There are rarely second chances for SMEs in the cyber security game. In the US, the National Cyber Security Alliance published a study in 2012 showing that 60% of SMEs suffering a cyber incident didn’t survive beyond the following six months. While there has been progress in cyber security since then, cyber criminals have also grown more sophisticated and organised, and the truth is that one attack is enough to put a small company definitively out of business. And those that do pull through rarely do so unscarred.
SMEs can often display some complacency when it comes to cyber security, thinking that only large organisations are at risk, or that our remote island of Australia is not a strategic priority for hackers. That may have been true to an extent five years ago, but macroeconomic factors have put Australia on more cyber criminals’ radars, and studies show that small organisations with lower levels of preparedness for cyber attacks are low-hanging fruit for them.
The digital supply chain under fire
Developing digital services has pretty much become a requirement for small businesses. To stay competitive, or create a competitive advantage, most are looking at digitalising at least parts of their organisation, including their products, services, internal processes, customer support and experience. In doing so, SMEs often prioritise speed of implementation, and overlook the cyber security aspects, especially if they are on a budget. In the end, they create a digital footprint and estate that can instantly become a target for the cyber villains.
Just like the physical supply chain is the ecosystem for the production of goods, the digital (or software) supply chain is the digital environment in which the millions of business and consumer apps used around the world are developed. Hackers are taking a keen interest in compromising software supply chain (SSC) environments, because it essentially enables them to inflict larger-scale damage, whether we talk in terms of attacks or data theft. They are getting in through weak links in companies’ software development processes.
Compromising the SSC not only gives them the key to the company’s crown jewels, but also potentially to its whole ecosystem of customers, partners or employees, where they can also wreak havoc.
When hackers compromise a given software supply chain, they can inject malicious code and infiltrate various systems in the build process.
Essentially, the backdoor they have created in the supply chain acts as an entry point to more systems, and they usually create this entry point by identifying the weakest link.
The SolarWinds case is a perfect illustration of the potential damage of a highly successful SSC attack.
SolarWinds is a US IT management software company. A well-known group of Russian hackers managed to exploit a vulnerability in the supply chain of one of its software products, which they weaponised to access the systems of US government agencies and corporations using the software, including the Department of Homeland Security, the Treasury Department and Microsoft.
The group managed to spy on and steal information from these organisations for months before they were finally detected. Their motives were seemingly about intelligence, and even though this motive would likely not apply to small businesses, the mechanism is the same.
More access, more information, more money
So what are those hackers looking for exactly? Their objective is to spread to as many systems as possible by compromising a single environment. By gaining access to more systems, they can potentially launch large-scale attacks and hold multiple companies to ransom.
Knowledge is power, so more often than not, hackers are looking to steal sensitive company data and information, which they can threaten to sell on the dark web in exchange for money. If they manage to navigate freely within company systems, they may also gain the ability to take those systems down, bringing essential operations to a halt. In this scenario, businesses pay a double price: the financial loss from the halt in operations, and a ransom paid to the hackers for systems to be restored.
Unfortunately, small businesses usually panic and pay the ransom to resume operations as quickly as possible and mitigate the financial impact. But it is often too late. Larger companies may be able to absorb this kind of financial blow, but it is often fatal for small companies. It is worth noting that in many cases of data theft, organisations that pay the ransom never actually recover the stolen data.
The bottom line
Essentially, small businesses shouldn’t underestimate their exposure to cyber threats, or underestimate the potential ramifications of a cyber incident. In the case of attacks on the SSC, it is also about protecting an organisation’s whole ecosystem, not just securing the apps in production.
Developing digital services is great, but it should be done with strong security standards in mind. And for organisations that are short on budget for technology investments, the government recently launched an incentive to help small businesses with their tech investments in the form of tax breaks until July 2023, which may be helpful in adding the right security layer on top of digital developments.