CIO

Small-biz exemptions will threaten large businesses with breach-notification blind spot

Latest Verizon DBIR figures suggest 61 percent of Australia’s security breaches could go unreported under new regime

Small businesses accounted for 61 percent of cybersecurity breaches during 2016 but their exemption from looming mandatory breach disclosure laws could perpetuate a hidden epidemic of unrecognised vulnerabilities and underfunded security strategies, a Verizon security expert has warned as the company releases its 10th annual Data Breach Investigations Report (DBIR).

With so many small businesses targeted during the year – an onslaught led by surges of breaches against financial (which suffered 24 percent of breaches), healthcare (15 percent) and public sector organisations (12 percent) – Verizon’s analysis of 42,068 security incidents and 1,935 confirmed breaches found that commonly highlighted vulnerabilities continued to be exploited by attackers en masse.

Fully 62 percent of breaches involved hacking, for example, and 81 percent of those leveraged stolen or weak passwords; 43 percent involved social attacks and 51 percent included malware, which was installed via malicious email attachments in two-thirds of cases.

The preponderance of ‘low and slow’ attacks, perpetrated by a growing number of professional cybercriminals who have displaced ‘script kiddies’ as primary criminal actors, has increased the proportion of espionage-related incidents, Verizon Enterprise Solutions Asia-Pacific and Japan managing principal for investigative response Ashish Thapar told CSO Australia.

“Cybercrime gangs are really hogging cybercrime,” he said, noting DBIR findings that 73 percent of analysed breaches were financially motivated, 51 percent involved organised criminal groups, and 21 percent involved espionage. “We’re seeing more and more organised operations.”

Many of those operations involved internal actors, who were credited with 25 percent of analysed breaches in a category that surged over the previous year. Yet protecting against threats, whether internal or external, remained a particular challenge for the smaller businesses that comprise particularly high proportions of industries like financial services and healthcare.

“Smaller businesses are not as well resourced and don’t have the expertise” of larger businesses, Aaron Sharp, security consultant with Verizon Enterprise Solutions, warned. DBIR figures noted that small businesses were particularly susceptible to point-of-sale attacks and ransomware, which doubled in prevalence during 2016 and comprised 72 percent of malware incidents in the healthcare industry alone.

“Smaller businesses are probably proportionally hit harder by ransomware attacks because they probably don’t have the enterprise backup to effectively recover from ransomware attacks,” Sharp noted. “If you’re a small business trader and are taken offline whilst dealing with one of these attacks, it could really impact your cashflow.”

Despite the very real consequences for small businesses, they are excluded from the scope of the impending mandatory breach disclosure legislation, introduced via the Privacy Amendment (Notifiable Data Breaches) Act 2017, which only applies to Australian businesses with annual turnover of more than $3m.

Smaller businesses, with revenues below this cutoff, will face no mandatory reporting obligation – which, extrapolating from the DBIR figures, suggests that nearly two-thirds of security breaches will go unreported once the legislation kicks in on 23 February 2018. The extrapolation is rough: the DBIR’s figures are global, and its “small business” category is defined by headcount (fewer than 1,000 employees) rather than by the Privacy Act’s turnover threshold.

This may well focus the new legislative instrument on presumably larger data breaches at larger organisations – but it could also leave those larger organisations problematically uninformed about breaches at smaller suppliers and other organisations within their networks.

That would leave them exposed to laterally-focused breaches that use compromised partners as pivots to attack the larger organisations – as famously happened in 2013, when attackers used network credentials stolen from one of US retailer Target’s HVAC contractors to get into Target’s systems.

Indeed, DBIR figures suggested that 2 percent of breaches involved partners (although the figure was as high as 6 percent within the healthcare industry) and that 27 percent of breaches were discovered by third parties; these figures, however, don’t include cases where partners were hacked as conduits to breach a company they deal with – typically through theft of credentials, which were noted in over half of breaches.

Many small businesses had begun investing in cybersecurity insurance to protect themselves from these and other security incidents, Thapar said, as the insurance industry ramps up its release of small business-focused policies.

Yet while this reactive measure gains ground, proactive guidance for smaller businesses remains thin: “the national Cyber Security Strategy is almost silent on the SMB sector,” Sharp said.

“I understand why they are focused on the big end of town because there can be systemic issues if there is a problem. But the DBIR data is highlighting the threat that SMBs can be impacted too, and that this can have a real impact on the productivity of the national economy.”