Does size matter? 
A deep dive into SMB breaches

Summary

While differences between small and medium-sized business (SMBs) and large organizations remain, the movement toward the cloud and its myriad web-based tools, along with the continued rise of social attacks has narrowed the dividing line between the two. As SMBs have adjusted their business models, the criminals have adapted their actions in order to keep in step and select the quickest and easiest path to their victims.

A trip down memory lane

Several years ago (the 2013 edition of the report to be precise), we took a look at some of the differences and similarities between small businesses (under 1,000 employees) and large businesses (1,000+ employees). Since a lot can change in seven years, we thought we would once again compare and contrast the two and see what story the data tells us. After all, now more than ever due to the proliferation of services available as commodities in the cloud, including platform as a service (PaaS), software as a service (SaaS) and any other *aaS of which you can conceive, a small business can behave more like a large one than ever before. Therefore, we asked ourselves the question, “Have the differences in capabilities evened the playing field out a bit between the two with regard to the detection of and response to security incidents?” Since you’re reading this section, you’ve probably already guessed that the answer is “Yes!” Let’s dive in and examine how much has changed, and in what ways the song remains the same.

The first thing we noticed when populating the Summary table is the wide chasm between the two when it comes to numbers of incidents and breaches. Breaches are more than twice as common in the larger companies than in the small ones. Does this mean the small organizations are flying under the radar, or are they simply not aware they’ve received visitors of the uninvited variety? And the inequality between the two when it comes to number of incidents is staggering. Is it an obvious case of “mo’ money, mo’ problems” for large enterprises? Is it due to increased visibility or perhaps a much wider attack surface? We find ourselves in the same position that some professional sports referees have been in recently as we realize it’s hard (maybe more so in the Big Easy) to make the right call. 

We call out the top attack patterns in the table at the beginning of this section, but the pattern concept wasn’t born yet the last time we focused on organization size. In looking back, we can tell you there have been some changes in the most frequent causes (or as we like to call them in VERIS, action varieties) since 2013. The top 20 threat actions figure from the 2013 DBIR (Figure 109) lists the top 20 threat action varieties of the year, broken out into small and large organizations.

You can see that for large organizations, the top action was Physical tampering (wait, what?). For small organizations, in contrast, it was Spyware, although Brute-force hacking and Capturing stored data was not far behind. Skipping ahead seven years to our current dataset, we see that both large (Figure 110) and small (Figure 111) organizations have a top threat action of Phishing, with the Use of stolen credentials and Password dumpers in the top three for both (only in reverse order). Regardless, the same three contestants are leading the pack in both and that is an interesting finding. Phishing was considerably further down the list in 2013, as compared to the prime position it holds now.

Give me your keys and your wallet

In 2013, far and away the favorite data type to steal was Payment card information. Back in those days, criminals would walk a long way (barefoot, in the snow, uphill both ways) to obtain this type of data (and they were thankful for the opportunity!) Following that, Credentials were a fan favorite, and Internal and Secret data were also very much in vogue. Examining the types of data stolen today, in both small and large organizations, we see that Payment card data is so last year. Today’s criminal (lacking the work ethic of 2013) is primarily concerned with obtaining Credentials, regardless of the target victims’ size. Personal data also seems to be highly sought after, irrespective of the size of an organization. After those two heavy hitters, it becomes too close to call between Medical, Internal or Payment data. 

Another change from 2013 is the types of assets commonly attacked. The top asset for large companies (47%) was an ATM, while Point of Sale (PoS) controllers (34%) (followed closely at 29% by the Point of Sale terminal) were the top assets for small organizations. All of those assets have now fallen entirely off the list for both org types. Nowadays, organizations regardless of size are troubled with attacks on User devices, Mail servers and People (social attacks).
 

No time like the present

Moving on to the differences in the dataset for this year alone (otherwise we can’t talk about patterns), the top attack patterns for small organizations were Web Applications, Everything Else and Miscellaneous Errors, with none of them emerging as the obvious winner. Meanwhile, large organizations are contending with Everything Else, Crimeware and Privilege Misuse as their main issues. Web Applications attacks are self-explanatory, while the Everything Else pattern is a pantechnicon stuffed with bits and bobs that do not fit anywhere else. Packed away in here you will find attacks such as the business email compromise—a social attack in the form of phishing, purporting to be from a company executive who is requesting data or a wire transfer. Miscellaneous Errors is a wide-ranging pattern that encompasses the many means (and they are legion) by which someone you employ can hurt your organization without malicious intent. The Crimeware pattern is your garden-variety malware and tends to be deployed by criminals who are financially motivated. Finally, Privilege Misuse is an act (usually malicious in nature) in which an Internal actor can ruin both your day and your brand.

When examining Timeline data, we noticed that the number of breaches that take months or years to discover is greater in large organizations (Figure 113) than in small organizations (Figure 114). This seems a bit counterintuitive. On the one hand, large organizations have a much larger footprint and could possibly be more likely to miss an intrusion on an internet-facing asset that they forgot they owned, but small orgs have a      reduced attack surface so it might be easier to spot a problem. On the other hand, large orgs typically have dedicated security staff and are able to afford greater security measures, whereas small businesses often do not. Whatever the reason, there is a rather marked disparity between them with regard to Discovery.