SMEs) are the backbone of most countries’ economies. According to the World Trade Organization, in developed economies, SMEs represent over 90% of the business population, 60-70% of employment, and 55% of the GDP. Now, these organizations are under a dark and threatening cloud, as they are increasingly becoming the targets of sophisticated cyber-attacks. What has changed? And how should SMEs adapt to this new threat?

A Sudden Change for SMEs – New Cyber-Attack Threats

Historically, sophisticated cyber-criminals went after the big names: large enterprises were targeted successfully, resulting in “mega breaches.” SMEs were typically off the radar of cyber-criminals when it came to ransomware, phishing and other types of threats – until recently. Alarmingly, a recent report showed that 43% of all cyber-attacks target SMEs. Moreover, according to Ponemon’s State of Cybersecurity in SMBs Report, two-thirds of SMEs have experienced a cyber-attack in the last year, and 63% have been victims of a data breach over this period.

Another major threat to SMEs is ransomware. Not only is the financial cost a business-threatening burden (for businesses under 500 employees the average cost of a ransomware attack is $2.5m), but so are the costs in downtime and loss of productivity due to the time-consuming recovery that must follow an attack. Research shows that SMEs remain the top targets for ransomware attacks

The obvious question is why this shift? With SMEs being easier targets, why has it taken this long for cyber-criminals to heavily target them? The answers to these questions lie in the technology used by attackers.

Automation: Not Only for the Good Guys

Automation has enabled businesses to reduce manual work and make processes more efficient, faster and less expensive. It wasn’t long before cyber-criminals began using automation for exactly the same reasons. 

Why is automation such a big deal? Traditional cybersecurity solutions – particularly email security solutions – have to first encounter a threat, then analyze it, then validate that it is indeed a threat, then classify it, and only then can they recognize it the next time they see such a threat, and deal with it. Attacks can now be automated to constantly mutate, meaning that security solutions don’t see the same attack twice. Such attacks thus evade security solutions, which are now scrambling to play catch-up.

Moreover, automation started a process that later on made these attacks cheaper to produce. As a result, it became easier to “spray” these relatively sophisticated attacks widely. In the past this would not have been possible – sophisticated attacks had to be very targeted, required proper research, needed to be manually set up and were therefore also expensive to produce. 

Thanks to automation and AI – leveraged by attackers to learn about targets’ online behavior and create automated phishing campaigns that can be exceptionally challenging to detect – sophisticated attacks can now be highly targeted and launched at scale, with minimal costs. Less “lucrative” victims can be targeted, bringing SMEs firmly into the sights of cyber-criminals. 

Targeting SMEs makes the potential "market" much larger, so it has come as no surprise that attackers shifted to targeting SMEs. 

What SMEs Should Be Thinking to Address Cyber-Attack Automation

A recent Forrester study found that 88% of security professionals expect AI-driven attacks to become mainstream in the near future. 

Attack automation is a new technique with enormous potential to pose novel challenges and thus needs to be treated differently. The old way of doing things is no longer relevant. Clearly, a fresh and effective approach is required.

New, sophisticated attacks aimed at SMEs are produced on a daily or even hourly basis, and research shows that reputation-based security solutions miss many of them. This is the right time to use a different approach for business security – one that is independent of the knowledge of past threats. 

What’s Hot on Infosecurity Magazine?