A tech startup in the New York area was flying high after a big funding round. The cash landed in the company’s bank account, but then disaster struck: Cyber criminals had heard about the funding round too, and decided to steal the money.
Using software that monitored the keystrokes of the CFO and comptroller, the hackers obtained the company’s banking credentials and drained over $1 million from its working capital account, sending funds to bank accounts in Russia, China, and Turkey. The firm, which did not want to be named, never recovered the money.
Get Data Sheet, Fortune’s technology newsletter.
According to Mark McArdle of eSentire, a security firm that advised the startup after the attack, the incident was not an isolated one. Instead, it is part of a growing trend in which sophisticated cyber criminals are eschewing big financial institutions in favor of softer targets.
Hackers move down the food chain
A recent cyber-heist on Bangladesh’s central bank, which saw criminals make off with $80 million, is a reminder the financial sector is still vulnerable to hackers. But in North America, such attacks have become much more difficult.
“Larger banks are getting harder to penetrate since they’ve invested in security for years. They’ve had their big breach through which they get religion, they get spend [more budget] and they get harder,” said Bill Stewart, an EVP with Booz Allen (bah). “Now, the adversaries are moving down the food chain.” In practice, this means the same hackers who once targeted big banks are seeking easier prey: credit unions, small hedge funds, PR firms, and a wide variety of other mid-tier enterprises.
This Is the Place Where AT&T Stops Hackers
The attackers are led by mafia-like criminal gangs but also outfits like Lazarus, which hit the Bangladesh central banks, and which is widely believed to be tied to the government of North Korea. According to McArdle of eSentire, some nation states are expanding their hacking targets as a way to fund their cyber-military capacities.
He added that the mid-tier firms, now the targets of hackers of all stripes, can be defined as companies that lack resources for chief security officers, and other full-time defense operations.
Brett Hansen, an executive with Dell Security, confirmed this assessment.
“Cyber crime is making a lot of people rich. Because of that you’re going to find a lot of people who want to take a share of windfall,” he said. “It’s an opportunistic enterprise. Just as businessmen will look for low barriers to entry, so will cyber criminals.”
The attacks can come in a variety of forms, including ransomware, boss phishing (emails that trick employees into wiring money) or outright heists like the one that befell the New York tech company.
Cyber-as-a-service and the me-too problem
The prospect of staving off hackers who learned their trade on big banks is a daunting prospect for mid-size companies. Lacking the security sophistication of giants like JP Morgan (jpm), they appear to sitting ducks.
This situation is what is giving rise to the growth of “cyber-as-a-service” outfits like eSentire and Dell Security (dell), which provide advice and remote monitoring to companies outside the Fortune 500.
One solution, according to McArdle, is to “reduce the attack surface to something manageable” by using dedicated computers for sensitive transactions, and have someone monitor them for unusual activity.
This sort of approach may also be appealing to firms with smaller security budgets, especially given the huge number of vendors offering a bewildering array of cyber-security software.
According to a recent BTIG report, the saturation of the cyber market is such that there are literally hundreds of companies currently offering similar products. The report, called “Attack of the Clones,” warns investors and companies to beware of “me-too” vendors offering the “next magical cyber security solution.”
Stewart of Booz Allen, which is also expanding its security practice, says the “cyber-as-a-service” option for mid-tier service is likely here to stay, but also offered a word of caution.
“It’s viable but it’s not easy—managed security service is an emerging market, and some services are commoditized,” he said. “Where I see the whole thing heading is that there is going to be consolidation and service integrators will emerge.”
But no matter how things play out in the cyber-security industry, mid-size firms better explore their options. Before North Korea comes calling.