The cyberattacks that make news headlines almost always involve global companies with thousands of employees. This makes sense from the perspective of a media organisation trying to engage its audience with cybercrime-related topics. While the idea that cybercrime has increased by 300% since the pandemic began might be hard to grasp, a story involving a household name company like Apple being breached is much more understandable — and likely to gain public attention.
To the casual observer, reporting biases towards large-scale cyberattacks might make it seem like massive organisations are the only ones bearing the brunt of cybercrime’s rise. Unfortunately, this is far from the truth. Research from telecom provider Verizon shows that almost half (43%) of cyberattacks are now targeting small businesses.
However, while enterprises are not the only ones on the firing line, the question of how an organisation’s size impacts the likelihood that threat actors will successfully attack it is still an important one. According to recent research, it does seem like the threat level for larger organisations is rising comparatively fast. While in 2020, enterprises (organisations with more than 1,000 employees) faced a 23% probability of falling victim to a cyberattack, in 2021, this figure almost tripled to 61%.
On one level, the idea that bigger organisations are more vulnerable than their smaller counterparts seems obvious. The greater the number of people working in an organisation, the larger the number of network-connected devices, such as desktops, laptops, and mobile devices, that its security team has to worry about. Unsurprisingly, over 84% of security professionals are sure that an attack will begin at an endpoint.
What’s making things even worse is that threat actors are getting better at compromising endpoints. In a 2021 report from HP, over 79% of IT teams said that they had seen an increase in the number of devices they have had to rebuild each month — a clear sign that hackers are becoming more efficient. Among the IT professionals interviewed, the highest average number of repair reports came from organisations with more than 1,000 staff. This shows not only that endpoints are more vulnerable than ever but also that as endpoint numbers grow, security does not always scale at the same rate.
The biggest threat to endpoint security is users themselves, so having a larger headcount can increase an organisation’s vulnerability further. Real-world phishing campaign simulations conducted by Terranova in 2020 show that over 15% of IT users are now likely to click on a phishing email. Of the almost 1 in 6 people who click on phishing emails, over 67% enter their credentials on the malicious sites they are redirected to. In contrast, in 2019, the same study saw a credential submission rate of only 2%. Whether due to more sophisticated phishing techniques or more digitised working environments, this dramatic increase in phishing success rates indicates that having more employees may compound an organisation’s phishing risk rather than grow it linearly.
Employing more people also increases the risk of other bad security habits, such as “shadow IT,” exposing organisations to even more vulnerabilities. Worryingly, up to 43% of employees rely on this practice, using applications and devices of their own choosing to get their jobs done. For IT teams, this means that visibility into the true extent of their IT suite is often far lower than they think. Case in point: one in five organisations has experienced a breach as a result of shadow IT. It doesn’t help that the more applications are in use, the higher the chances of compromise. Office apps were the most commonly exploited apps in Q3 of 2020.
It is true that the number and variety of potential threat vectors facing an organisation tend to grow with size. However, this doesn’t mean that smaller organisations are any safer, particularly when you take the point of view of cybercriminals picking targets. This situation can be compared to how electricity flows through a circuit.
When designing a circuit, engineers aim to take advantage of the fact that electricity will follow all viable paths, with most current flowing through the path of least resistance. They’ll use resistors, diodes, capacitors, and other means of influencing the resistance of various paths to create scenarios where the right amount of electrical current flows through the right areas. Cybercriminals are a lot like the electrical current in this regard. Target networks are their paths, and security tools are the resistance. This means that cybercriminals will frequently go after organisations with less advanced IT security. Particularly with small and medium-sized organisations now managing ever more extensive and complex IT systems, they are becoming increasingly attractive targets.
Take the uptake of cloud computing, for example. Currently, at least 78% of SMBs have strategically adopted this technology. This is a dramatic increase from the 55% of SMBs who used cloud computing in 2019. Unfortunately, although cloud use has surged, cloud security awareness is lagging. Among organisations that use the cloud, 84% are worried they have already been compromised but do not know it, and almost 30% know they have been hacked already. While organisations have rushed to adopt cloud-based applications and processes, many of them have misconfigured their cloud servers, and few are clear about who is responsible for what when it comes to using public clouds.
Regardless of an organisation’s size, today’s threat level makes finding and remediating vulnerabilities more imperative than ever. For small and large businesses alike, this requires investing in an increasingly scarce and expensive asset — cybersecurity professionals.
In the UK, the Department for Digital, Culture, Media, and Sport estimates that there will soon be an annual recruitment shortfall of at least 10,000 cybersecurity professionals. This drought of individuals skilled in cybersecurity is also being felt at the IT coal face, with over 57% of IT professionals now saying that the cybersecurity skills shortage is impacting their organisation. Because both small and large-scale organisations are accelerating their reliance on digital technologies at a similar pace, this impact is also size agnostic.
Ultimately, this means that while digital transformation is leading to mounting vulnerabilities, both SMBs and enterprises are faced with a critical security question — who within their organisations should deliver on their cybersecurity goals? Because recruiting new security staff looks likely to be a costly and increasingly impossible endeavour, the answer typically lies within an organisation’s existing IT team.
Securing the increasingly complex varieties of endpoints, applications, and server configurations at play in a modern organisation entails maximising what individuals skilled in cybersecurity can do. Yet given that over half (54%) of UK security professionals have left their job because of burnout, few organisations appear capable of utilising lean teams without compromising staff retention.
Solving this problem means giving IT teams a way of doing more with less. Rather than the stacks of disparate tools that are regrettably common across big and small organisations, IT teams need a single comprehensive security platform that can automatically sift through security noise and reduce mundane tasks. At SenseOn, our platform leverages developments in threat triangulation to deliver these capabilities to lean teams in organisations ranging from leading legal firms to boutique real estate developers. Easy to scale, SenseOn acts as another member of the security team, delivering measurably better security at a fraction of the cost.
Although organisations of all sizes are vulnerable to cyberattacks, giving security and IT teams back their capacity to be proactive is something every organisation can benefit from.