Contrary to common perception, small and medium-sized businesses (SMBs) are often the target of cyberattacks. That’s understandable, as in the US and UK, they comprise over 99% of businesses, a majority of private sector jobs and around half of earnings. But if you’re an IT or business leader at a smaller organization, how to do more with less is a critical challenge.

With fewer resources to devote to cyber-risk mitigation, the focus must be on effectively prioritizing where they are directed. As the recent ESET SMB Digital Security Sentiment Report found, 69% of SMBs reported a breach or a strong indication of one in the past 12 months, highlighting the need for urgent action.

For this, you need hard data. Where are attackers focusing their efforts? Who are they? And how successful are they being? While there are various sources of such information, one of the most rigorous analyses of the threat landscape is the annual Verizon Data Breach Investigations Report (DBIR). Its latest edition is a gold mine of information that SMBs can use to enhance security strategy.

The 2023 DBIR is based on analysis of 16,312 incidents, of which around a third, or 5,199, were confirmed as data breaches. One of the benefits of this long-running series, now in its 16th year, is that readers can also evaluate current trends against historical patterns. So what’s of interest this edition?

Here are some key takeaways for SMBs:

Attack surfaces converge: Despite their many differences, SMBs and larger organizations are actually becoming more alike, according to Verizon. Increasingly they use the same infrastructure and services, such as cloud-based software, which means their attacks surfaces share more in common than ever before. In fact, in terms of factors like threat actor types, motivations and attack patterns, the report’s authors admit “there is so little difference based on organizational size that we were hard-pressed to make any distinctions whatsoever.” As an example, system intrusion, social engineering and basic web application attacks account for 92% of SMB breaches today, compared with a slightly lower share (85%) in large firms that boast over 1,000 employees. Additionally, 94% of threat actors are external, compared to 89% in large organizations, and 98% of breaches are financially motivated (versus 97%).
External attackers are the biggest threat: Third-party threat actors account for 83% of breaches today overall, rising to 94% in SMB attacks. That’s compared to a 19% of overall breaches where internal actors were responsible, falling to just 7% for SMBs. Interestingly, 2% of SMB breaches could be traced to “multiple” sources, which Verizon claims means a combination of internal, external and partners working in collusion. However, overall insider risk is minimal for smaller firms.
Financial motivation is number one: The vast majority (95%) of breaches are financially motivated, increasing to 98% for SMB attacks. It’s a clear indication that organized crime as opposed to nation states is the top threat to small firms. In fact, espionage accounts for just 1% of SMB breaches.
Humans are the weakest link: The main method of entry into victim networks is stolen credentials (49%), followed by phishing (12%) and exploitation of vulnerabilities (5%). This indicates employees as a persistently weak link in the security chain. In fact, humans play a role in 74% of breaches. This could be due to use of stolen credentials and phishing, or other methods like misconfiguration or misdelivery of sensitive data. This also chimes with the 2022 ESET SMB Digital Security Sentiment Report, which finds a lack of employee cyber-awareness (84%) as the top driver of risk.
Business email compromise (BEC) doubles: The volume of “pretexting” cases (which Verizon says is akin to BEC) doubled across all incidents since the previous DBIR. It has made pretexting a bigger threat than phishing, although the latter is still more prevalent in actual data breaches. In BEC, the victim is tricked into wiring large sums to an attacker-controlled bank account. This type of fraud is another sign of how important the human factor is in attacks. Although there are no SMB-specific stats here, the median amount stolen via BEC has increased to $50,000.
Ransomware remains a top threat as costs surge: Ransomware is now a feature of a quarter (24%) of breaches, thanks to double extortion tactics which mean data is stolen before it is encrypted. That share is not much changed from last year, but Verizon warned that the threat “is ubiquitous among organizations of all sizes and in all industries.” Median costs more than doubled annually to $26,000, although this is likely to be an underestimate.
System intrusion tops attack types: The top three attack patterns for SMB breaches in order are system intrusion, social engineering and basic web app attacks. Together they represent 92% of breaches. System intrusion refers to “complex attacks that leverage malware and/or hacking to achieve their objectives,” including ransomware.

RELATED READING: Toward the cutting edge: SMBs contemplating enterprise security

Using the DBIR to enhance cybersecurity

The question is how you can turn this insight into action. Here are some best practice controls which can help to mitigate system intrusion attacks:

Security awareness and training programs designed to mitigate various threats, including the insider threat.
Data recovery processes which can help in the aftermath of ransomware attacks.
Access control management, including processes and tools to create, assign, manage and revoke access credentials and privileges. This could include multi-factor authentication (MFA).
Incident response management to rapidly detect and respond to attacks.
Application software security to prevent, detect and remediate software flaws.
Penetration testing designed to enhance resilience.
Vulnerability management to help mitigate other threat types such as web application attacks.
Endpoint detection and response (EDR), extended detection and response (XDR) or managed detection and response (MDR), which 32% of SMBs use and another 33% plan to use in the next 12 months, according to ESET.

This is by no means a comprehensive list. But it’s a start. And often that’s half the battle.

In order to learn more about SMBs’ perceptions of cybersecurity, including about where the growing security needs are driving them, head over to the 2022 ESET SMB Digital Security Sentiment Report.