Small business, big impact
As one of the topics in the Annual Security Report, we analyzed the attack patterns according to organization size. This is what we found.
The big picture has changed somewhat. Compared with last year's numbers, the first notable change was that 9.72% of the incidents were tracked in small businesses. That's an increase from last year's 8%.
A significant shift has occurred when it comes to medium and large organizations. Last year we found large companies were the ones hit the most by far. Generally, it is still true that most incidents occur in companies with more than 10,000 employees.
What we saw this year is a dramatic rise in attacks on medium-sized businesses. In 2019, we tracked 31% of the incidents here, which is a significant increase from last year's 19%. At the same time, incidents in large organizations dropped from 73% to 58.8%.
Apparently threat actors have massively shifted their focus and now target medium-sized businesses with 1,000-10,000 employees much more than in previous years.
Types of incidents versus business size
We see the same tendency as in the averages of the overall funnel of incidents. The major change in comparison to 2018 can be observed in large organizations, which had to deal with extensive amounts of malware last year. This year, all business sizes had network & application anomalies as the top-ranked incident type.
Two factors stick out, though: small organizations suffer much more from account anomalies (33%, compared to 21% for medium and 15% for large), and large ones still have to fend off almost twice as many malware attacks as smaller ones.
For organizations with under 1,000 employees we once again observed a sharp increase in the incident ratio. On average, the incident count per head is about twelve times higher than in large organizations. This confirms a trend we observed last year: by October we found the incidents per head in small businesses four times higher than for larger ones, and by the time we reviewed the statistics for November and December, we found this had increased to a factor of six.
With the factor doubling again this year, we see this tendency rapidly picking up speed.
Prevention, detection, response
So, you know that you have to increase your ability to detect threats, but how do you do this? We predict that the focus on log-based detection alone will shift to also include network-based and endpoint-based detection. You should select a detection and protection strategy based on your environment and your requirements.
- If you want to quickly eliminate a lot of the threat that malware poses, AI-based endpoint protection is the way to go.
- If compliance-driven detection is most important, then logs are for you.
- If you want rapid time-to-value and really advanced detection and response capabilities, endpoint detection is for you.
- If you cannot install any sensors on your endpoints, network-based detection is for you.
- If you have high security requirements, you need a combination of, or all of, the above.
One trend is very clear when it comes down to it: cyber security is really a big data problem, regardless of whether you are analyzing endpoint data, network data or log data. To solve this, customers will increase investments in technology that has good implementations of AI/ML to help analyze this massive amount of data. The first results are being yielded in the field of next-gen endpoint protection, as we will see in the next post.
Now you've sorted out the technology approach. What's next? You need people and processes to analyze and classify anything that is detected, 24×7. Most customers struggle with the cost and time of building this themselves, so they will buy it as a service (MDR).
Prevention will go a long way. But as mentioned above, the risk for your business will also depend on how quickly you can detect and respond to a threat. Just detecting it will not be enough. During 2019 many customers called our CSIRT hotline to get emergency help with incidents. We predict that in 2020, customers will start becoming more proactive and assess their internal ability to quickly respond to threats. Then, they will complement this with subscription-based retainer services from security providers that they trust.