The greatest security threats aren't necessarily the most complex. Basic attacks pose the greatest risk to small- and midsized businesses (SMBs) as attackers realize they don't need advanced methods to exploit victims.
This is one of the findings in the 2016 Midmarket Threat Summary Report from the eSentire Security Operations Center (SOC), which detected nearly 5 million attacks across multiple industries. It found SMBs are often victims of cybercriminals seeking low-risk, high-reward targets.
"What we're seeing from the data, the majority of attacks are not sophisticated," says Viktors Engelbrehts, director of threat intelligence at eSentire. "They are really basic, and [attackers] are using basic tools as a means to achieve objectives."
The most frequent threat categories were intrusion attempts, information gathering, and policy violations, which collectively represented 63% of all observed attacks. Intrusions, primarily web attacks, marked the top threat category at nearly 30% of all events.
"It's the most logical entry point apart from users," says Engelbrehts of web intrusions, where attackers have recognized the benefit of a larger attack surface. "It's always easy because you have millions of web applications with poor security controls."
Cybercriminals don't need to use sophisticated malicious code attacks when methods like ransomware can successfully exploit "low-hanging fruit" and web applications are written without security in mind. Only 12% of detected attacks involved malicious code, indicating a growing preference for inexpensive and automated strategies.
Interestingly, this research discovered timing may also affect whether or not your organization is breached. "Seasonal correlation was a surprise," admits Engelbrehts. Attacks rose between March and April, fell in June and July, and picked up again in September and October.
While he could not give a definitive reason for this, Engelbrehts noted there are several factors that could affect timing of attacks. Announcements about a breach, or the prosecution or indictment of cyberattackers, could influence activity.
Rudimentary attacks are expected to remain a threat so long as these techniques are effective. The problem is, cybercriminals know where they're mostly likely to find success -- and their top targets don't know how to defend themselves.
"Unfortunately, security is not generally a strong side," says Engelbrehts of SMBs. "Traditional small businesses don't have resources, don't have personnel, don't have expertise."
Large corporations have been targeted, and many have been breached, for years and can afford the right security measures. Major banks may prove attractive targets but might also require attackers to procure a tremendous amount of resources to be successful.
Businesses that fail to implement basic security best practices will continue to be vulnerable.
Many organizations, driven by a combination of hype and fear, have tried to solve security problems by "checking boxes" in recent years, says Engelbrehts. This tactic provides temporary relief but doesn't work in the long term without a strong foundation.
The answer is in basic security hygiene, he explains. If you're using web servers and web applications, check to ensure you're running the latest version. Realize passwords are guessable and don't use weak or default credentials. Enable two-factor authentication where possible.
"The majority of attacks could have been prevented by applying common best practices," he emphasizes. "That's the key message here."