It's no secret that cyber attacks pose a massive threat to businesses of all types, and that combating the various forms of cyber threats is a tedious and complicated task. One of the greatest misconceptions though is that large enterprises absorb the vast majority of cyber attacks while small-to-medium businesses are able to fly under the radar and avoid the wrath of cyber criminals.
The prevalence of this thinking is backed up by statistics:
54% of small-medium size businesses (SMBs) believe their companies are too small to be ransomware targets.
Consistent with this mindset, 62% of SMBs lack the in-house skills to handle cyber security, and on average they spend less than $500 a year on cybersecurity products and services.
The underlying logic is not unreasonable: large corporations hold far more data, and that data is typically considered more valuable than a small business's. Successfully hijacking or disrupting a large business's network also has a much greater economic and societal effect, and large businesses have far more money to extort.
SMBs Are Under Constant Attack
Reality, however, paints a starker picture:
43% of all cyber attacks target small businesses, and this figure is rising each year.
Furthermore, 55% of small businesses involved in a 2016 study claimed they experienced a cyber attack in the last 12 months.
50% said they faced a breach involving customer and employee information.
The most common vectors were web-based attacks, phishing / social engineering, and malware, although every class of attack was well represented. The reason small businesses are targeted almost as frequently as their larger brethren is intuitive: large businesses are more valuable targets, but they have large security budgets and in-house professionals, while small businesses are easy targets because of their complacent attitude toward cyber security.
The associated costs of cyber attacks on small businesses are often crippling. One of the most commonly cited statistics regarding cyber security and small businesses is that 60% of SMBs affected by a cyber attack close down within 6 months. The cost comes from several sources: repairing the damage, customer backlash and abandonment, legal repercussions or litigation for security negligence, and outright inability to operate or fulfill business obligations. Canadian businesses pay a particularly high price: a 2018 report found that Canadian companies face both the highest average ransom cost ($8,764) and the highest cost of downtime per attack ($65,724).
Failures of a Traditional Approach
One consistent finding is that the greater your web presence, the greater your chances of being targeted by cyber criminals, so get a handle on your cyber-security before you expand that presence. In short, as large corporations have developed mature and robust cyber-security programs, it has become increasingly fruitful for attackers to target small businesses with little or no cyber-security consciousness. So how should a small business go about preventing a crippling security breach?
A commendable first instinct is to install good anti-virus software on all business machines, serve any internet-facing web platforms over HTTPS (TLS), password-protect all sensitive data and systems, and perhaps encrypt sensitive data such as customer login and payment information. However, if this is the extent of your cyber-security plan, you may be left woefully unprepared to handle a serious attack.
Anti-virus products are not all-encompassing defences and do not protect against every attack vector, and attackers constantly find new ways to evade them. Passwords can be obtained by social engineering or cracked by brute force, encryption standards become compromised and deprecated, and as your local network evolves and new devices are connected, oversights easily occur (case in point: in 2018, attackers reportedly stole 10GB of data from a Las Vegas casino after compromising a smart thermometer in a fish tank, a device nobody thought of as part of the attack surface).
For small-to-medium sized businesses, it is often wiser and more cost-effective to seek expert third-party guidance on cybersecurity, and to train all personnel in the cyber-security practices that apply to their duties, than to build a full cyber-security team or department. As with most aspects of business, agile principles should be applied to your cyber-security strategy, mainly in the form of the PDSA cycle (Plan > Do > Study > Adjust, repeated).
What Can You Do Right Now
With all that said, improving your business's cyber security posture may seem like a daunting task. Below are a few steps to get you started.
1. Perform a gap analysis to establish your current state, and a target for what your cyber security posture should be, with the help of (perhaps multiple) third-party consulting and advisory partners.
2. Plan how you will attain the desired security posture, setting tangible monthly or quarterly milestones.
3. Work to build or enact the desired state, with third-party expertise if needed.
4. Study the effectiveness of the attained posture by commissioning regular penetration tests and conducting threat and vulnerability analysis.
5. Adjust your target posture based on what was learned in the previous step, and repeat steps 2-5 periodically.
This cyclical, agile approach is essential because the cyber-security landscape evolves quickly and software and security standards that were once considered secure become compromised and obsolete at a high rate.
Cyber-security is the seatbelt of the business world: it may seem cumbersome and unnecessary in the course of day-to-day operations, but when the time comes it will mean the difference between the life and death of your organization. And the figures above suggest the odds that a given business suffers a cyber attack in a year are far higher than the odds that a given driver is in a serious crash.
Consultant, Cyber Risk