by Rohan Sinha (’23) | November 18, 2022
The Colonial Pipeline cyberattack in May 2021 was a wake-up call to many government and corporate officials. DarkSide, a criminal hacking group, had conducted a ransomware attack on a pipeline transporting gasoline, shutting down a major source of fuel along the East Coast. To many experts, the success of this relatively unsophisticated cyberattack highlighted the vulnerability of large government and industrial institutions to cyberwarfare.
But Colonial Pipeline was lucky: the cyberattack on this critical infrastructure received widespread media attention and was investigated by Congress and the US Department of Justice. Moreover, Colonial Pipeline, owned by large oil companies, has the resources to implement safer security practices. Other smaller institutions would not have been as fortunate.
Despite the lack of media coverage, small businesses have been a more frequent target of cybercrime, with researchers at the firm Barracuda Networks estimating that they are three times more likely to be attacked by cybercriminals than large businesses are. Over the past two years, cyberattacks on medium-sized enterprises have spiked by more than 150%, according to researchers at the cybersecurity firm RiskRecon. While hackers certainly target critical American infrastructure, they often direct insidious, more subtle attacks towards local businesses.
Small corporations’ vulnerability is typically a result of their management structure. Ever since the start of the pandemic, the shift to online work has led to the storage of sensitive corporate data on personal devices such as phones and laptops. Local companies often lack the resources to provide either secure professional devices or antivirus software, leaving sensitive data on personal computers vulnerable to a cyberattack.
Moreover, small businesses are particularly susceptible to spear-phishing attacks, in which a hacker impersonates a known sender of an email to induce someone to reveal corporate data. Social engineering attacks exploit targeted individuals by observing employee behavioral patterns to gain access to confidential systems and networks. These forms of cyberattacks rely on manipulating specific individuals: the Barracuda report found that a local company’s employee will face 350% more social engineering attacks than one at a larger corporation.
The frequency of these cyberattacks may only increase with cyberwarfare between Russia and Ukraine. According to Western intelligence, the Russian military carried out a distributed denial-of-service cyberattack against major Ukrainian government and banking websites, overwhelming their networks—just before Moscow began its invasion of Ukraine early this year. This combination of cyber and military forces has alarmed American intelligence, who expressed concern about Russia or associated criminal hacking groups also carrying out cyberattacks against American critical infrastructure. Given small enterprises’ susceptibility, Russia’s cyberwarfare likely also poses a threat to them.
But few non-corporate businesses can afford antivirus software or enforce software updates and multifactor authentication. These security measures, fundamental for many large corporations, impose significant burdens on local companies: owners are reluctant to spend their limited resources on cybersecurity, which many rate as their lowest business concern, according to a survey by CNBC and SurveyMonkey.
Still, the damage from cyberattacks on small corporations poses a serious threat, even if some owners do not prioritize it. The same CNBC poll found that 55% of Americans would be less likely to support small businesses victimized by cyberattacks; cyberattacks thus damage the national economy as well.
Many experts have called for small businesses to update their security practices to be comparable to those found at larger corporations. But crucially, these calls must also come with an acknowledgment of the resource inequity between small enterprises and larger companies: small businesses often need financial support to implement costly security measures.