The line between consumer, small business, and multinational org is shrinking.
2020 narrowed the gap between consumers, small businesses, and multinational organizations. Attacks on smaller groups and individuals are becoming more common, while larger organizations are better equipped to handle attacks.
These relative changes are caused by three large trends. One, consumers are losing more money to Internet Crime. Two, large companies are paying less in damage control, relative to small companies. And lastly, recent cybercriminal activity has begun to focus on numerous targets simultaneously, using a breach in larger orgs to reach smaller companies.
The end result is a rising cost of cybercrime for everyone, with consumers and small businesses taking on significantly more risk than they have before.
Let’s take a closer look at what’s happening.
1. Consumers lost exponentially more money from Internet Crime.
In the first half of the 2010s cybercrime trended upwards, but it trended on a straight line. That has changed dramatically in the last three years.
Source: Federal Bureau of Investigation. Internet Crime Report: 2011–2020. https://www.ic3.gov/Home/AnnualReports
At least for consumers, Covid-19 does not seem to have made a noticeable difference. Last year only continued the trend established in 2018 and 2019.
2. Data breaches cost small businesses almost as much as enterprises.
Defensive and recovery tools are more sophisticated in large organizations even though, from a survival standpoint, these larger organizations need them less. Recent security innovations like AI-driven security and Zero-Trust help not only to reduce the likelihood of a breach but also to compartmentalize successful attacks so that they do less damage.
If you look at the average cost of a breach, you see that companies with under 500 employees paid slightly less than half of what companies with 25,000+ employees paid in 2020. For a company of 250 employees, $2.35 million can be challenging to find. $4.25 million, on the other hand, is hardly felt across 25,000 employees.
IBM Security. (2021). Cost of a Data Breach Report. https://www.capita.com/sites/g/files/nginej291/files/2020-08/Ponemon-Global-Cost-of-Data-Breach-Study-2020.pdf
3. Cybercrime rose significantly for EVERYONE, costing almost $1 Trillion globally.
“Cybercrime is increasing because it pays, it can be easy, and the risk to cybercriminals can be low.”
— McAfee (The Hidden Costs of Cybercrime, 2020)
McAfee, Smith, Z. M., Lostri, E., & Lewis, J. A. (2020, December). The Hidden Costs of Cybercrime. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf
Over the last few years we have seen the scale, scope, and consequent payoff from cybercrime rise. In the last year alone we have seen two of the largest-scale heists of all time. One of these was the SolarWinds Hack. No worries for small businesses there; SolarWinds is an IT management and remote monitoring company. They were the initial target and were leveraged as part of a cyber-espionage operation. Once the initial target was breached, the elite hacker org was able to infect the federal government, utilities, and a list of Fortune 100 organizations.
The Microsoft Exchange Hack hit much closer to most homes. The number of affected small and mid-sized businesses continues to rise even months after the initial vulnerability was discovered. At last count, over 30,000 businesses had been impacted.
In a world where one compromise or vulnerability can result in dozens of breaches in elite organizations, or tens of thousands of breaches in smaller businesses, everyone cares about cybersecurity.
In both cases we see a severe acceleration in scope and damages. These are made possible in part by the “investments” made by last year’s victims, and in part by the increasing convenience and sophistication of software. Technology like BloodHound allows cybersecurity professionals and hackers alike to explore and analyze large networks very quickly, exposing security loopholes without very much human labor. These technologies drive cybercriminal efficiency while the possible gains increase, enticing more malicious actors to prepare for the next opportunity.
What cybersecurity measures do SMBs need?
As a managed service provider with 18 years of experience and proven success, we recommend that Small and Mid-Size Businesses (SMBs) take a proactive stance toward their security. We ourselves have increased our investment in cybersecurity processes and solutions over the last few months in response to the current threat landscape. We would recommend similar preventative actions to every business.
But possibly the most important, easy action you can take is to spread awareness of the increasing threat to SMBs. When everyone cares about cybersecurity, we stop feeding malicious organizations. Starving these orgs is the best way to reduce the threat level.