Small and medium-sized businesses, which are often overlooked, are ill equipped to confront emerging cybersecurity threats such as artificial intelligence (AI), according to Yigal Unna, a former head of cyber in Israel. Unna highlighted that despite their role in the supply chain and infrastructure, governments and insurance providers tend to neglect the cybersecurity needs of small and medium-sized enterprises (SMEs), leaving them vulnerable as "easy prey" for cybercriminals.
Instead of targeting more secure entities, threat actors opt for volume attacks against weaker targets like SMEs. This approach can be just as profitable for them while being less risky. Research from the British Insurance Brokers Association reveals that 96% of all cyberattacks are directed at SMEs. Additionally, a study by Barracuda, a security company, indicates that smaller businesses are three times more likely to be targeted compared to larger corporations.
Unna suggests that if governments recognize this vulnerability represented by SMEs and incentivize companies to enhance their cyber defenses, it could transform into a strength against cyber threats. However, he acknowledges that this issue is not widely acknowledged among his colleagues across the globe. After serving as the General Director of Israel's National Cyber Directorate for four years until 2022, Unna stepped down from his position.
He currently collaborates with CyFox, a company specializing in providing cybersecurity solutions driven by AI.
Unna emphasizes that AI poses a threat and can greatly facilitate social engineering. In an interview, he further highlights the dominance of ransomware as a major threat while also noting the increasing utilization of denial of service (DoS) attacks by the private sector to cause reputational harm.
Why do you think medium-sized enterprises (SMEs) tend to be overlooked in terms of cybersecurity?
Throughout my journey within government work, I had limited exposure to the private sector, specifically SMEs, until I assumed the role of Director General at the National Cyber Directorate in Israel.
Governments naturally prioritize protecting infrastructure, which primarily consists of large-scale enterprises. However, what I discovered is that the vast majority of our nation's attack surface encompasses tens or even hundreds of thousands of SMEs.
These SMEs are both parts of the supply chain for critical infrastructure and contributors to its development. They embody our country's essence. Yet due to their number and relatively smaller scale, they often receive insufficient attention from governments and even insurance companies.
That presents a significant issue.
The situation worsens when we consider not only the market size of these companies but also their role in the supply chain of larger players. This can set off a chain reaction, making medium-sized enterprises (SMEs) vulnerable targets.
What makes SMEs susceptible to attacks?
As someone who oversees Israel's entire national cyberspace, I realized it was crucial to find solutions that would address the majority of potential attack points. However, upon investigation, I discovered a lack of options. SMEs struggle with understanding cybersecurity practices.
Fortunately, from a perspective, once you provide them with a solution, they quickly become adept at handling cyber threats. They start discussing cybersecurity and incorporating it into their mindset. The overall impact is an improvement and a transformative change for the country.
Companies' offers of cyber insurance are another factor to take into account. Currently, it is safe to say that cyber insurance has not seen development—an understatement at best. The existing policies offered by insurance companies are inadequate when it comes to cybersecurity. To rectify this situation, focusing on improving offerings through SMEs is key.
Insurance companies tend to be hesitant about entering into partnerships with banks or large corporations. While such partnerships exist, they often do not yield results.
Instead, if insurance companies focus on insuring thousands of businesses, they can manage their risks more easily. This approach would make insurance companies more prepared and willing to offer cyber insurance.
This process will have a feedback loop because, as insurance companies gain expertise in insuring small businesses, the quality of the coverage will improve. Eventually, this could completely transform the market, which is not possible with just one or two large enterprises.
During your time as the director of Israel's National Cyber Directorate, what initiatives did you support or implement to benefit small and medium-sized enterprises (SMEs)? What actions should governments take to assist them?
Firstly, it is crucial to recognize the need and acknowledge that this problem is often neglected. Many of my colleagues and peers around the world do not fully appreciate its importance.
Secondly, implementing regulations should start with encouraging measures rather than imposing strict rules from the outset. Governments can provide subsidies, discounts, or other incentives to encourage businesses to adopt cybersecurity practices.
Companies offering cyber solutions could receive special treatment when it comes to government contracts. It makes sense for any government to have a supply chain.
If more strict rules are required, they can come after this type of regulation.
My first step would be to collaborate closely with the insurance industry in order to address regulatory and related issues.
Could you provide some insights into the cybersecurity challenges that small and medium-sized enterprises (SMEs) face as compared to larger corporations?
Hackers find SMEs an easier target as they search for vulnerabilities. While big companies are continually strengthening their security measures, this inadvertently makes smaller companies attractive targets.
While each individual attack on an SME may yield money, hackers can carry out multiple attacks in a day, which is not feasible with larger corporations. Threat actors focusing on SMEs opt for volume attacks that target sectors. They can accumulate large amounts of money through sheer quantity.
In both the US and Israel, hundreds of thousands of businesses heavily rely on computers. They all possess servers and financial resources.
On the other hand, if one were to attack a major bank, for instance, it could lead to severe consequences as they have ample resources to track down perpetrators with the assistance of law enforcement agencies. In contrast, when targeting SMEs, there is a likelihood of evading capture.
"We must increase our speed in this race just to keep up with the challenges," Unna remarked.
The list of threats associated with the rise of AI keeps growing. We continue to discover new ways it can be utilized for launching cyberattacks. Have you noticed any instances of AI being used in cyberattacks? What are some common methods that threat actors employ?
I have been discussing the intersection of AI and cybersecurity since around 2018. Initially, people didn't comprehend my concerns. Now everyone recognizes the significant threat posed by generative AI. It enables individuals to impersonate CEOs, CFOs, or anyone else without relying on deep-fake technology. This ease of execution makes social engineering much simpler.
As our digital reliance increases, the world becomes progressively more perilous with the advent of generative AI. Regrettably, defense solutions always lag behind threat actors in terms of development speed. To keep ourselves on track, we must strive to outpace them in this race.
How can companies protect themselves from these dangers?
Organizations should seek out cybersecurity solutions that leverage cutting-edge AI technologies like CyFox. It is particularly relevant for businesses due to its affordability.
AI solutions offer the advantage of being cost-effective as they leverage technology to save resources, particularly in cybersecurity, where the workforce is highly valuable and expensive.
I would advise companies to opt for AI-driven solutions that are not only swift in addressing emerging threats but also adaptable to changing circumstances. While we can't predict what lies ahead, it's always better to be well prepared.
Apart from AI, what other potential threats should companies be mindful of? Ready themselves for?
We have observed a growing prevalence of denial-of-service (DoS) attacks that aim to influence rather than solely focus on financial gain. These cyberattacks intend to inflict psychological harm.
While DoS attacks were previously more targeted at government entities and public agencies, we now witness an increase in attacks targeting private sector organizations as well. If executed effectively, a cyber-influence attack can trigger panic among clients and shareholders, leading to repercussions such as bank runs or substantial damage to a company's reputation.
Although this issue primarily affects corporations, it remains a concern. Furthermore, there is an emerging trend where DoS attacks are frequently combined with extortion tactics.
That being said, what do you think is the challenge in terms of cybersecurity right now?
Ransomware still holds the top spot, although the types of ransomware are evolving. Unfortunately, phishing is still a concern. The human element remains the most vulnerable aspect of any system and serves as the weakest link in our defense.
That's precisely why AI is so concerning. It mimics behavior but does it more effectively and efficiently. The combination of AI being used for purposes along with the human factor poses a significant threat that we must consider.