Apr 4, 2023 - Technology

Cyber threats to small businesses prompt pleas to report attacks

Illustration: Sarah Grillo/Axios

Protecting critical infrastructure from cyberattacks has become a growing national concern, but small businesses remain vulnerable and attractive to hackers.

Why it matters: Small to medium-sized businesses (SMBs) face a rising number of threats — and many keep attacks under wraps.

What they’re saying: "Small-business breaches are somewhat the neglected and underreported arena," Sohail Iqbal, chief information security officer for Veracode, tells Axios. "Financially motivated adversaries find SMBs a soft target due to the insufficient security controls and shortage of skilled resources at their disposal."

  • "SMBs do not report breaches very often, and they are not the ones making headlines on a national level," Iqbal says.
  • "The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture," FBI supervisory special agent Michael Sohn said at a CNBC event in December. "So what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses."

By the numbers: 43% of all cyberattacks target small businesses, according to data Score compiled in 2017. And some reports show the problem getting worse.

  • Insurance provider Hiscox's 2022 Cyber Readiness Report found that attacks fell slightly for larger companies in 2021, but at "most other size groupings it has actually increased as the hackers have directed more of their attention to mid- and small-sized businesses."
  • Hiscox's report, released last May, found that businesses with 10 to 49 employees saw a nearly fourfold rise in the average number of attacks.
  • The FBI’s Internet Crime Report found the cost of cybercrimes to small businesses reached $2.4 billion in 2021.

Yes, but: Many small-business owners believe they are not in great danger of a cyberattack.

  • A CNBC survey released in the fall of 2021 found that 56% of small-business owners were not concerned about being the victim of a hack in the next 12 months.
  • Additionally, 59% said they could quickly resolve a cyberattack and 42% had no plan for responding to an attack.

Between the lines: The prevalence of cyberattacks has been difficult to fully grasp because many, if not most, go unreported.

  • Businesses may fear the bad press that reporting a breach might bring. And attackers might leak data or personal records if it's discovered that businesses have contacted law enforcement.
  • "Victims — especially businesses — often decide not to report cyber incidents for a variety of reasons, including concerns about publicity and potential harm to the company's reputation or profits," a 2018 U.S. Justice Department Cyber-Digital Task Force report found. "Regardless of the reason, lack of reporting is a significant impediment to the Department’s efforts to thwart cybercriminals and to address threats to national security."

The intrigue: Addressing cyber threats and pushing organizations to report attacks has been an increasingly public effort from the Biden administration, as seen in the touted FBI takedown of the Hive ransomware gang.

  • "We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best positioned to reduce risks for all of us," a spokesperson with the Office of the National Cyber Director told Axios.
  • "The bottom line is that small businesses should not have to defend themselves on their own," the spokesperson said.
  • In December, Biden signed the SBA Cyber Awareness Act, which mandates that the Small Business Association file an annual report on the state of the threat landscape and strategies to strengthen cyber defense.

Reality check: Keeping defenses current, whether through business practices or the most up-to-date software, takes time and money. Many SMBs lack the resources to optimize their cybersecurity and instead have to trust in the products or services they use.

  • "SMBs' frequency of patching is way behind on most occasions," Iqbal says. "To keep up with the vulnerabilities, patching and refreshing systems periodically requires serious budgets and efforts, a luxury SMBs can't afford. This is where the adversaries are well aware and take advantage of SMBs."

The bottom line: CISA outlines practices that small businesses can adopt to enhance their security, like mandating strong passwords, auto-updating software and creating a response plan.
