Jacksonville Business Journal: Hackers focused on SMBs: The “Ostrich” Approach doesn’t Work for Cybersecurity

Over the last 6 months, executives across America have been dealing with ramifications from Covid-19 while working to keep their businesses afloat. Adding to the mix of challenges is recent news from the FBI that cybercrime has quadrupled during the pandemic.

Hackers focused on SMBs: The “ostrich” approach doesn’t work for cybersecurityFor small- and medium-sized businesses the spike in cybercrime should be especially concerning. Reports show, these smaller firms often don’t think they’ll be the victim of an attack and therefore don’t properly focus on cyberdefenses or allocate enough resources toward security initiatives. While cybercrime is increasing in general because of the pandemic, hackers are also increasing their focus on small- and medium-sized businesses as targets. Cyberattacks have increased by more than 20% since 2016 on SMBs, according to the Ponemon Institute.

One Florida doctor, for example, was recently hacked and the intruder placed ransom demands on the business and then expanded the attack by using personally identifiable information obtained in the breach to threaten their patients as well, Health IT Security reported.

Doug Goodall, managing director of Emtec Inc., a Jacksonville-based information technology consulting firm, said there are several steps small- and mid-size firms can take to immediately improve their cyberposture. The first step is to pay attention to the issue and educate themselves.

“It’s simply not true that your firm isn’t well-known enough or big enough to become a target,” Goodall said. “Hackers consider small- and mid-size firms especially ripe targets because their defenses are perceived as being weaker than large businesses. Your brand is not the target, your data is. Awareness is important. It’s a mistake to think your chances of being targeted are slim.”

Opportunity is everywhere

As the FBI revelation showed, Covid-19 introduced a huge opportunity for cybercriminals to take advantage of the chaos caused by the pandemic. Many companies pivoted quickly to get employees set up to work remotely from home where home networks and devices are more easily breached. Remote employees are more likely to click on a suspicious link that may seem like a legitimate company update when it’s actually crimeware (i.e. malware or ransomware).

Employees working in their traditional offices are also not immune. In June, an employee at the tax collector’s office for Polk County clicked on what turned out to be a malicious email attachment disguised as an invoice, resulting in a malware attack that affected about 450,000 residents and potentially exposed driver’s license numbers to an anonymous third party, Info Security magazine reported.

“There’s an ever-increasing spiral of threats,” Goodall said. “We want small- and medium-sized businesses to increase their awareness about the trends and the facts that are out there. The hugely disruptive impact of Covid-19 has made the dynamics surrounding cybersecurity even more complex and confusing.”

Economics of hacking

“Large scale hacking incidents are rarely performed by a teenager in his basement trying to score a huge payday”, said Keason Drawdy, a senior cybersecurity solutions consultant at Emtec. On the contrary, the amount of time and resources criminals invest to create, test and deploy crimeware is staggering. There’s fierce competition among criminal organizations in deployment of cyberattacks. There’s an entire sub economy where personal information like driver’s licenses, customer databases, and employee passwords are traded and sold for thousands of dollars in untraceable cryptocurrencies like bitcoin. Many businesses have their data or customer information on the dark web and don’t even know it, he said.

“Your organization has information that’s highly valued within criminal enterprises,” Drawdy said. “A list of customers who buy furniture at a furniture store could be worth $5,000. It doesn’t matter how big your company is when it comes to the economics of hacking. It’s about the value of the data that you hold and all businesses have valuable data that hackers want.”

Drawdy said when it comes to safeguarding technology infrastructure and customer information, a company’s IT department must be 100% right, all the time. A criminal only has to be right 1 time to get what they want from your organization. While a small customer list might go for only $5,000, larger databases could be sold for seven figures, he said.

Insurance carrier Hiscox reported cyber-attacks now cost businesses of all sizes $200,000 on average and 60% go out of business within six months of being victimized.

Mechanics change constantly

Fifty years ago bank heists were carried out by criminals and organized crime through “shakedowns” and “hustles.” Today, those activities are carried out in the cyber landscape through ransomware, malware, SMS phishing and social engineering, said Colwyn Warner, managing director, commercial infrastructure at Emtec.

Artificial intelligence and machine learning are making attacks more efficient and emerging threats such as quantum computing attack traditional encryption. The rise in audio and video deep fakes, which are manipulated digital material that can make people appear to say something they didn’t actually say, are some of the newest threats on the scene driving personalized corporate extortion, he said.

What’s also changed is the way companies do business. Gone are the days where a business interacts only with a business it knows. In a digital world, transactions happen with businesses all over the world, giving an exploiter an avenue to create a cyber entity that looks like a legitimate business relationship. Using artificial intelligence, cybercreations can mimic the behavior of a real business and intercept critical data such as customer banking information and personal data.

Goodall said a trusted partner can help companies and their leadership navigate this constantly changing threat environment. “Something as simple as partnering with a firm to understand your risk score can jump start the right conversations internally about investments and gaps in security posture”, Goodall said.

“Organizations may feel they need a compelling reason to take action,” he said. “What’s more compelling than knowing a cyberattack could put you out of business? An ostrich approach to cyber security – especially in this uncertain world we live in – is no longer a good defense.”

To learn more about how risk score cards can help organizations evaluate their current cybersecurity measures, visit Emtec.

Emtec, headquartered in Jacksonville FL, provides a full suite of cybersecurity services to keep predators out of your network and thwart both internal and external threats that infiltrate.

By Laura Newpoff – Contributor with The Business Journals Content Studio. This article first appeared in Jacksonville Business Journal on August 20, 2020.



Deanna Evers
Phone : 973.232.7897
Email : [email protected]


Bridgenext combines outstanding talent and deep expertise across an expansive set of exceptional solutions to help clients realize their digital aspirations in ways that propel their businesses forward. Its global consulting and delivery teams across the U.S., Canada and India facilitate highly strategic digital initiatives through digital product engineering, automation, data engineering, and infrastructure modernization services, while elevating brands through digital experience, creative content, and customer data analytics services. Connect with us at https://www.bridgenext.com.