2022 was a challenging year for all companies, regardless of their size, economic activity and even level of cybersecurity budget. Social Engineering, Ransomware and ZeroDays attacks were mainly responsible for the headache of many IT departments and even the closure of many companies that did not have the economic muscle or the right strategy to deal with this crisis.

That only happens in large companies

However, we still hear small and medium-sized companies say, “That only happens to big companies, have you ever heard an SME say it was attacked”.

Let’s think for a minute, a small or medium sized business, which has about 200 customers, which allows it to receive considerable profits for its size, pay bills, and provide jobs. Knowing the negative impact to their image, they really believe that they will be in the press saying “We were hacked”, that is NOT going to happen, in many cases when they are victims of a cyber criminal, they prefer to keep silent and see how they can solve by their own means, even paying when they are extorted by Ransomware. Which helps the Ransomware as a Serviceindustry stay in the game.

Ransomware as a Service

Many are still surprised when they hear “RaaS” or “Ransomware as a Service”, they see it as a joke, however, cybercriminals are at the forefront of technology and are perfectly aware of the different business models, both current and emerging.

RaaS is a business model based on subscriptions purchased by affiliates who are responsible for distributing the malware previously developed by the Operator, and receive a commission for each victim who pays the ransom for their information, thus reaching more countries, more victims, with less effort and less chance of being caught and using multiple techniques.

As shown in the image above, there is a whole infrastructure behind this service, very well financed by organized crime in many cases and in other cases just a group of enterprising criminals.

Now let’s not lose the focus of Affiliate number 3, the reason why we wrote this article, the “Script Kiddies”, people with little knowledge of computers, who become experts running tools without the slightest knowledge of how they work. These are the most dangerous actors, since they do not measure risks of any kind, they have no remorse, since, for them, this is a simple game and, not having any relevant knowledge, they look for the so-called “Low Hanging Fruit” or “Low Hanging Fruit”, and who are they?

Low Hanging Fruit The Ideal Target for Script Kiddies

Low Hanging Fruit, are known as those targets, easy to obtain, within which stand out, people or organizations with little or no awareness in cybersecurity, and mainly the famous “Who will attack me?”, and clearly in this classification enter SMEs.

Why are SMEs the PlayGround of Cybercrime?

Why complicate your life, if it can be easier and with little effort.
Instead of attacking a large company and demanding a ransom of $250,000 or more (which it probably won’t pay), cybercriminals prefer to attack 500 easy companies and charge $5,000 each, knowing that they would rather pay it than go bankrupt. In this way, the cybercriminal receives $2.5 million. Multiply this per affiliate and you will see why it is such a lucrative business and a difficult war to fight for those who are not cybersecurity conscious and/or believe they need infinite resources to protect themselves.

Why is it so simple?

I’m Aware of the Risks, but the Solutions are Too Costly

Solutions Too Costly

This is not true at all, many times small changes in our culture can have a big impact on the security of the organization.

The problem lies in the fact that, when seeking help from security companies, they focus on large and well-known consulting firms that, although they have excellent products and services, these have costs that are too high for small companies, generating immediate rejection and the assumption that there are no alternatives that adapt to their reality and needs.

Logically, the investment in cybersecurity controls must be proportional to the value of the information to be protected, and the cost of recovering in case of loss of this information. Reminding them that the cost is not only in money to be paid to a consultant, but in time and impact on the corporate image.

What Can I Do Then?

We present you with the phrase “Small actions generate big changes”.


Some Solutions and Services for SMEs