SMB cyber safety: De-risking catastrophic events

Massimo Rapparini 26 Apr 2023

Businesses need to build enough protective measures and mitigating controls to recover and emerge stronger from cyberattacks.

September 15, 2008: The bankruptcy of Lehman Brothers triggers a 4.5% one-day drop in the Dow Jones Industrial Average, then the largest decline since the attacks of September 11, 2001.  

Many of us recall this event as the climax of the subprime mortgage crisis. Such a rare occurrence is known as a fat-tail event; in other words, one with only a 0.3% chance of occurring under normal circumstances. The other characteristic of such events is that their consequences are often catastrophic, as happened with the banking system in 2008 and the ensuing global economic impact.

Now, consider the occurrence of cyberattacks and their impact on small/medium businesses (SMBs) given the following facts: 

  • There are over 400 million SMBs in the world

  • The majority of SMBs make less than $50,000 in annual revenue

  • In 2022, cybercrime attacks impacted 1,000+ per million internet users

  • Ransomware is globally the main attack type, costing a business an average of $1 million or more

If we do the math, it follows that there is less than a 0.1% chance of a catastrophic cyber event for SMBs, but the roughly 400,000 SMBs globally that happen to be the victims of such attacks each year are likely to go bankrupt and close up shop indefinitely. When thinking about it this way, these businesses experience a fat-tail event that they're unable to recover from. 

How can SMBs de-risk the occurrence of these events and the impact on their business?  

The answer to this question is simple: Businesses need to build enough protective measures and mitigating controls such that even if they were to be the unlucky 0.1% of the SMB population, they could recover and emerge stronger. To achieve this, an SMB can start by investing in “table stakes” technology to protect their devices, back up their data, and scan emails as well as web traffic to ensure access to sensitive information is restricted and monitored.

Although this may seem like common sense, a concerning statistic is that only two-thirds of SMBs seem to invest in the most basic form of protection (endpoint security like antivirus, anti-malware, and so on), while even fewer have adequate measures in place for web and email security. Overall, it is estimated that only around a third of SMBs have adequate cybersecurity protection.  

When it comes to estimating risk, security, and trade-offs, humans have been shown to be quite poor at judging likelihood and impact, and the same seems to hold true for SMBs. The obscure, intangible, and sometimes scary nature of cyber threats, coupled with the trade-offs between de-risking the existing business versus spending more on marketing for new business, are likely the reason that so few SMBs are adequately prepared for a catastrophic cyber event.

It’s the responsibility of the community of cyber experts and vendors of technology solutions to help educate SMBs and provide adequate cyber safety tools, such that when the fat-tail event comes knocking, more of those SMBs can feel confident about their survival rate.  

At Avast, we are committed to doing our part in de-risking cyber threats to SMBs. Find out more about how we can help you and your business by signing up for our free trial.
