Are SMEs a valuable target?

Advances in online commerce and payment systems, cloud computing and big data have rendered this world vision entirely obsolete. According to security vendor Symantec, in 2015, more than half of the targeted attacks (that is, attacks directed at specific, well-known targets, conducted after a thorough surveillance, rather than at random) struck small and medium-sized organizations.

What caused this rapid development?

Increased value of SME-owned data

The fundamental reason behind this shift in perspective is the fact that data owned by small and medium-sized businesses has increased tremendously: SMEs now hold credit card data, valuable customer information such as financial of healthcare data, as well as information related to services used by the companies themselves, such as login data or keys for cloud hosting accounts, which can be used as a base for further attacks.

Increased security measures by large organizations

Large organizations have not only the data but also the resources required to protect it. For example, last year, J.P. Morgan’s budget provisioned no less than $500 million for cyber-security2 – a figure that is dwarfed by the $19 billion destined for investment in cyber security by the US Cyber-security National Action Plan for the FY 2017 budget3. Furthermore, large organizations have the personnel required to implement these measures, as well as a solid base to start from – physically secure office facilities, training facilities for employees, and several years (or even decades) of accumulated knowledge regarding cyber-security.

Insufficient control over outsourced security activity

Outsourcing security activity is not inherently bad. In fact, even for large organizations, it can be faster and more efficient to outsource cyber security strategy and core implementation to a company specialized in this field, as the required know-how is highly domain-specific and difficult to acquire internally. however, many SMEs view outsourcing these activities strictly as a measure that reduces costs. rather than making spending more efficient, and outsource security activities to unqualified contractors or companies that hire unqualified system administrators. This results not only in reduced security but also means reduced response times in case of crisis. Furthermore, since attackers are usually careful to leave back doors after a successful attack, once an insecure network has been compromised, it can remain insecure for a long time.

SMEs, which hold increasingly valuable data, are often unable to commit too many resources to protect themselves. They have to carefully account for their spending at critical stages of their growth, and can rarely afford lengthy investigation and legal proceedings. They are the most lucrative targets for the vast majority of cyber-criminals today.