Small and medium business owners’ prurient interests are being exploited by a surprisingly large population of spear phishers as a growing flurry of attacks compromises SMBs at an alarming rate, the regional CTO of security giant McAfee has warned.
Not only had nearly two-thirds of Australian SMBs been hit by a virus, worm or Trojan over the past 12 months, according to McAfee’s new State of Cybersecurity in Australian SMBs research – but 51.5% had been hit three or more times over the same period.
The repeat victimisation of small companies suggests that despite broad education campaigns about modern cybersecurity threats, most small business owners still click freely on emails offering celebrity pictures, free videos, and the like.
“Spear phishing attacks are not complex, but they work,” McAfee CTO Michael Sentonas tells CSO Australia. “It’s pleasing from one perspective to see that people are a lot more savvy to know these things are happening in the first place.”
“A lot of the attacks are very much opportunistic because they don’t have to be complex,” he adds. “Most people’s networks are being compromised because some of the security basics are not being done. These numbers are very high largely because it’s so easy for attackers to carry out these types of attacks.”
While large enterprises and governments implement sophisticated techniques to filter, analyse and block malware attacks, the report’s results suggest systematic ignorance on the part of SMB owners continues to make them easy prey – particularly when it comes to ransomware, in which malicious code locks systems or encrypts data until a ransom is paid.
While ransomware can be foiled in large businesses by careful backups, small businesses are often proving less than vigilant in protecting their data – and find themselves at the mercy of ransomware operators as a result. Some 30.5% of McAfee respondents said they had been hit with ransomware in the past 12 months, with 36.1% of those afflicted paying cybercriminals to retrieve their data.
“The reason why there’s such a bad problem with ransomware targeting SMBs is because it works, it’s so simple, and there’s a very low risk of getting caught,” Sentonas says.
“Many SMBs find out in very serious circumstances that their backup didn’t work – or that they didn’t have one at all. The human element remains one of the biggest security challenges.”
Indications are that things aren’t going to get any better, with 78% of respondents already running bring your own device (BYOD) policies – and 74% indicating they are either not using protective security measures, or aren’t sure if they are.
Fully a quarter of respondents indicated they already suspect their love of mobiles is going to cause them headaches, naming mobile device security as their #1 challenge for the coming year.
Yet even without mobile security issues, data breaches were taking their toll: 46.5% of respondents had experienced the theft of proprietary information via a data breach, while 23% of those hit by theft had been hit three or more times in the past year.
Robbie Upcroft, SMB lead at McAfee Asia Pacific, wasn’t impressed by the results: “Whether SMBs need education on the kind of threats to their business that are out there,” he said in a statement, “or whether it’s something even more practical, such as a managed service provider taking over their security operations, the sector appears to need all the help it can get.”