
Security-focused managed service providers (MSPs) know that small to midsize businesses (SMBs) often take a more cavalier approach to cybersecurity than larger organizations. Many believe that because they are small and less well known, they are less likely to draw the attention of cybercriminals.

The message to these companies has always been that, despite their small size, they are just as likely to be targeted, and perhaps more so: they often have fewer protections in place, are more likely to pay in the event of a ransomware attack, and make attractive stepping stones for criminals seeking bigger payouts by pivoting from a small supplier into the larger enterprises it serves.

For example, in the 2014 Home Depot breach, attackers used credentials stolen from a third-party vendor to gain a foothold and ultimately access customer payment card data and e-mail addresses. The previous year, Target Corp. suffered a major breach after attackers stole login credentials from a small third-party HVAC vendor and used that access to reach the big box retailer's network and, from there, its payment systems.

Data from Barracuda reveals some of the ways that smaller firms face a greater danger from email-based cyberattacks than their larger counterparts.

Small firms see 6X the email attacks per mailbox that enterprises do

Email-based attacks are widespread and proliferating. Barracuda’s email threat detection data from June 2023 to May 2024 shows that companies of various sizes have different risk profiles regarding the types of email attacks they face. 

According to the Barracuda data, the largest organizations, those with 2,000 or more mailboxes, received an average of around 7,500 phishing threats over the 12 months. Small firms with fewer than 100 mailboxes received far fewer in total, around 180, in the same period.

Per mailbox, however, the picture inverts: an individual mailbox at the largest firms faced an average of only one attack in 12 months, while a mailbox at the smallest firms saw six.

Why? Several factors could contribute, including flatter organizational structures and the greater likelihood that, in a small company, many individuals hold privileged access to data, applications and networks, which makes any single mailbox a more valuable target.

The type of email attack also varies based on company size. Conversation hijacking and business email compromise (BEC) are consistent regardless of company size – just one to two percent of attacks for the former and between 14 percent and 21 percent for the latter. 

However, smaller companies are much more likely to be targeted by phishing attacks (71 percent for the smallest companies, 41 percent for the largest) and extortion (seven percent compared to two percent). This could be because smaller companies are less likely to have robust email security in place.

42 percent of email attacks on large companies were lateral phishing

Larger firms face far more lateral phishing, in which an attacker who has already compromised an internal account uses it to send phishing mail to colleagues. Because the message comes from a genuine internal sender, it carries the trust of that sender's real address and bypasses the reputation checks that stop much external phishing. Around 42 percent of email attacks detected for the largest companies were lateral phishing, compared to 2 percent for the smallest companies. This may be because larger companies are a more valuable target and offer large distribution lists of employees who already receive a high volume of email, in which one more internal message stands out less.

For MSPs, knowing the differences between the threats companies face based on size can open opportunities for more nuanced conversations about which security measures clients should invest in. By discussing the high frequency of phishing attacks targeting their employees and the specific types of emails they might receive, MSPs can help SMBs recognize the need for more advanced threat detection and security technology.

Some specific strategies and technologies can help MSPs direct smaller clients to the proper cybersecurity hygiene practices. Those include: 

  • User education and training tailored to the threats these clients are likely to face. Security awareness should cover not just the latest and most common threats but the widespread phishing scams SMBs are most often targeted with and how to recognize them. Where possible, MSPs can also help these companies tighten their structure so that fewer employees hold privileged access and privileges are scoped to roles.
  • Artificial intelligence (AI) and machine learning (ML) based detection should be part of the security mix. These tools can quickly spot unusual email activity, such as a sudden change in a sender's volume, recipients or links that indicates an account takeover, and trigger automated response to stop the attack before it spreads. The email solution should monitor internal mail as well as inbound and outbound traffic, since lateral phishing never crosses the perimeter.
  • Implement multifactor authentication (MFA), so that stolen credentials alone do not grant access, along with edge protection and zero-trust strategies to help keep data and applications safe.
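As an added illustration of the "unusual email activity" the second bullet refers to, here is a small baseline-deviation detector that flags the lateral-phishing pattern described earlier: a compromised internal account that suddenly mails many colleagues with a lure link. This is example code written for this page, not Barracuda's product logic; the message records, domains, thresholds and helper names (`build_baselines`, `score_window`, `demo`) are all constructed for the example.

```python
"""Baseline-deviation detector for lateral phishing / account takeover.

Added illustrative example; not Barracuda's product code. All message records,
domains, thresholds and helper names are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Set

INTERNAL_DOMAIN = "example.com"  # assumption: the protected tenant's mail domain


@dataclass
class Message:
    sent: datetime
    sender: str
    recipients: List[str]
    link_domains: List[str] = field(default_factory=list)


@dataclass
class Baseline:
    daily_recipients: float          # mean distinct internal recipients per active day
    link_domains: Set[str] = field(default_factory=set)


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def build_baselines(history: List[Message]) -> Dict[str, Baseline]:
    """Learn per-sender normal behaviour from a past window of internal mail."""
    per_day: Dict[str, Dict] = defaultdict(lambda: defaultdict(set))
    domains: Dict[str, Set[str]] = defaultdict(set)
    for m in history:
        if not is_internal(m.sender):
            continue
        per_day[m.sender][m.sent.date()].update(r for r in m.recipients if is_internal(r))
        domains[m.sender].update(d.lower() for d in m.link_domains)
    return {s: Baseline(mean(len(rs) for rs in days.values()), domains[s])
            for s, days in per_day.items()}


def score_window(window, baselines, *, burst_factor=5.0, min_recipients=10):
    """Flag internal senders whose recent mail looks like a hijacked account.

    A sender is flagged only when two independent signals coincide: a volume
    signal (recipient burst, or no sending history at all) and a content
    signal (links to a domain this sender has never used). Legitimate bulk
    senders such as HR trip neither, so they stay quiet.
    """
    recips: Dict[str, Set[str]] = defaultdict(set)
    new_domains: Dict[str, Set[str]] = defaultdict(set)
    for m in window:
        if not is_internal(m.sender):
            continue  # inbound mail is handled by other controls
        recips[m.sender].update(r for r in m.recipients if is_internal(r))
        known = baselines[m.sender].link_domains if m.sender in baselines else set()
        new_domains[m.sender].update(d.lower() for d in m.link_domains if d.lower() not in known)

    alerts: Dict[str, List[str]] = {}
    for sender, rset in recips.items():
        reasons = []
        base = baselines.get(sender)
        if base is None:
            reasons.append("no sending history (dormant or service account)")
        elif len(rset) >= min_recipients and len(rset) > burst_factor * base.daily_recipients:
            reasons.append(f"recipient burst: {len(rset)} vs baseline {base.daily_recipients:.1f}/day")
        if new_domains[sender] and len(rset) >= min_recipients:
            reasons.append("never-seen link domain(s): " + ", ".join(sorted(new_domains[sender])))
        if len(reasons) >= 2:
            alerts[sender] = reasons
    return alerts


def demo() -> Dict[str, List[str]]:
    """Constructed sample: five days of normal history, then one suspicious day."""
    users = [f"user{i}@{INTERNAL_DOMAIN}" for i in range(60)]
    day0 = datetime(2024, 5, 1)
    history = []
    for d in range(1, 6):
        t = day0 - timedelta(days=d)
        history.append(Message(t, f"alice@{INTERNAL_DOMAIN}", users[:2], ["sharepoint.example.com"]))
        history.append(Message(t, f"bob@{INTERNAL_DOMAIN}", users[2:5]))
        history.append(Message(t, f"hr@{INTERNAL_DOMAIN}", users[:40], ["benefits.example.com"]))
    window = [
        # alice's account now blasts a "document review" lure to 25 colleagues
        Message(day0, f"alice@{INTERNAL_DOMAIN}", users[:25], ["docusign-review.xyz"]),
        # HR's usual all-staff mail: large but normal, known link domain
        Message(day0, f"hr@{INTERNAL_DOMAIN}", users[:45], ["benefits.example.com"]),
        # bob is chattier than usual but within the burst factor, and sends no link
        Message(day0, f"bob@{INTERNAL_DOMAIN}", users[:12]),
        # a never-seen internal service account mailing a login lure to 15 users
        Message(day0, f"svc-scan@{INTERNAL_DOMAIN}", users[30:45], ["login-portal.example.net"]),
        # inbound external mail is out of scope for this detector
        Message(day0, "vendor@partner.example.org", users[:3], ["partner.example.org"]),
    ]
    return score_window(window, build_baselines(history))


if __name__ == "__main__":
    for sender, reasons in demo().items():
        print(sender, "->", "; ".join(reasons))
```

Running the sample flags alice's account and the service account while leaving HR's all-staff mail alone, which is the point: volume by itself is a poor signal inside a company, so the detector requires a behavioural deviation and a content deviation to coincide, and it only works if internal-to-internal mail is visible to it at all.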

By engaging in informed conversations with clients about the specific security threats they face, MSPs can highlight how company size affects vulnerability to attacks. This tailored approach allows MSPs to address the unique needs of businesses of all sizes. Ultimately, it can lead to increased business opportunities while enhancing clients’ cybersecurity measures.

This article was originally published at ChannelBuzz.

Photo: Actsdata Studio / Shutterstock



Posted by Chris Crellin

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management. Chris joined Barracuda MSP from Backupify/Datto, Inc. where he was responsible for product strategy and execution of their cloud backup SaaS portfolio. Prior to Datto, he spent 14 years with RSA, the Security Division of EMC. He was the lead product manager for the RSA SecurID portfolio after having started his career as a software engineer.
