Small businesses often lack the IT staffing resources and expertise that are commonly found in larger organizations. As such, it’s hardly surprising to find that SMB systems--including security systems--may not be configured in quite the way that they should be or may be missing altogether.
In the not-so-distant past, a dearth of skills for cybersecurity (and IT in general) might have been tolerable. Not OK, mind you, but tolerable. This is not to say that small businesses were immune to security threats, but it seems fair to say that smaller organizations were not targeted in the same way as larger companies. Unfortunately for SMB owners, this trend is rapidly changing.
It isn’t that the hackers have suddenly given up on attacking large enterprises and have started going after mom-and-pop businesses instead. Rather, small businesses are now much more at risk than before because attacks are becoming increasingly automated.
One of the biggest reasons why this is happening is because the bad actors are exploiting resources that were intended for a completely different purpose. Cloud services, for example, can be used to launch an attack at scale. While it is true that cloud providers such as Amazon and Microsoft bill their customers for the resources that they consume, these and other providers offer free trials. It’s easy for someone to set up a “burner” account, receive hundreds of dollars worth of free cloud services for opening the new account, and then use the available resources to launch an attack at scale. Yes, the cloud providers try to prevent this from happening, but the providers’ defenses are not perfect.
Another resource that the bad actors exploit is security patch information. When software vendors release a security patch, they are acknowledging that their software contains a security vulnerability. Not only that, but software vendors commonly disclose the very nature of the vulnerability. The bad actors use this information to figure out what types of exploits are likely to be effective against a particular piece of software. If, for example, a software vendor releases a patch for a remote code execution vulnerability, hackers know there is a way to exploit an unpatched version of the software and execute unauthorized code.
Even if one particular hacker isn’t sophisticated enough to figure out how to exploit a known vulnerability, there is strength in numbers: There are countless websites and (and Dark Web sites) dedicated to hacking how-to’s, and Hackers often pool their knowledge.
So with that said, let’s go back to my original point about attacks being automated. If an attacker knows how to detect and exploit a known vulnerability within unpatched software, then the only thing left for the attacker to do is to find instances of the unpatched software. To do so, the attacker may create a bot that scans the Internet looking for the software and attempting to breach any networks where the software is found to exist
The reason why this is such a problem for small businesses is that hackers are no longer targeting a specific victim. Instead, they are casting a wide net and probing for a known vulnerability. Therefore, an attack that is based on the vulnerability is as likely to hit enterprise-class organizations as it is to hit small businesses.
Smaller organizations are increasingly being subjected to the same attacks as major enterprises, simply because of the random and automated nature of the attacks. The No. 1 thing that small businesses can do to avoid being victimized is to keep all software patched and up to date and follow basic security best practices. Automated attacks target the most vulnerable networks. Taking a few basic security precautions will help small businesses avoid falling victim to such attacks.