Protecting critical infrastructure from cyberattacks has become a growing national concern, but small businesses remain vulnerable and attractive to hackers.

Why it matters: Small to medium-sized businesses (SMBs) face a rising number of threats — and many keep attacks under wraps.

• Ransomware attacks are the most common cyber threats to small businesses, but stolen credentials, phishing emails and malicious texts are other ways that hackers can infiltrate SMBs.

What they’re saying: "Small-business breaches are somewhat the neglected and underreported arena," Sohail Iqbal, chief information security officer for Veracode, tells Axios. "Financially motivated adversaries find SMBs a soft target due to the insufficient security controls and shortage of skilled resources at their disposal."

• "SMBs do not report breaches very often, and they are not the ones making headlines on a national level," Iqbal says.
• "The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture," FBI supervisory special agent Michael Sohn said at a CNBC event in December. "So what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses."

By the numbers: 43% of all cyberattacks target small businesses, according to data Score compiled in 2017. And some reports show the problem getting worse.

• Insurance provider Hiscox's 2022 Cyber Readiness Report found that attacks fell slightly for larger companies in 2021, but at "most other size groupings it has actually increased as the hackers have directed more of their attention to mid- and small-sized businesses."
• Hiscox's report, released last May, found that businesses with 10 to 49 employees saw a nearly fourfold rise in the average number of attacks.

Yes, but: Many small-business owners believe they are not in great danger of a cyberattack.

• A CNBC survey released in the fall of 2021 found that 56% of small-business owners were not concerned about being the victim of a hack in the next 12 months.
• Additionally, 59% said they could quickly resolve a cyberattack and 42% had no plan for responding to an attack.

Between the lines: The prevalence of cyberattacks has been difficult to fully grasp because many, if not most, go unreported.

• Businesses may fear the bad press that reporting a breach might bring. And attackers might leak data or personal records if it's discovered that businesses have contacted law enforcement.
• "Victims — especially businesses — often decide not to report cyber incidents for a variety of reasons, including concerns about publicity and potential harm to the company's reputation or profits," a 2018 U.S. Justice Department Cyber-Digital Task Force report found.

The intrigue: Addressing cyber threats and pushing organizations to report attacks has been an increasingly public effort from the Biden administration, as seen in the touted FBI takedown of the Hive ransomware gang.

• "We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best positioned to reduce risks for all of us," a spokesperson with the Office of the National Cyber Director told Axios.
• "The bottom line is that small businesses should not have to defend themselves on their own," the spokesperson said.

Reality check: Keeping defenses current, whether through business practices or the most up-to-date software, takes time and money. Many SMBs lack the resources to optimize their cybersecurity and instead have to trust in the products or services they use.

• "SMBs' frequency of patching is way behind on most occasions," Iqbal says. "To keep up with the vulnerabilities, patching and refreshing systems periodically requires serious budgets and efforts, a luxury SMBs can't afford."

A report from Trend Micro released yesterday provides some new insights into how small, medium and large cybercrime organizations function.

The big picture: Operating outside of the law can make hacking group structures seem inscrutable. Understanding how they operate on different scales can aid in buttressing defenses against potential attacks.

Driving the news: Trend Micro’s Inside the Halls of a Cybercrime Business report looks at three different hacking groups and uses them as case studies to explore management structures, employee responsibilities and more.

• The report found that small cybercrime businesses typically have one to five part-time employees, lack a defined leader, and have moderate annual revenues.
• Medium-sized organizations have between six and 49 employees, have basic management reporting structures, and earn enough revenue for many employees to be full time.
• The report found that large criminal businesses can have annual revenue of more than $50 million, but are harder to manage, have greater overhead, and are subject to office politics that can cause fragmentation.

The intrigue: According to the report, the larger a cybercrime organization gets, the more it resembles legal businesses of a similar size.

• Using the notorious Conti group as its case study for a large organization, Trend Micro found that the business had a human resources department, with six HR specialists on staff.
• Conti also offered regular performance and retention bonuses.
• Fascinatingly, the report notes that Conti also had an employee-of-the-month program.

What they’re saying: "The criminal underground is rapidly professionalizing — with groups beginning to mimic legitimate businesses that grow in complexity as their membership and revenue increases," Jon Clay, vice president of threat intelligence at Trend Micro, said in a statement.

• "However, larger cybercrime organizations can be harder to manage and have more 'office politics,' poor performers and trust issues. This report highlights to investigators the importance of understanding the size of the criminal entities they're dealing with."

🗓 The Cybersecurity and Infrastructure Security Agency kicked off its Emergency Communications Month on Saturday, encouraging partners to enroll in the agency's free priority telecommunications services. (CISA)

🤔 A surveillance contract between NSO Group and the U.S. government reportedly contradicts the Biden administration's public stance on commercial spyware. (New York Times)

🛍 A CNN investigation found that one of China’s most popular shopping apps, Pinduoduo, contains significant evidence of intrusive malware. (CNN)

🇨🇳 China's government has opened an investigation into U.S. semiconductor company Micron, citing national security threats. (The Register)

🔓 Computer drive maker Western Digital has disclosed a security breach and says it is coordinating with law enforcement. (BleepingComputer)

🤺 Internal clashes are reportedly impacting the Biden administration's cyber goals, leading to the resignation of the country's first national cyber director, Chris Inglis. (Bloomberg)

Nothing has been more fun for me over the past week than watching my many house plants get as excited about spring as I am.

• Hopefully, you can tell by how thrilled I and my newly repotted avocado plant appear to be.
• I'm sure Sam wouldn't mind if you shared some happy plant pics of your own with us 🪴.