Research: the Danger of Attacks on Brazilian Startups and SMEs

Brazil recorded 31.5 billion attempted cyber attacks in the first half of 2022, an increase of 94% compared to the same period in 2020, according to a survey by FortiGuard Labs. This volume corresponds to more than 241,000 attacks per day, and cybercriminals do not spare Small and Medium-sized Enterprises (SMEs) or startups. On the contrary, attackers operate using a “fishing trawler” logic, automating the discovery of known vulnerabilities and attempting to exploit these security flaws in as many companies as possible, regardless of size.

A survey by Unxpose reveals that Brazilian SMEs are considerably exposed to cyber attacks and present an average of 172 vulnerabilities in their infrastructure. Each one can be viewed as a potential entry point for unauthorized access to a company's data, applications, networks, or computers. These data result from monitoring the attack surface of 170 SMEs and startups in the country.

According to Unxpose's Exposure Score, ranging from A to F and functioning as an indicator of the cybersecurity health of each company, the average score for Brazilian SMEs and startups is C, indicating that the level of exposure requires immediate attention. "The most common vulnerabilities are related to security gaps in the companies’ websites, such as a login area without validation against bots, like captcha technology. This allows an attacker to automate login attempts by inserting as many credential and password combinations as possible until one works," explains Josemando Sobral, a cybersecurity specialist, CEO, and founder of Unxpose.

Another prevalent attack vector among Brazilian SMEs is leaked corporate credentials. According to Unxpose's survey, 62% of Brazilian SMEs and startups have at least one organization email present in a recent leak. "Employees register on third-party sites using their work email. When attackers leak databases from these sites, they are filled with corporate credentials, and in many cases, passwords. Since most people reuse passwords, these leaks end up opening the front door of companies for cybercriminals," points out Sobral.For the cybersecurity expert, many SMEs believe that, because they are not multinational corporations and do not have massive media presence, they will not be targeted by cybercriminals. "The problem is that attackers are always looking for the easiest path and therefore exploit flaws that recur across different websites. Thus, there needs to be a shift in the mindset of these companies. Unfortunately, it is no longer a question of whether there will be an attack attempt, but when and what the consequences will be," he reflects.

For companies that have begun to worry about cybersecurity, the challenge remains significant due to the lack of specialized professionals in the market. A survey by the non-profit organization (ISC)² reveals a shortage of 600,000 cybersecurity professionals in Latin America, hindering these companies in building teams and significantly increasing the salaries of the few existing professionals, presenting another barrier for SMEs in hiring.

Where to Start
According to Sobral, several processes can be adopted by companies that are just starting to help mitigate exposure and decrease the likelihood of attacks. The first is the adoption of a password manager by all employees in the company. As previously mentioned, password reuse is quite common since it is very challenging to create and, more importantly, remember a strong password for each website/service used. A password manager solves this problem by creating complex and unique passwords, with each employee needing to remember just one main password.

The second process is the implementation of periodic training for the entire team to familiarize them with best cybersecurity practices. These trainings assist employees in recognizing attack attempts, identifying sensitive data, and avoiding actions that could expose the company.

Finally, it is crucial to create a catalog of all digital assets of the company; after all, it is necessary to understand what needs to be protected before beginning to implement protection measures. Each asset, such as a website, server, or cloud service, can present hundreds of vulnerabilities. Dynamic companies, which are always innovating, or even more traditional ones rapidly digitalizing, are constantly creating new products or features, which may inadvertently introduce potential new entry points for attackers.

Not keeping track of all the company’s digital assets creates blind spots that significantly increase the exposure surface—a term referring to the sum of all cybersecurity risks that expose the business.Regarding the catalog of digital assets, there are solutions today capable of automating the work of a security team, such as Unxpose. The startup offers a SaaS that continuously monitors companies' digital assets and identifies and prioritizes vulnerabilities found—all in an automated manner. In addition, the solution provides a tutorial on how to correct these vulnerabilities, designed for those lacking cybersecurity expertise. "The company was founded with the mission of democratizing access to Information Security; therefore, automation and educational resources are foundational to the product. More companies with access to cybersecurity equate to a safer business environment," concludes Sobral.CopyRegenerate