If you were to take a look at the cybersecurity news cycle, you’d be forgiven for thinking that it’s only large enterprises with expansive customer bases and budgets that are the most vulnerable to attacks. But that’s not entirely true. Even if it’s at a much smaller scale, small- and medium-sized businesses (SMBs) still have stores of sensitive information that’s appealing to bad actors — and they’re often much less equipped to protect that data.
In its recent Small and Medium-Sized Business Vulnerabilities Report (SMBVR), Vancouver-based CyberCatch sheds light on the state of security in this business segment — and it’s not looking good. According to the report, 8 in 10 Canadian SMBs are at risk of an attack. In addition, many of these businesses operate in critical industry segments, including finance and healthcare. These and other key data points in the report all indicate one thing: there’s an increasing need for robust cybersecurity efforts in the SMB space.
The SMBVR series is unique in that it’s the first report of its kind to focus on SMBs. Its purpose is to provide quarterly updates to SMBs so that they have a better sense of the state of security in their sector — and how to stay ahead of threats. For the purpose of the report, SMBs are classified as businesses with fewer than 500 employees and are recognized as key players in the global supply chain.
The Q2 2022 SMBVR showcases critical cybersecurity data based on a review of 3,200 Canadian SMBs, and 16,175 based in the US. These organizations represent 16 different industry segments, including six that are new in this quarter’s report: physicians, hospitals, utilities, banks & credit unions, mortgage brokers, and investment advisors.
To collect the data, CyberCatch used its proprietary vulnerability scanner and reviewed these randomly selected SMBs for common security weaknesses in their websites, software, or applications exposed to the internet. These commonly exploited weaknesses include cryptographic failures, injection, security misconfigurations, server-side request forgery, ID and authentication failures, outdated components, data integrity issues, and monitoring failures.
Here’s a closer look at what they found.
In its review of Canadian and US-based SMBs, the Q2 2022 SMBVR found a high incidence of three key vulnerabilities across all sectors. The first of these is spoofing. In a spoofing attack, a bad actor can spoof content from a website and trick users by redirecting them to a similar site that they control, asking them to input sensitive information. Alternatively, an attacker can send scripts that fool the web server into producing usernames, passwords, or a whole new customer database. Across North American SMBs, the potential for spoofing vulnerabilities is a whopping 82%.
The second vulnerability is clickjacking, which was identified as a potential vulnerability in 64% of organizations. Clickjacking is caused by a weakness that allows bad actors to insert stylesheets and text boxes and subsequently hijack portions of a web page. The purpose of this is to entice users to add their credentials in corrupted text boxes or forms, so that they can gain access and install malware.
The third most prevalent vulnerability is session riding, at 53%. In a session riding attack, the bad actor forces a user to unknowingly submit a malicious request when they’re already authenticated. Typically, the request will be to change the user’s password, so that the attacker can access their session and steal data or install ransomware.
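The clickjacking and session-riding (also called cross-site request forgery, CSRF) weaknesses above are largely visible from the outside in what a site sends back to the browser. As an added example, not code from the report or from CyberCatch's scanner, this Python checks one response's headers for the browser-side defences that close them, with both sample responses constructed for illustration:

```python
# Added example (not CyberCatch's scanner): check HTTP response headers for the
# browser-side defences against clickjacking and session riding (CSRF).
# Constructed samples below; headers are (name, value) pairs so repeated
# Set-Cookie headers survive.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

def _get(headers, name):
    """First value of header `name` (case-insensitive), or '' if absent."""
    return next((v for k, v in headers if k.lower() == name), "")

def clickjacking_findings(headers):
    """Flag pages that any third-party site may embed in a frame."""
    xfo = _get(headers, "x-frame-options").strip().upper()
    csp = _get(headers, "content-security-policy").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    return ["page can be framed by other origins: add CSP frame-ancestors "
            "(X-Frame-Options for older browsers)"]

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def csrf_findings(headers):
    """Flag cookies a browser will attach to cross-site requests; SameSite
    is a backstop only, the server still needs per-request CSRF tokens."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: no SameSite=Lax/Strict")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure attribute")
    return findings
```

An empty list from both functions means the response passed; a finding points at the header or cookie attribute to add.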
Of note, particularly critical segments, including hospitals, utilities, and banks & credit unions, aren’t far off the average for these three vulnerabilities.
This is concerning given the breadth and depth of sensitive customer information that these sectors hold — as well as the robust networks of interconnected technologies in hospitals and utilities. A successful ransomware attack, for instance, could stall organizations in these sectors from delivering highly critical services.
A look at 16 segments within Canada’s SMB landscape shows that there’s a high number of vulnerabilities across the board.
In the healthcare space, the report reviewed hospitals, dental practices, physicians, and medical practices in Canada. Across these areas, spoofing vulnerabilities were particularly prevalent for physicians (90%) and hospitals (87%). Hospitals are also most at risk of clickjacking (79%), while physicians are most at risk of session riding (63%). Dental and medical practices are currently less exposed to risk in all areas.
This quarter’s report included a case study of a hospital that faced a ransomware attack. During the attack, the hospital was forced to issue a “code black” — they couldn’t handle any patient intakes and there was a high risk of loss of life in the ER. They responded by diverting patients in critical conditions to other medical facilities, thus putting increased pressure on an already struggling emergency response sector. In addition, the hospital ordered all staff to log out of and turn off all electronic systems, directing them to use paper records for the days that followed. The attack rendered the hospital almost useless and put many patients’ lives at increased risk, and now they’re facing a class action lawsuit as a result.
This goes to show just how vital it is to secure these organizations and mitigate the vulnerabilities outlined in the report.
Financial services are another key area to observe given the sheer amount of personal and financial data these organizations hold for their customers. CyberCatch reviewed SMBs in the following areas: banks & credit unions, investment advisors, mortgage brokers, accountants, and law firms. Canadian law firms saw a surprisingly high vulnerability potential, with spoofing at 82%, clickjacking at 73%, and session riding at 63%. While accountants are less exposed to session riding (49%), they are prone to spoofing vulnerabilities (87%) and clickjacking (74%). Investment advisors also proved to be particularly vulnerable to spoofing at 89%, and are tied with banks for a potential incidence rate of 57% in session riding.
Within the education sector, the report includes data from post-secondary institutions. Colleges and universities in Canada appear to be particularly prone to spoofing attacks (84%), at a much higher rate than in the US (59%). They also present a high potential for session riding attacks (69%), compared to the cross-industry average of 53%. Given the number of people these institutions serve — and their access to educational records and financial information — there’s a need for further cybersecurity investment in this space.
Focus areas in the infrastructure space include utilities, manufacturing, transportation & shipping, and defense contractors. Of note, defense contractors in Canada have the lowest vulnerability rates in the report, even when compared to the defense contractors in the US. Only 19% of SMBs in this space have spoofing vulnerabilities, matched with 18% for clickjacking and 12% for session riding. Canadian manufacturers, meanwhile, have one of the highest rates for spoofing vulnerabilities (91%), followed closely by the utilities segment at 88%.
When it comes to the Canadian tech sector, the SMBVR report covers both service providers (MSPs and ISPs) and software developers. Although one would expect tech companies to be more attuned to these threats, they still had high rates across the board: spoofing at 84%, clickjacking at 76%, and session riding at 55%. MSPs and ISPs didn’t do a whole lot better, with 88%, 70%, and 49%, respectively. Tech companies — and all companies, really — increasingly run on user data. Having this data compromised can not only negatively impact the company’s reputation, it can also infringe on user privacy.
The Q2 2022 SMBVR should serve as a wake-up call for SMBs in critical sectors that haven’t yet prioritized cybersecurity. With 80% of SMBs at risk, the potential impact to both these businesses and their customers can’t be ignored. To move forward, SMBs need to be proactive, implementing the right security tools and processes, and building a culture of security that all employees contribute to.
For a more detailed review of this quarter’s insights and the cybersecurity vulnerabilities common to SMBs, download the full report.
About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.