Small businesses defenseless in “dangerous” world, Israel’s ex-cyber chief warns

Small and medium-sized businesses, often overlooked, are underequipped to face emerging cybersecurity threats such as artificial intelligence (AI), according to Israel’s former cyber head Yigal Unna.

Despite their critical role in the supply chain and infrastructure, small and medium-sized enterprises (SMEs) are often neglected by both governments and insurance providers when it comes to cybersecurity, Unna told Cybernews.

Neglect renders SMEs "easy prey" for cybercriminals, he said. Instead of going against increasingly impenetrable big players, threat actors opt for volume attacks against weaker targets, which can be just as lucrative – and easier to get away with.

According to the British Insurance Brokers’ Association, 96% of all cyberattacks are launched against SMEs. A separate study from cloud security company Barracuda showed that smaller businesses were three times more likely to be attacked than larger companies.

The vast attack surface represented by SMEs is a vulnerability that nations could turn into a strength if governments recognized the problem and incentivized smaller companies to bolster their cyberdefenses, Unna said.

"It's not in the minds of many of my ex-colleagues and peers around the globe,"

Unna said.

After serving four years as the General Director of Israel’s National Cyber Directorate, Unna stepped down in 2022. He now works with CyFox, a firm specializing in AI-driven cybersecurity solutions.

According to Unna, AI is a major threat to consider and will make social engineering “very very easy.” In an interview with Cybernews, he also said ransomware is still a predominant threat, while denial of service (DoS) attacks are increasingly used against the private sector to cause reputational damage.

Why do you believe SMEs are overlooked when it comes to cybersecurity?

I’ve spent my career working for the government, and I didn't know much about the private sector and specifically about SMEs until I became the Director General of the National Cyber Directorate in Israel.

Governments naturally focus on critical infrastructure, which is mostly huge enterprises and very big companies. What I discovered is that the vast majority of the attack surface of a nation, of economy, of everything, is tens of thousands and – in the case of Israel – even hundreds of thousands of SMEs.

They are a part of the supply chain of critical infrastructure and they are also building the infrastructure. They make what the country, what a nation is all about. Still, due to the fact that this sector comprises many small entities, government and even insurance companies don’t pay enough attention to it. And that is a big problem.

It gets worse considering not only the market volume these companies have but also their role in the supply chain of the bigger players. It can cause a chain reaction and SMEs are attacked because they are easy prey.

What makes them easy prey?

As a Director General of Israel's entire national cyberspace, I understood I needed to have solutions that would be relevant to this vast majority of the attack surface. And when I looked around, I found nothing. SMEs do not understand how to run cybersecurity correctly.

The good news from a national point of view is once you give them a solution, you very quickly turn them into a cyber service. They begin to talk cyber, they begin to think cyber. And the overall impact is a dramatic improvement, a dramatic change for a country.

Another thing is the insurance companies. Cyber insurance is still, let's say, not very developed – and that's a big understatement. They do not have good cyber policies and the secret to turning it around is to improve it through SMEs.

Insurance companies are more reluctant to get into a venture with a big bank or a big enterprise. They do that, but it's not working very well. Instead, getting thousands of small businesses whose risks they can manage more easily would make the insurance companies more ready, more prepared, and more willing to get into cyber insurance.

It's a process that will feed itself because once they gain enough expertise, the insurance will be better. And then we can turn the market entirely, which you cannot do with one or two big enterprises.

During your tenure as the director general of Israel's National Cyber Directorate, what initiatives did you advocate for or implement that benefited SMEs? What should governments do to help them?

First, we need to acknowledge the need and acknowledge the problem, which is neglected more often than you think. It's not in the minds of many of my ex-colleagues and peers around the globe.

Second, you need to have regulation. Starting with encouragement rather than a big hammer. This could include subsidies, discounts or many of the other things that governments can do to get small businesses on board.

Companies with cyber solutions could get preferential treatment in government orders. It is sensible for any government to have a resilient supply chain.

This kind of soft regulation can then be followed by stronger rules. And the first thing I would do is go to the insurance industry and work hand in hand with them when it comes to regulation and related matters.

Can you provide some insight into the typical cybersecurity challenges that SMEs face in comparison to their larger counterparts?

They are easy for hackers, who look for the weakest spot. Big companies are getting more and more secure – the more they fortify, the bigger target smaller companies become.

Individually, it's less money, but you can do a dozen a day, which is not the case with big corporations. Threat actors targeting SMEs go for volume attacks and attack entire sectors. They get the same amount of money, or even more, from sheer quantity.

In the US, and even in Israel, hundreds of thousands of small businesses depend on computers. They all have attack servers and they all have money.

And if you do attack a big bank, for example, you may get into more trouble because they have enough resources to hunt you down and to get the police and the authorities to hunt you down. In the case of SMEs, you have a chance to get away with it.

"We need to run faster in this race just to stay on course,"

Unna said.

The list of threats with the emergence of AI is getting longer. We’re finding all kinds of new and different ways that it can be used to launch cyberattacks. Have you already observed the use of AI in cyberattacks, and what are some of the most common ways threat actors leverage it?

I have been speaking about AI in cyber since about 2018. Back then, nobody understood what I was talking about. Today, everybody understands the big threat that comes from generative AI. You can fake your CEO, your CFO – anything – and you don't even need deepfakes for that. It makes social engineering very easy.

The world is by all means getting more and more dangerous because we are more digital. And now we have generative AI. Unfortunately, the pace of defense solutions is always much slower than threat actors. We need to run faster in this race just to stay on course.

How can companies protect from that?

They need to look for cyber solutions that are also based on the cutting edge of AI. CyFox is exactly that. It is relevant for small businesses partly because it's very cheap. It’s very cheap because it uses AI in a way that can save a lot of hours and a lot of the most precious, most expensive resource in cybersecurity, which is the workforce.

I would recommend that any company choose AI-based solutions that are faster than emerging threats and more adjustable. We don't know what will be next, but we know it’s better to be prepared.

Beyond AI, what other emerging threats should companies be aware of and prepare for?

We see more and more DoS attacks, which are focused less on money and more on influence campaigns. The aim of these cyberattacks is to cause significant psychological damage.

While DoS attacks used to mainly focus on government and public agencies, we see more and more of that in the private sector as well. If you do the cyber influence attack right, it can cause a bank run, it can have catastrophic consequences for a company. It can have a psychological impact on clients and shareholders.

It's a problem mainly for big corporations today, but it's there. We also see DoS attacks combined with extortion more and more frequently.

Having said that, what would you say is the number one problem when it comes to cyber security now?

Ransomware is still number one, but the types of ransomware are changing. Unfortunately, we still have phishing. The human factor is the weakest point in every system and the weakest link in defense.

And that's exactly why AI is so bothersome. It imitates human behavior and does it much better and much faster. A combination of AI harnessed for malicious purposes and the human factor is the main threat to consider.