The percentage of targeted attacks aimed at small businesses doubled in the first half of 2012, an indication that hackers are dedicating more resources to what they see as the most vulnerable marks, a major security vendor said.
In the first six months of the year, more than a third of targeted attacks on businesses were pointed toward companies with fewer than 250 employees. That was twice the percentage of attacks aimed at similarly sized companies at the end of 2011, Symantec said in its mid-year Intelligence Report.
A targeted attack is one that's tailored to a specific company. Cybercriminals customize malware to particular vulnerabilities and use information gathered publicly -- or stolen from other companies -- to create emails with malicious attachments that have a higher chance of being opened by employees. That type of social engineering has proved successful despite corporate efforts to bolster security training and warn workers away from opening potentially dangerous emails.
Companies in the defense industry are the top targets of such attacks, followed by chemical and pharmaceutical firms and manufacturing companies, respectively. Large companies with more than 2,500 employees remain the most popular targets, however, accounting for 44% of all targeted attacks in the first half of the year, Symantec says.
Hackers are shifting resources toward small companies because those companies often partner with large businesses in fulfilling major contracts. Because smaller companies can be the weakest link in the chain, cybercriminals use them to gain information they can use to penetrate the defenses of their larger partners.
Other factors are also contributing to more attacks on small businesses. More of them are online, interacting with customers on social networks, which increases their visibility to hackers, said IDC analyst Raymond Boggs. In addition, an increasing number of employees are using mobile devices that provide more open doors to hackers.
"It's not quite a perfect storm of bad news for smaller companies, but close to it," he said.
"They (small businesses) are not as prepared, because they don't think they have to be, and that's left them vulnerable," Kevin Haley, director of Symantec's Security Response unit, said Friday.
Small businesses also lack the money of larger companies to buy expensive technology that can bolster defenses. "SMBs (small and medium-sized businesses) tend not to have the resources to implement the same types of security programs large enterprises do," Eric Maiwald, an analyst for Gartner, said in an interview via email.
Small businesses can greatly improve their chances of fending off attacks by just following basic best practices, such as having a process in place to ensure all software is up-to-date and patched. In general, hackers go after known vulnerabilities, so having the latest version of an application goes a long way towards protecting company data.
"They don't have to be genius hackers, because the basic steps to protect themselves are not being taken by a lot of small businesses," Haley said.
In terms of the number of targeted attacks, Symantec blocked an average of 58 a day aimed at small businesses in the first half of the year. Overall, the number of daily attacks on all businesses increased about 24% to around 154.