When it comes to cybersecurity, SMBs are even more vulnerable than enterprises, with fewer resources to combat internal and external threats.
In part 3 of our exploration of the state of cybersecurity (part 1 examined the basics of business security, including the core functions Identify, Protect, Detect, Respond, and Recover; part 2 addressed the growing and evolving threat environment), we find that the size of your organization doesn’t matter when it comes to risks. The ugly truth is that all organizations are vulnerable, particularly small and medium businesses, which do not offer the financial potential of larger organizations but also have neither the skills nor the resources of wealthier targets.
Small and midsize businesses are not just targets of cybercrime, "they are its principal target," stated Commissioner Luis A. Aguilar, US Securities and Exchange Commission. The majority of all targeted cyberattacks in 2014 (60 percent) were directed at SMBs, and it has been estimated that "half of the small businesses that suffer a cyberattack go out of business within six months as a result."
The latest research indicates that SMBs are more prone to – and less capable of dealing with – cyberattacks:
SMBs are a big part of the overall IT market: spending on IT products and services will grow from nearly $2.4 trillion in 2016 to more than $2.7 trillion in 2020, with the small office category (the 70-plus million small businesses with 1-9 employees) accounting for approximately 25 percent of all IT spending throughout the forecast period. Medium (100-499 employees) and large (500-999 employees) businesses will see the fastest growth in IT spending, each with a CAGR of 4.4 percent.
However, cybersecurity does not seem to play a big enough part in SMB IT budgets. According to the research, personnel, technologies and budgets are insufficient to maintain a strong security posture:
The lack of cybersecurity resources, especially skills, is significant:
"It is really hard for a one-man shop … to do security because you are expected to do all the other tasks around the office," said Peter Tsai, senior IT analyst at Spiceworks. Even in smaller companies, "security is almost a full-time job, and it is really hard to adequately protect your network if you do not have the right resources."
These findings would be alarming in themselves, but they represent only part of the problem. SMBs apparently believe they are much less vulnerable than the facts indicate:
However, the reality is that 60 percent of small businesses will close within six months of a cyberattack.
SMBs do not take the risks seriously, and do not practice safe computing:
This collection of facts and figures paints a dismal picture for cybersecurity, particularly for SMBs. They may offer a much smaller potential for financial gain, but with their scarce – or nonexistent – cybersecurity skills and resources, they are still highly vulnerable to external and internal threats.
But it's not all doom and gloom. There is a wide variety of cybersecurity products and services available to minimize risk and resolve breaches and other issues. Like many self-help programs, perhaps the first step is to recognize that your business is vulnerable, and that a proper mix of procedures, products and services can ensure the protection of your business.
Keep a clean machine: keep all workplace machines clean and protected from malware, viruses and infections.
Protect your information: secure your accounts by making passwords long, strong and unique.
Protect your company's online reputation: set security and privacy settings to your comfort level of sharing.
Educate your employees: teach your employees basic best practices, such as deleting an email, social network post, or text message that looks suspicious, even if you know the source.
The new Avast Cybersecurity Basics Training Quiz provides training on Data Security, Identity Management, and Social Media Security.