The intellectual property of small and medium sized businesses (SMB) has never been more at risk from cyber attacks.

In just the last two years, we have seen a dramatic evolution wherein ultra sophisticated attacks commonly referred to as the Advanced Persistent Threat (APT), which had heretofore been largely confined to nation states and defence establishments, have now become common throughout industry.

APT has begun to focus increasingly on small and medium sized-businesses, which are far less likely to have sophisticated cyber defendes or the staff to run them. A recent study by Symantec revealed that the largest growth area for attacks in 2012 was businesses with fewer than 250 employees.

We are not just dealing with ‘hackers’ any more

The sorts of attacks now broadly used throughout the economy are perpetrated by well-organised, well-funded, highly sophisticated attackers. Ninety-five percent of these attacks are economically motivated and thus squarely in the province of senior management (not just IT) to address the issue.

These attackers commonly use multi-dimensional attack methods in unique combinations based on the surveillance of the particular system that they have decided to attack.

They have at their disposal thousands of custom versions of various malware that are used in tandem with clever social engineering, such as targeting end-users with spear phishing techniques (a technique called ‘whaling’, wherein they go after the ‘big fish’, i.e., C-Level executives, is often used).

People, the real weak link in the cyber defence chain, are often the primary targets, not the networks themselves. This allows attackers to maintain their presence within a system, even if they are initially eradicated via technical means, as they retain access to individuals who they use to reacquire their network targets.

Apr-Jun 2014 Issue

Internet Security Alliance (ISA)