Symantec: More than one-third of cyber-attacks aimed at SMEs

Attackers turn away from big business to focus on easier targets

More than one-third of global targeted cyber-attacks are aimed at small and medium enterprises (SMEs), according to a report by security firm Symantec.

The June 2012 Symantec Intelligence Report found that 36 per cent of all targeted attacks during the last six months were directed at businesses with 250 or fewer employees, amounting to an average of 58 attacks per day.

The level of targeted attacks is two times the amount (18 per cent) found in Symantec's Internet Security Threat Report last December.

Although larger enterprises of 2,500 employees or more are receiving the greatest number of attacks with an average of 69 being blocked each day, there has been a drop in the number of attacks to larger enterprises in total.

Symantec's cyber security intelligence manager Paul Wood said that it could be because attackers are diverting their resources to attack smaller organisations, perhaps as a gateway to a larger business' data – or just because they represent easier targets.

"There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones. It almost seems attackers are diverting their resources directly from one group to the other," he suggested.

"It may be that your company is not the primary target, but an attacker may use your organisation as a stepping-stone to attack another company. You do not want your business to be the weakest link in the supply chain. Information is power, and the attackers know this, and successful attacks can result in significant financial advantage for the cyber criminals behind them."

He added: "Access to intellectual property and strategic intelligence can give them huge advantages in a competitive market."

The most targeted industry has been the defence sector – part of the public sector which has incurred an average of 7.3 attacks per day. With 20 per cent of all attacks, the chemical/pharmaceutical sector is second, while the manufacturing sector takes third, taking 10 per cent of all recorded attacks.

Wood said that although targeted attacks were increasing, they were still very rare, but warned that they are integral to a new phase of social engineering.

"Targeted attacks use customised malware and refined targeted social engineering to gain unauthorised access to sensitive information. We regard this as the next evolution of social engineering, where victims are researched in advance and specifically targeted," he added.

In the report's other findings, the global spam rate had decreased overall with the UK's rate of 67.2 per cent behind Hungary (74.3 per cent), Germany (66 per cent), the US (66.4 per cent) and Canada (66.5 per cent).

In the UK, one in 209.9 emails was identified as malicious, compared with South Africa where one in 414.1 emails was found as malicious.

The global spam rate and targeted phishing attacks were similar for both SMEs and larger enterprises, but malicious email-borne attacks destined for SMEs accounted for one in 360.8 emails, compared with one in 269.0 for large enterprises.