When it comes to cybersecurity, SMBs are even more vulnerable than enterprises, with fewer resources to combat internal and external threats.
In part 3 of our exploration of the state of cybersecurity (part 1 examined the basics of business security, including the core functions Identify, Protect, Detect, Respond, and Recover; part 2 addressed the growing and evolving threat environment), we find that the size of your organization doesn’t matter when it comes to risk. The ugly truth is that all organizations are vulnerable, particularly small and medium businesses: they offer attackers less financial potential than larger organizations, but they also have neither the skills nor the resources of those wealthier targets.
Small and midsize businesses are not just targets of cybercrime, "they are its principal target," stated Commissioner Luis A. Aguilar, US Securities and Exchange Commission. The majority of all targeted cyberattacks in 2014 (60 percent) were directed at SMBs, and it has been estimated that "half of the small businesses that suffer a cyberattack go out of business within six months as a result."
The latest research indicates that SMBs are more prone to – and less capable of dealing with – cyberattacks:
- 50 percent of respondents (businesses with between 100 and 1,000 employees) reported that they had data breaches involving customer and employee information in the last 12 months
- 75 percent reported that exploits have evaded their anti-virus solutions
- 59 percent say they have no visibility into employees' password practices and hygiene
- 65 percent do not strictly enforce their documented password policies.
"Negligent employees or contractors and third parties caused most data breaches," according to the report. "However, almost one-third of companies in this research could not determine the root cause."
SMBs are a big part of the overall IT market: spending on IT products and services will grow from nearly $2.4 trillion in 2016 to more than $2.7 trillion in 2020, with the small office category (the 70-plus million small businesses with 1-9 employees) accounting for approximately 25 percent of all IT spending throughout the forecast period. Medium (100-499 employees) and large (500-999 employees) businesses will see the fastest growth in IT spending, each with a CAGR of 4.4 percent.
However, cybersecurity does not seem to play a big enough part in SMB IT budgets. According to the research, personnel, technologies and budgets are insufficient to maintain a strong security posture:
- 67 percent insufficient personnel
- 54 percent insufficient budgets
- 44 percent insufficient enabling security technologies
The lack of cybersecurity resources, especially skills, is significant:
- 59 percent of businesses with fewer than 500 employees had no access to a security expert, whether internally or through a third-party contractor or managed security provider
- 66 percent have no training or certification in security.
"It is really hard for a one-man shop … to do security because you are expected to do all the other tasks around the office," said Peter Tsai, senior IT analyst at Spiceworks. Even in smaller companies, "security is almost a full-time job, and it is really hard to adequately protect your network if you do not have the right resources."
These findings would be alarming in themselves, but they represent only part of the problem. SMBs apparently believe they are much less vulnerable than the facts indicate:
- 77 percent say their company is safe from cyber threats such as hackers, viruses, malware or a cybersecurity breach;
- 66 percent say they are not concerned about external threats (like a hacker or cybercriminal stealing data) or an internal threat (like an employee, ex-employee or contractor/consultant stealing data);
- 47 percent believe a data breach incident would have no impact on their business and it would be treated as an isolated incident; and,
- 18 percent say they would not know if their computer network was compromised.
However, the reality is that 60 percent of small businesses will close within six months of a cyberattack.
SMBs do not take the risks seriously, and do not practice safe computing:
- 87 percent do not have a formal written Internet security policy for employees;
- 69 percent do not have an informal Internet security policy for employees;
- 59 percent do not have a contingency plan outlining procedures for responding and reporting data breach losses;
- 75 percent do not have policies for employee social media use on the job, while 23 percent have established policies; and,
- 60 percent do not have a privacy policy that employees must comply with when they handle customer or employee information.
Summary
This collection of facts and figures paints a dismal picture for cybersecurity, particularly for SMBs. They may offer a much smaller potential for financial gain, but with their scarce – or nonexistent – cybersecurity skills and resources, they are still highly vulnerable to external and internal threats.
But it's not all doom and gloom. There are a wide variety of cybersecurity products and services available to minimize risk and resolve breaches and other issues. Like many self-help programs, perhaps the first step is to recognize that your business is vulnerable, and that a proper mix of procedures, products and services can ensure the protection of your business.
How to protect yourself
Keep a clean machine: keep all workplace machines clean and protected from malware, viruses and infections.
Protect your information: secure your accounts by making passwords long, strong and unique.
Protect your company's online reputation: set security and privacy settings to your comfort level of sharing.
Educate your employees: teach your employees basic best practices, such as: if an email, social network post, or text message looks suspicious, delete it, even if you know the source.
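The "long, strong and unique" advice above is easy to state and, as the 65 percent figure on unenforced password policies shows, hard to keep honest without a mechanical check. The following is an added example, not code from the original article, of how a small shop could enforce such a policy at password-change time. It assumes a 12-character minimum, a constructed deny-list standing in for a real breached-password corpus, and a per-account history of salted PBKDF2 hashes used to refuse reuse; all names and values are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample deny-list; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}
MIN_LENGTH = 12            # assumed policy minimum, not a value from the article
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-password salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """True if the password matches any (salt, digest) pair stored for this account.

    Only hashes are kept, so old passwords are never stored in the clear; the
    candidate is re-derived with each stored salt and compared in constant time.
    """
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, username, history):
    """Return the list of policy violations; an empty list means the password is accepted.

    Checks run in a fixed order so results are predictable: length ("long"),
    deny-list and account name ("strong"), then reuse ("unique").
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if username.lower() in password.lower():
        problems.append("contains account name")
    if was_used_before(password, history):
        problems.append("reused password")
    return problems


def rotate_password(password, username, history):
    """Apply the policy and, if accepted, record the new hash so it cannot be reused later."""
    problems = check_password(password, username, history)
    if not problems:
        history.append(hash_password(password))
    return problems


if __name__ == "__main__":
    # Constructed walkthrough: a weak choice, a good one, then an attempt to reuse it.
    history = []
    for attempt in ("password", "correct-horse-battery-7", "correct-horse-battery-7"):
        result = rotate_password(attempt, "alice", history)
        print(f"{attempt!r}: {', '.join(result) if result else 'accepted'}")
```

The history list is the piece most small shops skip: without it, "unique" is unenforceable, and a user can cycle back to a password that has already leaked. Keeping only salted hashes means the history itself is not a second copy of the secrets.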