Businesses are built on hope. A well-founded hope, but hope nonetheless. Hope that the product-market fit is right. Hope that under careful management and with nurtured growth, everything will work out.
Another essential aspect of business is risk, and successful entrepreneurs learn to factor in at least basic risk-reward calculations in their decisions early on. However, there is a pitfall: for a risk to be well-calculated, it needs to be known and understood by the decision-maker.
As the complexity of the enterprise increases in proportion to its success, the nature of business is such that no single person can be a master of every aspect of it. Due to this, decision-makers must rely on the subject matter expertise of one another to cover their "blind spots".
This is where misguided hope can take hold. It can be deceptively easy to downplay the risks with the "it'll never happen to me" attitude, but with many sharing such hopes, some are bound to be proven wrong. Looking at the numbers, 18.5% of small and medium-size businesses ("SMBs") experienced a damaging cyberattack in 2020. Moreover, one in three data breaches globally involved an SMB - typically a company with fewer than 250 employees and $20M in total assets.
This is no coincidence, as such organizations carry an explosive combination of assets just as sensitive as large enterprises, and a lack of tools, expertise and budgets to support a sophisticated $200,000/year SIEM, a $600,000 in-house security team, or a $130,000+ Cyber Incident Response program. As a result, a typical post-cyberattack loss for an average SMB is between $2M and $7.6M (at minimum, $1.3M in our experience), and many go out of business shortly after or face huge insurance premiums.
In our experience, there are two prevalent cybersecurity strategies when it comes to SMBs - both based on hope. The first is where a company does the bare minimum, such as conducting annual penetration tests. If the test reveals critical vulnerabilities, they are typically placed in a queue and addressed by the IT or application development team eventually. However, a penetration test is a point-in-time assessment of a limited scope, and no test can guarantee that every possible entry point was discovered and exploited. Furthermore, combining an annual testing schedule with a rapidly changing digital infrastructure (2020 saw a particularly major shift, driven by the pandemic) means that vulnerabilities introduced between tests can go undiscovered for up to 12 months.
The second strategy is signing up a Managed Security Services (MSS) partner to largely outsource security operations. While this can be a somewhat viable approach, it does come with a few caveats. First, not all MSS providers are created equal. Review your contract and pay particular attention to the "Response" part of things - if your MSS partner's responsibility ends with informing you when an attack is detected, and your internal IT team is not prepared to contain and remediate it, your cyber Incident Response approach has no teeth. Second, if your infrastructure is extremely vulnerable to attacks, even the best MSS or SOC-as-a-Service will eventually miss one: detection is no substitute for reducing the attack surface in the first place.
Neither strategy is even close to being considered comprehensive, and both regular penetration tests and well-rounded managed services should be considered only a part of your holistic cyber risk mitigation approach. Interestingly, in the current job market, even both combined will typically cost less than a mid-level cybersecurity analyst hire. Still, how can an SMB balance the need to respond to emerging cyber threats with less-than-generous cybersecurity budgets? Stay tuned as we explore this topic in a series of posts to follow.