Source: Unsplash / Freestocks.
There are rarely other opportunities for small and medium enterprises in the game of cyber security. In the U.S., the National Cyber Security Alliance released a 2012 study showing that 60% of SMEs that suffered a cyber incident did not survive longer than the next six months. Although progress has been made in cybersecurity since then, cybercriminals have also become more sophisticated and organized, and it is true that one attack is enough to make a small company definitely out of work. And when they are pulled out, they are rarely left without scars.
SMEs can often show complacency when it comes to cyber security, thinking that only large organizations are at risk or that our remote island of Australia is not a strategic priority for hackers. That may have been true five years ago, but macroeconomic factors have put Australia under more cybercrime radars, and studies show that small organizations with lower levels of preparedness for cyber attacks are the fruit for them.
Digital supply chain on strike
The development of digital services has become quite a prerequisite for small businesses. To stay competitive or create a competitive advantage, most look to digitize at least parts of their organization, including their products, services, internal processes, customer support, and experience. In doing so, SMEs often prefer speed of implementation and neglect aspects of cybersecurity, especially if they have a budget. In the end, they create a digital imprint and property that can immediately become a target of cyber villains.
Just as a physical supply chain is an ecosystem for the production of goods, a digital (or software) supply chain is a digital environment in which millions of business and consumer applications are developed and used worldwide. Hackers are very interested in compromising the software supply chain environment (SSC), because it essentially allows them to cause damage on a larger scale, whether we are talking about attacks or data theft. They enter through weak links in the company’s software development processes.
Get daily business news.
Latest stories, funding information and expert advice. Sign up for free.
Compromising the SSC not only gives them the key to the company’s gems, but also potentially for its entire ecosystem of customers, partners or employees, where they can also wreak havoc.
When hackers compromise a given software supply chain, they can infiltrate malicious code and infiltrate various systems during the construction process.
Basically, the backdoors they create in the supply chain act as an entry point for multiple systems, and they usually create this entry point by identifying the weakest link.
The SolarWinds case is a perfect illustration of the potential damage from a very successful SSC attack.
SolarWinds is an American IT management software company. A well-known group of Russian hackers managed to exploit a vulnerability in one of its software supply chains, which they armed to access the systems of US government agencies and corporations using software including the Ministry of Homeland Security, the Ministry of Finance and Microsoft.
The group managed to spy on and steal information from these organizations for months before it was finally discovered. Their motives were seemingly related to intelligence, and although this motive would probably not apply to small businesses, the mechanism is the same.
More access, more information, more money
So what exactly are these hackers looking for? Their goal is to expand to as many systems as possible by compromising one environment. By gaining access to more systems, they can potentially launch large-scale attacks and keep more companies in the buyout.
Knowledge is power, so hackers more often than not want to steal sensitive company data and information, which they can threaten to sell on the dark web in exchange for money. If they manage to move freely within the company’s system, they can also get the opportunity to demolish them, stopping basic operations. In this scenario, companies pay a double price: a financial loss due to downtime and a ransom to pay hackers for systems that will be restored.
Unfortunately, small businesses usually panic and pay the ransom in order to continue working as quickly as possible and mitigate the financial impact. But it is often too late. Larger companies may be able to withstand such a financial blow, but it is often fatal for small companies. It is worth noting that in many cases of data theft, ransom-paying organizations never actually recover stolen data.
Conclusion
In essence, small businesses should not underestimate their exposure to cyber threats, or underestimate the potential consequences of a cyber incident. In the case of an attack on the SSC, it is also about protecting the entire ecosystem of the organization, and not just about ensuring applications in production.
Developing digital services is great, but it should be done with strong security standards in mind. And for organizations that don’t have enough budgets for technology investment, the government recently launched an incentive to help small businesses in their technology investments in the form of tax breaks by July 2023, which could help add the right security layer over digital developments.
Comments are closed.