Report Shines Light on Extent of SMB Insecurity

Small-to-medium businesses (SMBs) have emerged as the weakest cybersecurity link mainly because so many of them continue to rely on antiquated software that is easy to exploit. That’s the finding of a recent report from managed security services provider Alert Logic.

The research report, based on an analysis of 4,000 small to large organizations, finds 66% of the devices deployed in an SMB environment are running an instance of Windows that is either no longer supported or scheduled for end of life by the beginning of next year. Perhaps not surprisingly, the report also discovered that almost a third of the top email servers detected were running Microsoft Exchange 2000, which has been unsupported for nearly 10 years.

In total, Alert Logic analyzed more than 1.3 petabytes of data, 10.2 trillion log messages, 2.8 billion intrusion detection events and 8.2 million verified security incidents. The report finds that, in addition to the antiquated software, 75% of unpatched vulnerabilities discovered in SMB environments are more than a year old.

Jack Danahy, senior vice president for security at Alert Logic, said given the interconnected relationships between businesses in the digital age, cybercriminals now routinely scan for exploits regardless of the size of the company. Cybercriminals know that once they compromise an SMB’s IT environment, it becomes easier for them to leverage the breach to gain access to IT systems run by larger companies that an SMB engages, he said.

Unfortunately, too many SMBs still don’t appreciate the risks involved, Danahy noted. There’s often a sense that many of these organizations are too small to be targeted by cybercriminals. The issue that most SMBs don’t fully appreciate is that cybercriminals now routinely launch indiscriminate automated attacks against IP addresses that affect all organizations regardless of size, he said.

Less clear for now is to what degree Microsoft and larger enterprises in general will require the smaller organizations they do business with to modernize their IT environments. Microsoft is committed to forcing organizations to migrate to a Windows 10 platform that delivers security updates as part of a subscription. Larger enterprises, meanwhile, are starting to impose more rigorous cybersecurity stress tests on their smaller trading partners.

If those twin efforts gain more momentum, Danahy said more SMBs would opt to rely on managed cybersecurity services simply because the task of securing even a small IT environment remains too daunting for most SMBs. A large number of them can’t even afford to hire a dedicated cybersecurity professional, preferring to rely on the same IT generalist who is managing their applications and infrastructure. Most IT generalists, however, don’t have access to sophisticated cybersecurity tools, much less have the time required to keep pace with the rate at which new threats emerge.

Of course, many SMBs are only one serious cybersecurity incident away from being put out of business. The trouble is that, when evaluating cybersecurity risks to the business, not enough SMBs fully appreciate just how lethal a cybersecurity breach can be. In fact, most of them are hoping that with such a large herd of SMB prey available, they’ll simply be lucky enough to survive. The problem with that thinking, however, is that SMB owners don’t realize that cybercriminals can now leverage automation to take down an entire herd anytime they like.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
