I have heard this so many times: “My company is too small to be the target of an advanced attack”. Unfortunately, this is not true, and the recent cyber-attacks on Microsoft Exchange servers clearly show it. Unlike the recent SolarWinds Orion security breach, which directly affected mostly large organizations, the Exchange vulnerabilities were used to attack in excess of 30,000 organizations in the US alone, mostly small businesses and local government offices.
Here are the three lessons that a small business should learn from this incident:
- Every organization (and person) is a potential victim of advanced cyber-threats. This highly automated attack, which used four zero-day vulnerabilities, shows that virtually no organization (large or small) is safe. Whether it is used as a pivot point toward larger targets or is hit simply by chance, it is only a matter of time until a sophisticated attack “knocks” on an organization's door.
- Cloud services are a safer choice, especially for small organizations. There are at least two reasons for this. First, many software providers (Microsoft included) have a “cloud-first” policy. That means the cloud solutions get new features, enhancements, and even bug fixes first. For example, in this case, Microsoft Exchange Online is not affected by the attack. Additionally, the large cloud infrastructures benefit from the most advanced security options on the market and are staffed with the “crème de la crème” of cybersecurity personnel. Does this make them bullet-proof? No, but the likelihood of a breach is smaller. Second, small organizations are typically slow to apply security patches even when these become available. Many of the Microsoft Exchange servers affected by the zero-day vulnerabilities exploited in this attack will remain unpatched for months, leaving them vulnerable to attacks.
- Cybersecurity is getting professionalized. Highly professionalized. Advanced attacks are becoming increasingly common and are affecting a large number of organizations around the world. Basic cybersecurity skills are no match for the security challenges of today’s world. Small organizations typically cannot afford to spend resources on skilled cybersecurity professionals (not to mention that we are currently facing a significant shortage of cyber defense talent). Alongside the use of cloud services instead of on-premises infrastructure, an SMB should also consider relying on Managed Security Services and Managed Detection and Response Services to keep its IT infrastructure running and secure.
These three points should be considered for increasing the cyber-resiliency of the organization. But they do NOT replace the actions required to check whether your infrastructure was affected by the attack. For more context on the breach and the recommended remediation steps, check this Microsoft blog post.