Cyber-attacks against medium-sized companies on the rise

In the last two years, cyberattacks against mid-sized companies have seen a 150% growth and even tripled in some sectors in the same period. However, these companies’ cyber defense schemes against the growing intrusions have not been sufficiently armed. The combination of larger and increasingly audacious attackers and stagnant adoption of cybersecurity solutions has resulted in a bleak prognosis for mid-sized companies for 2022, according to a Coro study.

According to the research, growing businesses are being bombarded by cyberattacks with a similar frequency to the invasions targeting large companies. Before the pandemic, an average of around 6,300 attacks per medium-sized company were seen throughout 2019. In 2020, that number increased to approximately 17,500 and to 31,000 in 2021. These jumps represented a 174% growth between 2019 and 2020 and a 79% growth between 2020 and 2021. If the percentage increase between 2021 and 2022 stays within those ranges, attacks are expected to be between 56,000 and 86,000 times per company throughout 2022.

In addition, no industry is escaping the attention of cybercriminals; all are experiencing a large increase in the volume of attacks, putting businesses in all areas at risk. For example, attacks against educational institutions doubled between Q1 2020 to Q4 2021. Meanwhile, intrusions on professional services, manufacturing, and retail companies increased 2.5 times, and attacks on healthcare and transportation businesses nearly tripled in the same period. By the end of 2021, hospitals and other healthcare companies emerged as the most targeted institutions, according to the study.

There are several factors contributing to the growth in attacks, but one of the most important changes highlighted by Coro is the expansion of attack vectors. Phishing and malware-laced intrusions now have many more variants than before the pandemic, opening up new avenues for malicious actors to infiltrate company networks.  

For example, phishing through cloud apps and over WiFi has increased, leading more unsuspecting users to visit fake websites or join fraudulent networks. On other fronts, early in the pandemic, types of malware delivered via the cloud emerged as a major threat vector. Cloud file-sharing platforms such as Google Drive or Dropbox became vehicles for malware.

The study reports that phishing and malware attacks against retail businesses increased more than 2.5 times from the beginning of 2020 to the end of 2021.

More than growing in variety, attacks on medium-sized companies have also become significantly more sophisticated. Before the pandemic, attacks that could be classified as naive, which do not change much among their targets, predominated. They may take the form of waves of malicious emails that reach millions of recipients, hoping that only a small fraction will actually become victims. They can also take the form of automated bots that randomly generate credentials.

During the pandemic, however, attacks became more complex, using low-cost malware products and services that spread quickly. This opened the door to the launch of more targeted and personalized attacks against medium-sized companies. So-called naive attacks dropped by 21%, while more sophisticated attacks grew geometrically in popularity among cybercriminals.

Another element that contributed to this growing wave of attacks is the automation tools used in the attacks. Automation and commoditization created economies of scale that allowed attackers to think of mid-sized companies as potential victims of their actions. No wonder, botnet attacks have more than doubled in the last two years. In addition, initiatives have emerged that offer malicious tools-as-a-service that allow virtually anyone to trigger sophisticated, automated campaigns.

In addition, digital transformation processes accelerated by the COVID-19 pandemic have also led mid-sized companies to adopt remote working models, to free up the use of personal equipment in professional activities, and to embrace more corporate applications in the cloud, without often thinking that cybersecurity procedures would need to be re-evaluated.

What is worrying is that the vast majority of the mid-sized companies surveyed still lack adequate protections against attacks in increased numbers and greater sophistication. Of the more than 4,000 surveyed, very few had security solutions against malware and phishing, let alone for other threat vectors that have emerged in the last two years. To make matters worse, the few that do use some sort of cybersecurity system don’t configure it properly, resulting in a false sense of security.