Leading cybersecurity firm issues Q1 Small and Medium-Sized Business Vulnerabilities Report (SMBVR), identifies vulnerabilities that can be exploited by attackers at 82% of U.S. SMBs, 78% of SMBs in Canada
For the first time, CyberCatch’s SMBVR detected significant vulnerability to “session riding” attacks among North American SMBs
SAN DIEGO and VANCOUVER, BC, May 31, 2022 /PRNewswire/ — CyberCatch today announced the publication of its quarterly Small and Medium-Sized Businesses Vulnerabilities Report (SMBVR) for Q1 2022 to alert small and medium-sized businesses (SMBs) to an alarming rise in vulnerabilities detected in Internet-facing websites, servers and applications. Of greatest concern, CyberCatch’s SMBVR has detected – for the first time in the report’s history – substantial levels of vulnerability among both U.S. and Canadian SMBs to “session riding” attacks, an insidious tactic that forces authenticated users to unknowingly submit malicious requests that can have drastic consequences.
The SMBVR is a quarterly research study focused on SMBs in North America to detect vulnerabilities that a cyber attacker can identify and exploit to break into a business, steal data and/or infect its systems with ransomware. The Q1 2022 SMBVR comprised scans of a random sample of 12,050 SMBs (10,878 in the U.S. and 1,172 in Canada) in ten high-value target segments. Key findings of the Q1 2022 study include:
- 82% of U.S. and 78% of Canadian SMBs have spoofing vulnerabilities that attackers can easily exploit.
- CyberCatch’s report detected significant levels of session riding vulnerability among SMBs, with 50% of such businesses in the U.S. demonstrating this vulnerability and 49% in Canada. This is the first time this vulnerability has reached such critical levels in the research report.
- Spoofing, clickjacking, session riding and sniffing are the four key vulnerabilities that SMBs are susceptible to in the U.S. and Canada.
- Spoofing, clickjacking and sniffing vulnerability levels more than doubled in the U.S. when compared to Q4 2021.
- Defense contractors, manufacturers, managed service providers (MSPs), technology companies, colleges and universities, legal and accounting firms and medical practices have significantly higher rates of vulnerabilities both in the U.S. and Canada.
“The Q1 2022 SMBVR should be a wake-up call for all types of SMBs. The high levels of vulnerabilities detected – across all ten segments both in the U.S. and Canada – are very concerning. It indicates that large numbers of SMBs have security holes that can be easily exploited remotely to steal data and install ransomware. This is an existential threat to SMBs – and to the overall economies of the U.S. and Canada,” said Sai Huda, founder, chairman and CEO, CyberCatch. Mr. Huda is a globally recognized risk and cybersecurity expert and author of the best-selling book, “Next Level Cybersecurity.”
“Given its size, limited knowledge about cybersecurity and limited resources, an SMB may never be able to recover from a cyberattack. Foreign adversaries and criminal gangs view SMBs as the weakest link in the chain and are increasingly targeting SMBs for the initial payout, but also to get to the eventual larger target to which the SMB may be a supplier (upstream risk), or to the SMB’s customers (downstream risk), and in the process they don’t care a bit about any collateral damage caused or whether the SMB survives or not,” continued Mr. Huda.
“In fact, two Joint Advisories issued in May 2022 from International Cyber Authorities confirm the risk identified by CyberCatch. The May 11 Joint Advisory from the U.S. CISA, NSA, FBI and International Cyber Authorities (Canada, UK, Australia and New Zealand) warns of expected increased attacks targeting MSPs, focusing on their customers (downstream risk). The majority of MSPs are themselves SMBs, and CyberCatch’s SMBVR identified MSPs as one of ten segments with significant vulnerabilities that could be exploited. The May 17 Joint Advisory from the U.S. CISA, NSA, FBI and International Cyber Authorities (Canada, UK, New Zealand and Netherlands) warns of missing or ineffective cybersecurity controls that are commonly exploited by attackers, which include failing to scan for vulnerabilities and failing to perform ongoing testing of controls, so SMBs need to take enhanced risk mitigation action as recommended in the Joint Advisories and in the SMBVR,” said Mr. Huda.
To download a copy of the SMBVR, please visit CyberCatch’s website.