It’s no longer just the big guys who are in the crosshairs of the modern cyber sharpshooter. In fact, small and medium-sized businesses (SMBs), typically companies with fewer than 250 employees, are seeing record levels of malicious cyber activity with no signs of slowing down. This poses significant risk and threatens to put more than half of SMBs out of business.
Consider some leading headlines released on the topic. CNBC recently reported that 66% of small companies have had a data breach in the last 12 months. App River shared that the average cost of a data breach for a small company is $149,000, and a National Institute of Standards and Technology (NIST) study found that 88% of small business owners believe their business is vulnerable to a cyber attack.
Why is this Shift Occurring?
There are many good reasons why this trend is occurring, and some powerful lessons that SMB leadership can benefit from.
- SMBs ARE EASY TARGETS – SMBs are sitting ducks. Most are slow to adopt cybersecurity practices, are extremely vulnerable to the simplest of attacks, and may never detect an intrusion. Without basic cybersecurity awareness training or any level of defense, it’s relatively easy to breach a soft perimeter and find low-hanging fruit. This most often arrives in the form of phishing attacks and business email compromise. According to a recent CYREBRO analysis, over 80% of phishing attacks in the last year were targeted at SMBs. Even small improvements to an SMB’s security defenses can quickly send a bad actor in another direction, so SMBs must adopt foundational practices to discourage them.
- MORE RESOURCES & COSTS – Many cybersecurity solutions today are not positioned for SMBs. They can be complex, costly, and require trained cybersecurity teams to implement. Their messaging is often rich in jargon and poor in plainspoken business terminology, which limits their relevance to SMBs. Also, many SMBs outsource IT (to providers not always skilled in cybersecurity), lack in-house expertise, and have neither a CISO nor security solutions in place. Most avoid the enormous salaries and expenses these resources represent. For SMBs to adopt cybersecurity, it must move from a massive cost center to something far more pragmatic.
- COMPLACENCY – It’s quite common for cybersecurity professionals to run into SMBs that do not yet believe there is a particular risk to their business, despite all evidence to the contrary. A common perception is “I haven’t been hacked before, so why worry now?” Another is the belief that sound practices are a distraction from core business, or may cause people to miss emails, and that cybersecurity is something they just can’t be bothered with. Unfortunately, many companies learn the hard way that there’s nothing more distracting than being put out of business by a malicious cyber event.
- MYTHOLOGY – Organizations everywhere believe in well-known myths to justify their inaction. Their leaders may be surrounded by yes-men who reinforce these beliefs. Some of the most common may sound familiar: “We use cloud-based tools and the data is all stored by our vendors, so we don’t really have any cyber risks.” “Our business is not a target for cybercriminals, so we’re good.” It can be difficult to overcome a belief in these myths, and sometimes data discovery tools can help do so by showing leaders what data they actually hold.
- OVERCONFIDENCE – It’s not uncommon for SMB leaders to believe that some very simple measures render them safe from cyber chaos. When dealing with them, we often hear outrageous statements that highlight this. These include “we all use complex passwords to ensure we never have an incident” or “we use a SPAM filter and antivirus, so we’re all set.” Recently, an executive told us that he “had used the same 20-character password on everything for 12 years, so nobody is going to breach that.” Among these people, the basics of foundational cybersecurity, multiple lines of defense, and the dangers of password reuse fall on deaf ears. Many believe that they’ve got very smart people who simply “don’t fall for anything,” and fail to appreciate the sophistication of the bad actors out there.
- SOFT COMPLIANCE – Although more regulatory bodies are emerging, there remains little enforcement of cybersecurity compliance obligations in the US. This needs to change if regulators expect results. When Europe adopted GDPR, one of the early violations cited was against Google, which was met with a $57M fine by the French data protection authority, which even published the news of the violation in English, something quite uncommon. They clearly meant business, and have since issued several multimillion-dollar fines. China recently experienced a data hack affecting over 1 billion residents whose data hit the dark web as a result, and industry professionals expect to see tighter controls enforced by China’s Ministry of Public Security. As federal, state, and municipal data protection regulations become more common in the United States, enforcement will become an issue of growing importance. Several industries, such as insurance, are also seeing specific requirements that put greater emphasis on data protection. The NAIC Data Security Model has already been adopted by 18 states, and is gaining momentum.
What SMBs Should Do First
If you’re guilty of one or more of these things, your risks may extend well beyond the cybersecurity incident itself. With record M&A activity in many industries, poor cyber hygiene and a relative unawareness of risk may lower valuations and increase litigation. Insurers are seeing more attention paid to Directors & Officers (D&O) coverage when protecting SMBs against this risk.
The best first step for SMBs that have been overlooking cybersecurity risk is to prioritize discovery. There are many organizations that can help businesses objectively understand their vulnerabilities and make corrective recommendations. Seek out professionals or vendors who are focused on the SMB space, who can quickly diagnose risk pragmatically, without overwhelming you with jargon and volumes of data. Ask for recommendations of easy-to-implement solutions that are practical and affordable. This new paradigm of SMB cyber risk is proving extremely profitable for bad actors, and is not going away any time soon.