The great cybersecurity flaw of SMEs
While criminals are intensifying their use of artificial intelligence and the cloud, many companies lack adequate means to defend themselves
3' min read
3' min read
When it comes to digital transformation and the adoption of state-of-the-art technologies to gain competitive advantages, one is confronted with a reality that is patchy: few companies manage to keep up with technology and the opportunities it brings, while most remain at the mercy of products and procedures that they do not understand how to incorporate into their business processes. But there is an exception. A whole sector is working very well with new technologies and managing to take advantage of them: cybercrime. Criminals, in fact, have created real 'cloud first' crime companies that make intensive use of automation and artificial intelligence. And if we look at the situation out there, it is almost like shooting on the Red Cross. A recently released research study commissioned by Clusit (Italian Association for Information Security), the Chamber of Commerce of Modena and Unimore outlines a disastrous situation in SMEs with regard to IT defences.
The cybersecurity teams
.The number of people dedicated to cybersecurity in companies grows with the size of the company, but it starts very low. In companies with less than eleven employees, in fact, in 80% of the cases there is no dedicated person in the IT department and they turn to external personnel (in 64% of the cases just one person) who are asked to manage the infrastructure and do cybersecurity. Obviously, in micro-companies it is very rare to find personnel specialised in IT security, but the surprising fact is that it is also scarce in larger companies, where the survey finds only about a third of the companies can boast at least one person with such a formalised position, even if in a third of the cases it is only related to privacy practices.
The Skills Node
.The skills shortage, therefore, is a serious problem, and even if the managed cybersecurity services offered by specialised companies manage to guarantee a high level of protection, the fact that 85 per cent of micro-enterprises have no training in privacy and cybersecurity leaves criminals plenty of room to manoeuvre. Margin that malicious hackers have no qualms about using, continuing to extend their advantage through the use of the latest technologies. Artificial intelligence at the service of criminals is a tool to improve the effectiveness of their actions, assisting the human element that organises malicious campaigns and attacks.
Ai attacks
.It is no coincidence that, according to many experts in the field, the main contribution of Ia to cybercrime is to make the phishing campaigns with which they steal users' credentials much more credible and effective. Thanks to the targeted training to which it can be subjected, the systems used by criminals can create e-mails that reflect the style of a specific company or person, making the communication much more credible. In addition, a technique that is gaining increasing popularity is Ai-based credential stuffing, i.e. an attack that exploits databases of stolen passwords to try them out on a large number of sites. The hope of the criminal is to find a password that its owner has decided to use on several services. When this happens, a hacker can steal many accounts in a very short time. The recommendations that specialists are constantly making to urge people not to always use the same password, however, are bearing fruit and users are learning to use different passwords for each service, while often changing them very little so that they do not have to waste time going to retrieve them. The Ia is often able to guess the pattern and thus hack those accounts where only slightly different passwords are used from those already compromised.
Sensitive Information
.Besides, the Ia are very good at gathering information. When a criminal wants to carry out a targeted attack on a person, he needs to tap into as much information as possible in order to gain their trust. The Ia can scour the Web for everything possible to know about a person and present the information in a readable and accurate manner, saving the attacker an enormous amount of time. This collection of data also makes it possible to predict, in some cases, people's behaviour or tastes, giving the criminal extra leverage to get them to click on a link he has prepared to carry out the attack. If, for instance, the target plays padel and the Ia comes across an advertisement for a tournament to be held in the city, it can suggest and compose a phishing e-mail based on this event. Finally, the first machine-to-machine attacks begin to appear. The Ia analyses the results of the tools used by criminals to analyse the defences of the target companies and are able to devise attack strategies that have a high chance of success.

