Cyberattacks against mid-market companies are growing at an unprecedented rate—but most such businesses are completely unprepared.
A midsize or mid-market business is generally defined as a company with 1,000 to 2,000 employees and annual revenues between $10 million and $1 billion. There are more than 200,000 such businesses in the US, and they account for around one-third of our annual gross domestic product (GDP), according to Dun & Bradstreet’s database of commercially active US firms. That's a healthy portion of our economy, and yet most of these firms seem to have what amounts to digital tissue paper between themselves and a cyber attack.
Security technology provider Coro just completed a study of security preparedness in the mid-market space, and the numbers are truly disturbing. According to Coro's research, midsize businesses were targeted at least 50% more in 2021 than in 2020. Some sectors, notably healthcare and transportation, experienced up to 125% more attacks in that span, and others, including retail and manufacturing, saw increases up to 90%.
The volume of attacks isn't the only thing on the rise. What's really scary is that the sophistication of hacking attempts and the overall attack surfaces have gone up, too. Coro's research shows that compared to 2020, the kinds of attacks being leveled at smaller businesses have spanned the gamut of cyber sliminess, including traditional endpoint malware but also Wi-Fi phishing, insider threats, and especially, ransomware.
Coro says that a big reason smaller companies were targeted more in 2021 is the new normal of hybrid work. This trend has many mid-market companies relying almost entirely on third-party cloud services for productivity software while managing a nearly 100% remote workforce that's also using a large number of unmanaged devices. In other words, your software and data are out on the wild and woolly web, while your endpoints are, well, just about anywhere.
Add to that the scarcity of competent IT security specialists, and it's easy to see why many mid-market companies are adopting the hermit-crab approach to cybersecurity: Keep your head down, and hope the threats just pass you by. This isn't entirely unreasonable, since there are so many more small businesses than enterprises operating today. What are the odds the bad guys will single out your little firm? Well, starting this year, the odds have gotten better, and the attacks have become a lot smarter.
(Chart: courtesy of Coro)
And because most midsize companies lack a security specialist, many aren't even aware of the new threats that face them. For example, Coro's numbers show the volume and types of email attacks have risen 154% between 2020 and 2021, yet only 1% of midsize companies have actual email protection in place. And of those, 88% have their security settings misconfigured relative to current best practices. The more sophisticated or uncommon an attack type is, the worse these numbers become.
A good example is Wi-Fi phishing. This is when the bad guys set up a Wi-Fi router or access point that looks like it's a legit contact point to your company network. Employees connect to the device, and cybercriminals now have access to every packet of data going through it. Most smaller companies don't consider this kind of attack, because it usually involves some on-site criminal presence, either someone outside with a wireless device or even someone who has snuck into the office and planted a fake access point that looks just like a real one.
This is where the hermit-crab mentality can hurt you. Most smaller companies don't consider themselves large enough to warrant such in-person attacks, so they don't protect themselves effectively. Regarding Wi-Fi phishing, Coro says these attacks have increased by a jaw-dropping 203% against mid-market companies with, again, only 1% having any kind of protection in place and a misconfiguration rate within that 1% of around 90%.
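The defensive counterpart to the Wi-Fi phishing scenario above is a rogue access point check: IT keeps an inventory of the radio MAC addresses (BSSIDs) of the access points it actually manages, and a periodic scan from a laptop or sensor flags anything broadcasting the corporate network name from a BSSID that is not in that list, or broadcasting a look-alike name. The following is an added example written for this article, not code from Coro or from the article's author; the SSID `AcmeCorp-WiFi`, the `MANAGED_APS` inventory, the comma-separated scan format and the scan lines themselves are all constructed for illustration, and a real deployment would feed it the output of whatever scanning tool the site uses.

```python
"""Rogue access point check for a Wi-Fi phishing defence.

Added example (not Coro's code). The inventory, SSID and scan records
below are constructed; a real site would export them from its wireless
controller and scanning tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class APObservation:
    ssid: str       # network name as broadcast
    bssid: str      # radio MAC, normalised to lowercase colon form
    channel: int
    rssi_dbm: int   # signal strength seen by the scanner (closer = higher)


# Hypothetical managed inventory: corporate SSID -> authorised BSSIDs.
MANAGED_APS = {
    "AcmeCorp-WiFi": {
        "aa:bb:cc:00:01:10",
        "aa:bb:cc:00:01:11",
        "aa:bb:cc:00:01:12",
    },
}

# Constructed scan output in a simple "ssid,bssid,channel,rssi" format.
# Lines 3 and 4 model a planted device: a strong, unknown radio using the
# corporate name, plus a sibling network whose name differs only by case.
SCAN_OUTPUT = """\
AcmeCorp-WiFi,AA:BB:CC:00:01:10,36,-52
AcmeCorp-WiFi,AA:BB:CC:00:01:11,44,-61
AcmeCorp-WiFi,DE:AD:BE:EF:12:34,6,-40
AcmeCorp-Wifi,DE:AD:BE:EF:12:35,6,-42
GuestNet,AA:BB:CC:00:02:01,1,-70
"""


def normalize_bssid(bssid: str) -> str:
    """Accept AA-BB-CC-.. or AA:BB:CC:.. in any case; return aa:bb:cc:.. form."""
    return bssid.strip().lower().replace("-", ":")


def canonical_ssid(ssid: str) -> str:
    """Collapse case, spaces and punctuation so look-alike names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def parse_scan(text: str) -> list[APObservation]:
    """Parse the constructed CSV scan format into observations, skipping blanks."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, rssi = (field.strip() for field in line.split(","))
        observations.append(
            APObservation(ssid, normalize_bssid(bssid), int(channel), int(rssi))
        )
    return observations


def find_rogue_aps(observations, inventory=MANAGED_APS) -> list[APObservation]:
    """Observations that broadcast a corporate SSID from an unknown BSSID."""
    return [
        obs for obs in observations
        if obs.ssid in inventory and obs.bssid not in inventory[obs.ssid]
    ]


def find_lookalike_ssids(observations, inventory=MANAGED_APS) -> list[APObservation]:
    """Observations whose SSID is not a corporate name but collapses to one."""
    canonical = {canonical_ssid(name): name for name in inventory}
    return [
        obs for obs in observations
        if obs.ssid not in inventory and canonical_ssid(obs.ssid) in canonical
    ]


def audit_scan(text: str, inventory=MANAGED_APS) -> dict[str, list[APObservation]]:
    """Run both checks over raw scan output and return the findings by type."""
    observations = parse_scan(text)
    return {
        "rogue_bssid": find_rogue_aps(observations, inventory),
        "lookalike_ssid": find_lookalike_ssids(observations, inventory),
    }


if __name__ == "__main__":
    for kind, hits in audit_scan(SCAN_OUTPUT).items():
        for obs in hits:
            print(f"{kind}: ssid={obs.ssid!r} bssid={obs.bssid} "
                  f"ch={obs.channel} rssi={obs.rssi_dbm} dBm")
```

Two design points matter in practice. The BSSID comparison is the reliable signal, because an attacker can copy a network name freely but the managed inventory is something only IT controls; the look-alike check catches the cheaper variant where the name is merely close. The RSSI column is kept because an unknown radio that is louder than every managed one is usually inside or right outside the building, which tells the responder where to look first.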
Midsize companies need to accept that the most insidious digital danger facing them in 2022 is that the bad guys actually know who they are.
Coro terms non-targeted attacks "naive," and its research shows these attacks have dropped from 86% against smaller companies in 2020 down to 68% in 2021. Meanwhile, targeted attacks within that same period have grown two- to fourfold. Even more granular than incursions against a specific company are attacks that target a specific role or even a certain person. Against companies without adequate identity management, these attacks have risen from 12% in 2020 to 26% in 2021.
Bottom line: In only one year, the criminals that smaller companies are defending themselves against haven't just gotten smarter—they're now looking at you in particular. Watch your back.
- Karlston