SMBs are increasingly exposed via their cloud infrastructure, with over half experiencing an increase in the volume (56%) and complexity (59%) of attacks over the past year, according to Sophos.
The findings come from the security vendor’s new report, The Reality of SMB Cloud Security in 2022, which is based on a survey of 4984 IT professionals across 31 countries whose organizations use Infrastructure as a Service (IaaS).
Most (53%) respondents claimed they also experienced an increased impact from the attacks they suffered over the past year, while two-thirds (67%) admitted that they were hit by ransomware.
The report offered a few clues as to why this might be: only 37% of respondents said they track and detect resource misconfigurations, and only 43% routinely scan IaaS resources for software vulnerabilities.
Two-thirds (66%) don’t have visibility of all resources and their configurations, while just a third (33%) said they’re able to continuously detect, investigate and remove IaaS cyber-threats.
Securing access to cloud resources is also an issue for many. Only 40% of surveyed SMBs have intrusion prevention (IPS) in place, and only slightly more (44%) use a web application firewall (WAF) to protect their web-facing applications and APIs.
With the market for public cloud services set to grow to nearly $600bn next year, SMBs must prioritize security, according to Sophos senior security advisor, John Shier.
“This includes implementing traditional threat-based protections, as well as risk-based mitigations. Unpatched vulnerabilities and misconfigured resources are both preventable mistakes and avoidable risks that make life easier for attackers,” he added.
“The survey found that more advanced IaaS users are twice as likely to report a decrease in attack impact as beginners, suggesting the appropriate defense mechanisms can go a long way in deterring threat actors.”
By making just modest improvements to their security posture, SMBs could see a big return by dissuading opportunistic attackers.
Shier argued that “most attackers are not unstoppable criminal masterminds, but rather opportunistic cyber-thugs looking for an easy payday.”