Cybercrime goes after these two primary attack surfaces of SMBs.
You’ve probably heard countless terms relating to cybersecurity, but here we are going to focus on just one: attack surface. An “attack surface” is simply the number of possible ways an attacker can get into a device or network and extract data. It’s an especially important measurement for SMBs because most of them think they are too small to be a target. A quick look at their attack surface shows that it is in fact quite large, which increases their exposure to risk.
To provide the proper protection for SMBs, it is important to align your security services with these two primary attack surfaces: devices and people.
The number of devices SMBs use is growing, which results in more gateways for cybercriminals to carry out attacks. Predictions are that by 2020, businesses will account for six billion devices connected to the internet, ranging from laptops and phones to Internet of Things (IoT) devices. This inevitably means that the use of vulnerable operating systems and applications will increase as well.
The #1 threat to devices: hybrid ransomware attacks
A ransomware attack on its own is bad enough. It allows hackers to take control of a device, after which they demand a ransom before you can get control back. Nowadays ransomware is also spread in a hybrid form. A hybrid attack combines ransomware with the capabilities of a worm, so it does not just infect one device but easily spreads through the entire network.
Cyberattacks are becoming more sophisticated every day and are mostly targeted at employees, because they are the weakest link in the digital security chain. In fact, 37% of security breaches can be attributed to human error. Password policies and other safeguards designed to protect people, such as multi-factor authentication, are not standard practice within most SMB organizations.
The #1 threat to people: targeted social engineering
An increasing number of businesses have to deal with advanced social engineering tactics that trick employees into handing over confidential company data. The cybercriminal often contacts employees via email, pretending to be a credible organization such as FedEx, a bank, or even a colleague. Most employees do not have the knowledge to defend themselves against these innovative social engineering attacks.