SME’s Are Increasingly Targeted by Rational Cyber Criminals

Cybercrime is becoming a serious existential threat for many small to medium-sized businesses.  Attacks against large organizations get most of the publicity, but for smaller businesses, they can be even more devastating. When some of  the largest corporations in the world cannot protect themselves – then what SME’s possibly do? Criminological crime prevention models can provide very simple but effective solutions.

A fifth of British SME’s report being a victim of cybercrime in the past two years¹. Not only the prevalence but also the cost of SME cybercrime victimization has increased. In a 2019 study by security firm Webroot², 46% of respondents identified cybercrime as something that could put their SME out of business. And it is a reasonable concern. SME’s are now storing increasingly valuable data, the loss of which costs £65,000 to £115,000 on average for small businesses, according to UK government estimates¹.

Recently, the EU’s General Data Protection Regulation (GDPR) has further increased the stakes for SME’s, since IT security breaches that can compromise customer data must be reported to the Information Commissioner’s Office. Many GDPR infringements lead to hefty fines. The GDPR regulation sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. This can also involve expensive investigations and legal fees. 

But for most SME’s – the biggest blow is dealt to the company’s reputation. In another recent UK government survey¹, a third of affected SME’s claim to have lost clients following a data breach, while nine out of ten felt that their reputation had been damaged. 

Rational criminals make rational choices

What can explain the increase of cyber-attacks against smaller businesses? In the field of criminology, crime prevention models based on rational choice theory have been very successfully applied to most types of so-called “white-collar crime”. The majority today’s cyber criminals fit neatly into that category. 

In a study done by Verizon³, 51% of analyzed cybercrimes were committed by organized groups. According to an investigation by Raconteur⁴, these groups often organize in pseudo-corporate structures. The larger ones have more resources at their disposal than most SME’s, some even employing their own call centers to deal with ransomware victims. Smaller criminal organizations often outsource parts of their work to specialized service providers in a vast eco-system of cyber criminals. Countless^5,6 examples of how quickly these organizations have adapted their strategies to the Covid-19 pandemic further illustrate their rational nature. 

The reasons for targeting smaller businesses are clear. Instead of being locked into a never-ending arms race against large corporations who have big war chests to use in their fight against cyber crime, many rational criminals would rather set their sights on SME’s who do not have the time, money or knowledge that is needed to set up formidable defenses. And the increasing value of SME data makes them even juicer targets. 

Rational choices for SME’s

So, what can SME’s do to protect themselves when even some of the biggest corporations have suffered from cyber crime? The good news is that SME’s do not need to compete with these major organizations nor with the cyber criminals of the world in order to vastly decrease their risk of victimization.

Following the rational choice model of crime prevention – they just need to turn themselves into less attractive targets. Or at least less attractive then other organizations. Such measures will not solve the global cybercrime problem, since cybercriminals will just move on to more suitable victims, but they will protect the individual companies who chose to implement them. 

There are several cloud-based or on-premises solutions that can provide even the smallest companies with enterprise-level data protection, acting as a powerful deterrent to outright hacking. Making any rational cyber criminal choose someone else to pick on. With such defenses in place, smaller organizations will only be left with the same weakness as the largest ones – human error, which is the biggest cause of data breaches according to Raconteur¹. This can be strongly mitigated by the consultancy, configuration and staff training offered by Wolberry –  discouraging cyber-attacks by ensuring that the juice isn’t worth the squeeze. 

Contact Wolberry for free professional advice on how you can turn your organization into a less attractive target for cybercriminals. We are helping many organisations in their change in ways of working during Covid and the new normal.

References:

1. How small firms can beat the hackers – Raconteur
2. SMB-MSP_Survey_US.pdf (webroot.com)
3. (PDF) 2020 Verizon Data Breach Investigations Report (researchgate.net)
4. How organised is organised cybercrime? – Raconteur
5. How Cyber Criminals Are Taking Advantage Of COVID-19 – (theonebrief.com)
6. Criminals Have Ramped Up Covid-19 Related Attacks coronavirus NCSC (cybersecurityintelligence.com)