In this News Insight, CSO Magazine discusses the elevated risks faced by SMBs when it comes to cybersecurity. —Samsung Insights editorial team
We live in a time when malicious cyber attacks happen every minute, every day, all over the world. Companies from the smallest startup to the largest organization suffer from cyber attacks. It’s not surprising, then, that cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, driven by ransomware and new attack methods.
However, not all companies are affected by malicious attacks in the same way. Did you know that small- to medium-size enterprises (SMEs) and small- to medium-size businesses (SMBs) face far greater threats, risks and challenges in combating cyber attacks? In fact, 60% of SMBs that were victims of cyber attacks did not recover and shut down within 6 months. Why? What are the main reasons SMEs and SMBs fail to recover after a major cyber attack? More importantly, what can they do to build a stronger defensive strategy?
1. Unable to afford crucial IT and IT staff
A robust IT department is critical for staying abreast of the latest security threats and implementing protections against them. However, to be truly protected, companies have to purchase multiple security systems to guard key entry points. For a company that allows BYOD and is connected to different cloud services, this means the IT department has to protect four main security components: the user identity, the device used, the network they’re connected to and the cloud services they’re using. This normally leads to purchasing at least four different security platforms.
The challenge is not only in deploying multiple security systems, but also in managing them and maintaining their daily operations. This demand also requires staffing. For SMEs and SMBs, sometimes the entire IT department is no bigger than 2-3 employees, whereas enterprise-level corporations’ budgets can afford whole IT departments staffed with large security teams. This disparity in staff and proper IT often leaves SMEs and SMBs exposed and a lot more vulnerable to cyber attacks and, worse, unable to recover when attacks do happen, because they lack the technology and staff to do so.
2. Inability to provide ongoing cybersecurity training
Ongoing security education and threat awareness also play a role in why SMEs are an easy target and later struggle after being hit by a cybersecurity attack. Keeping in mind that cyber protection is developing as fast as malicious attacks do, it is important that staff are continuously trained and updated on current threats and the different ways to mitigate or respond to them.
For smaller enterprises with limited resources, this is not always an option, as it requires sending staff to conferences, courses and other expensive educational training programs, which are simply not cost-effective for smaller businesses.
This lack of cybersecurity training leaves SMEs and SMBs vulnerable as they don’t know the kind of threats they are looking for ahead of time, how to respond to them when they do hit, and are often totally blindsided on how to fix them. Frequently this leaves SMEs and SMBs helpless in the face of complicated security breaches—especially after being hit by malware or ransomware. According to the National Cyber Security Alliance, 60% of hacked SMEs and SMBs go out of business, because they simply don’t know the way forward.
3. Ransomware is much more devastating for SMEs and SMBs
Ransomware is a huge security problem for any size company. According to a quarterly report, 64% of malicious emails sent in Q3 2017 used ransomware. But many attacks don’t have to be as notorious as WannaCry or NotPetya to take an entire company down. Ransomware was the fastest growing threat in cyber security in 2017. Most ransomware attacks don’t have a happy ending, at least for the victim, and typically end in favor of the attackers. For a big organization, that might be a hard blow to take, but it will still be a manageable one, while for an SMB or an SME, it will devastate any chance of getting back to regular operations.
While big companies have cyber insurance and the ability to pay the ransom, a small or medium-size company may not be covered by insurance and may have a much smaller war chest to draw upon. Such a financial blow could mean a massive hit to a mid-size company or a fatal one to a small one.
4. A bad reputation can’t be ignored in the age of the internet
Companies serving customers have a responsibility to keep them safe. Keeping private information secure is an expectation, and in some cases, the law. So when personal information is compromised, customers rightly feel violated and often seek financial restitution through the courts. For SMEs, costly breaches can not only break a company’s bank, but lead to a media storm of bad press. Ultimately, a company’s failure to protect customers’ private information can and will live forever in the annals of the internet, bruising a company indefinitely. The news can also lead to current customers leaving and potential ones going elsewhere.
While it’s true a dent in the company’s reputation is a hit for any size company, large organizations have more resources to handle a crisis. They often possess a large legal team to fight any battle in court, and PR firms to employ crisis communications. Small businesses are not always quite so lucky. Additionally, once hit with a security breach, many smaller operations lack the financial resources to hire a PR firm to handle the bad press, let alone employ a large legal team. Devoid of such resources, SMEs often succumb to bad press and can be bankrupted in court. Loss of private data could also lead to massive fines by authorities if HIPAA, CFPB, GDPR, or other regulations were breached in the attack. Such fines could be absorbed by a large company, but devastate a smaller organization.
What lies ahead for SMEs, SMBs and cyber security
SMEs and SMBs do have inherent advantages over larger companies. For example, their agility enables them to be flexible and adjust to changes quickly. They lack the red tape and complexities larger organizations have to overcome to get things done fast.
Keep in mind, an SME needs to seek solutions matching its size and needs, and not necessarily the same solutions used by a big organization. The fact that a Fortune 500 company chooses to work with a complex and expensive vendor doesn’t mean that vendor is the best fit for an SME. It might be the best for the large company, but not a good fit at all for a smaller operation. Smaller companies can crowdsource and be the first to use security collaboration tools, taking advantage of their cost-effectiveness.
Smaller companies with smaller IT teams can consider and use autonomous systems to help them not only detect but also mitigate security threats. The idea of a full protection solution doesn’t belong only to the top-tier companies and can be introduced and adopted by SMEs if they keep an open mind to the new wave of cyber security solutions emerging, and just in time, we might add.