Diving back into SMB breaches


  • Small (Less than 1,000 employees)


    Frequency

    1,037 incidents, 263 with confirmed data disclosure


    Top Patterns

    System Intrusion, Miscellaneous Errors, and Basic Web Application Attacks represent 80% of breaches


    Threat Actors

    External (57%), Internal (44%), Multiple (1%), Partner (0%) (breaches)


    Actor Motives

    Financial (93%), Espionage (3%), Fun (2%), Convenience (1%), Grudge (1%), Other (1%) (breaches)


    Data compromised

    Credentials (44%), Personal (39%), Other (34%), Medical (17%) (breaches)


  • One size fits all-most 

    The first thing we noticed while analyzing the data by organizational size this year was that the gap between small and large organizations in the number of breaches has become much less pronounced. Last year, small organizations accounted for less than half the number of breaches that large organizations showed. Unlike most political parties, this year these two are less far apart, with 307 breaches in large and 263 breaches in small organizations.

    Another interesting finding was that the top patterns have aligned across both org sizes. For the first time since we began to look at this from an organizational size perspective, the two groups are very similar to each other and, at least pattern-wise, this seems like a ‘one size fits all’ situation. 

    Last year, small organizations were greatly troubled by Web Applications, Everything Else and Miscellaneous Errors. The changes in our patterns account for a good bit of what we see this year in small organizations, since the Everything Else pattern was recalibrated, and the attacks that remain are largely Hacking and Malware, thus fitting into the System Intrusion pattern. In contrast, large organizations saw a fair amount of actual change. The top three last year were Everything Else, Crimeware and Privilege Misuse. The pattern recalibration means that most of the Crimeware type events went into System Intrusion and Basic Web Application Attacks, but Privilege Misuse is not a pattern that saw any substantial degree of change. Therefore, this is an indication that we saw fewer Internal actors doing naughty things with their employer’s data.

  • Figure 123
  • Large (More than 1,000 employees)


    Frequency

    819 incidents, 307 with confirmed data disclosure


    Top Patterns

    System Intrusion, Miscellaneous Errors and Basic Web Application Attacks represent 74% of breaches


    Threat Actors

    External (64%), Internal (36%), Partner (1%), Multiple (1%) (breaches)


    Actor Motives

    Financial (87%), Fun (7%), Espionage (5%), Convenience (2%), Grudge (2%), Secondary (1%) (breaches)


    Data compromised

    Credentials (42%), Personal (38%), Other (34%), Internal (17%) (breaches)


  • Since the patterns have now largely aligned between the two organizational sizes, we can talk a little about what that means for both. First, both are being targeted by financially motivated organized crime actors. This isn’t a news flash to anyone (or shouldn’t be) because professional criminals do tend to be motivated by money. For that matter, we’d wager most amateur criminals are as well (if we were the wagering type, which, of course, we aren’t. As far as you know). 

    Concerning the common patterns of System Intrusion and Basic Web Application Attacks, those run the gamut from simple to complex attacks, frequently focused on web infrastructure. The Hacking action of Use of stolen creds followed by Malware installation is the playbook these actors prefer to follow. Increasingly, we see ransomware deployed by the actor after access, sometimes after they have taken a copy of the data to incentivize their victims to part with their hard-earned Bitcoin.

    When we turn to Discovery timelines, we see a difference between the organizational sizes (Figures 123 and 124 respectively). Last year we reported that smaller organizations seemed to be doing better in terms of discovering breaches more quickly than their larger counterparts. This year’s data shows that large organizations have made a shift to finding breaches within ‘Days or less’ in over half of the cases (55%), while small organizations fared less positively at 47%.


  • Figure 124
