There are rarely second chances for SMEs in the cyber security game. In the United States, the National Cyber Security Alliance published a study in 2012 showing that 60% of SMEs that suffered a cyber incident did not survive beyond the following six months. While there have been advances in cybersecurity since then, cybercriminals have also become more sophisticated and organized, and the truth is that one attack is enough to put a small business out of business for good. And when they do recover, it is rarely without scars.
SMEs can often be complacent when it comes to cyber security, thinking that only large organizations are at risk, or that our remote island of Australia is not a strategic priority for hackers. That may have been true to some degree five years ago, but macroeconomic factors have put Australia on the radar of more cybercriminals, and studies show that small organizations with lower levels of cyber-attack preparedness are low-hanging fruit for them.
The digital supply chain under fire
The development of digital services has practically become a requirement for small businesses. To remain competitive or create competitive advantage, most are looking to digitize at least parts of their organization, including their products, services, internal processes, customer support, and experience. In doing so, SMEs often prioritize speed of implementation and overlook cybersecurity aspects, especially if they are on a budget. In the end, they create a digital footprint and heritage that can instantly become a target for cyber villains.
Just as the physical supply chain is the ecosystem for the production of goods, the digital (or software) supply chain is the digital environment in which millions of commercial and consumer applications are developed and used around the world. Hackers are very interested in compromising software supply chain (SSC) environments, because it essentially allows them to inflict damage on a larger scale, whether we’re talking in terms of attacks or data theft. They are entering through weak links in companies’ software development processes.
Compromising the SSC not only gives them the keys to the company's crown jewels, but potentially to its entire ecosystem of customers, partners, or employees, where they too can wreak havoc.
When hackers compromise a given software supply chain, they can inject malicious code and infiltrate various systems in the process of creation.
Basically, the back door they’ve created in the supply chain acts as an entry point to more systems, and they typically create this entry point by identifying the weakest link.
The SolarWinds case is a perfect illustration of the potential damage of a highly successful SSC attack.
SolarWinds is an American IT management software company. A well-known group of Russian hackers managed to exploit a vulnerability in one of their software supply chains, which they used to gain access to the systems of US government agencies and corporations that use the software, including the Department of Homeland Security, the Treasury Department and Microsoft.
The group managed to spy on and steal information from these organizations for months before they were finally detected. Their motives apparently had to do with intelligence, and while this motive probably wouldn’t apply to small businesses, the mechanism is the same.
More access, more information, more money
So what exactly are these hackers looking for? Their goal is to spread to as many systems as possible by compromising a single environment. By gaining access to more systems, they can potentially launch large-scale attacks and hold multiple companies for ransom.
Knowledge is power, so more often than not, hackers are looking to steal sensitive company data and information, which they can threaten to sell on the dark web for money. If they manage to navigate freely within company systems, they can also gain the ability to delete them, halting essential operations. In this scenario, companies pay a double price: financial loss from business interruption and a ransom to pay hackers for system restoration.
Unfortunately, small businesses often panic and pay the ransom in order to resume operations as quickly as possible and mitigate the financial impact. But it is often too late. Larger companies can take this kind of financial hit, but it’s often fatal for small businesses. It is worth noting that in many cases of data theft, the organizations that pay the ransom never recover the stolen data.
The bottom line
Basically, small businesses should not underestimate their exposure to cyber threats or underestimate the potential ramifications of a cyber incident. In the case of SSC attacks, it is also about protecting the entire ecosystem of an organization, not just the applications in production.
Developing digital services is great, but it needs to be done with strong security standards in mind. And for organizations that are tight on budget for technology investments, the government recently launched an incentive to help small businesses with their technology investments in the form of tax breaks until July 2023, which can be helpful in adding an adequate layer of security on top of digital developments.