When I ask small and medium enterprise (SME) business owners and IT executives which security issues they are most worried about, the answer typically includes ransomware, data theft, and DDoS attacks. Each is conceptualized as a one-off catastrophe, the risk of which can be mitigated by following security best practices — updating software, maintaining strong firewalls, and defense-in-depth security systems. And they’re exactly right about that approach. But there’s a blind spot that goes unconsidered: the advanced persistent threat (APT).

APTs are targeted attacks that take place over a prolonged period of time. The aim is often to gain information — private documents, intellectual property, user data — that can be used by the criminals to make money.

APTs follow a fairly predictable path, although the details are different in every case. First, attackers target low-level systems — the personal computers of non-technical employees or executives — with phishing attacks and other techniques. The goal is a malware infection that exploits software vulnerabilities to give attackers control over the machine. The information needed to target the right people is freely available online from social media networks and other sources.

Once they control a single machine inside the network, they quietly gather data about the business’s networks and systems, looking for a way to extend their influence. Through a careful process of information analysis and hacking, they can “island hop” from machine to machine until they have sufficient control to exfiltrate valuable data.

APTs are thought of as something only larger companies have to worry about. The thinking goes something like this: APTs represent a significant investment of time and resources for criminal groups, so it makes economic sense for them to ignore smaller companies. Focusing on corporations stands to generate the best return on investment.

However, there is more than enough money in SMEs to attract the targeted attention of online criminals. SME security tends to be weaker than that of large corporations. SMEs have fewer internal controls than corporations. And it’s a lot easier to “hijack” the identity of a small business than a large one (or an individual — you’d be shocked how easy it is to get a line of credit for a small business you have no connection to.

What can small businesses do to protect themselves? The only real protection is a multi-layered security strategy that starts with employee education and includes encryption, data control policies, firewalls, malware scanning, and server hardening by an experienced professional.

Many of the most spectacular attacks of the last few years fall into the category of an APT, including Ashley Madison, Sony, and the devastating Equifax data leak — and every one was caused by simple security errors such as failing to update software or storing critical data on servers with absurdly easy-to-guess passwords. In 2017, SMEs have to improve their security game. They can’t afford to ignore the risk of APT.


This article was originally posted “SMEs Need To Know The Dangers Of Advanced Persistent Threats” from Cloud Strategy Magazine.