Cyberattacks, many have noted, are the fastest growing economic crime not only in the United States, but also around the world. This upward trend has been observed since 2014, according to PricewaterhouseCoopers (PwC), and won’t likely be slowing down anytime soon.
Cyberattacks—much like the advancement of technology, the interweaving of digital lives among familiars and strangers via social networks, and the broadening adoption of the Internet—are here to stay.
As much as the Internet has changed individual lives on the planet—for better or for worse—it's changed the way people do business even more. The current reality is that a business is not much of a business if it’s not online. Even local small businesses, such as restaurants, home renovation companies, or dance studios, require some kind of Internet presence to flourish.
However, stepping into the online realm as a business is, in itself, a double-edged sword. While the visibility the Internet affords entrepreneurs almost guarantees growth, on the flip side, organizations also put themselves at risk of Internet-borne threats. Online retailers may run afoul of web skimming tactics. Online publishers and bloggers using content management systems can be hacked, or their advertisements poisoned via malvertising. Even simply opening emails can put an enterprise at risk.
Organizations of all sizes must understand that in today's world, cyberattacks are an inevitability.
Unfortunately, a majority of small- to medium-sized businesses (SMBs) are unprepared for any form of digital assault, much less aware of its inevitability. In the end, some affected organizations emerge from an attack with such excessive losses that they are put out of business—permanently.
So exactly how unprepared are SMBs for an eventual cyberattack? To help paint a picture of their current cybersecurity posture, we gathered a few noteworthy statistics. Suffice to say, they aren't good.
Cybersecurity posture of SMBs
We took a look at several factors impacting SMB cybersecurity, from rate of incidents and staff shortages to costs shouldered after an attack. Here's how they pan out:
Non-enterprise businesses reported more cyber incidents in 2019 compared to the previous year, according to the Hiscox Cyber Readiness Report.
- For small businesses reporting one or more cyber incidents, the proportion has increased from 33 percent of respondents to 47 percent.
- For medium-sized businesses, the increase is even greater, moving from 36 percent in 2018 to 63 percent in 2019.
- Verizon’s 2019 Data Breach Investigations Report found that 43 percent of all breach victims were small businesses.
Lack of resources
SMBs typically have fewer resources for cybersecurity protection, whether that's a smaller budget for software solutions or overtaxed or undertrained IT staff. This can result in negligence that ultimately leads to a breach.
- On average, an SMB can face up to 5,000 security alerts per day, yet only 55.6 percent of them investigate these alerts, according to Cisco.
- According to the Keeper Security-Ponemon Institute report, 6 out of 10 SMBs report that attacks against them are more targeted, sophisticated, and damaging; yet 47 percent of them have no idea how to protect their companies from cyberattack.
- 52 percent of SMBs claim they don’t have an in-house IT professional on staff, according to Untangle's 2019 SMB IT Security Report.
- Untangle also found that 48 percent of organizations claim that limited budget is one of a handful of barriers they face when it comes to IT security.
Cost of an attack
- SMBs shoulder a heftier cost relative to their size compared to larger organizations, per IBM’s Cost of a Data Breach Report.
- Organizations with a headcount between 500 and 1,000 shelled out an average of US$2.65 million in total data breach costs.
- The total cost for organizations with more than 25,000 employees averaged $204 per employee, whereas organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.
Interestingly, two independently published reports, namely Cisco’s Small and Mighty special report on small and mid-market businesses and Keeper Security and the Ponemon Institute’s State of Cybersecurity in Small & Medium Size Businesses, reflected a similar range of costs.
In the same Small and Mighty report, Cisco also reveals that SMBs are more likely to give in to paying threat actors their ransom demands as they cannot operate without access to critical data and cannot afford the usual 8+ hours of downtime.
Top SMB threats and ways to fight them
Does this mean SMBs should stay away from the Internet? Clearly, that's not the answer. However, if organizations large and small don't take steps to secure their businesses against cyberattacks, they're not only putting themselves at risk for profit loss, but may be stunting global economic growth. According to Accenture, a trusted digital economy could stimulate an additional 2.8 percent growth in organizations over the next five years, translating into $5.2 trillion in value creation opportunities for society as a whole.
Yet SMBs face sophisticated cyberattack methods with far fewer resources than large enterprise organizations to fight them. We list a few of the top SMB threats below, as well as our recommendations for the best ways to combat them—keeping in mind budget and staff constraints.
When it comes to online threats, malicious attacks by cybercriminals via malware still rank as the top challenge for SMBs in several reports. In most cases, not only is malware difficult to detect, but it's also costly to remediate and mitigate. Whatever the threat is, let’s not forget that potential threat actors are motivated toward financial gain via extortion, coercion, fraud, or stealing sensitive and classified information that can be sold to the highest bidder.
In 2019, SMBs have been especially impacted by ransomware and Trojans, such as Emotet and TrickBot, according to our product telemetry.
Recommendations: To address the challenge of sophisticated malware attacks, SMBs should first and foremost create a backup plan so that they won't lose critical data in the event of a ransomware attack. Data can be safely stored to the cloud and accessed anywhere, should machines be frozen out in an attack. In addition, purchasing a budget-friendly endpoint protection solution that blocks sophisticated attacks can help carry some of the load in place of a highly trained IT staff.
Based on Accenture’s The Cost of Cybercrime report, web-based attacks are among the top reasons why businesses lose revenue. Such attacks normally make use of an Internet browser and an SMB’s official website as the attack launchpad to perform criminal acts, such as accessing and stealing confidential client information or compromising the site to make it infect visitors. Examples of web-based attacks are cross-site scripting (XSS), drive-by downloads, and SQL injection (SQLi).
Recommendations: The majority of web-based attacks start off when threat actors attempt to manipulate or tamper with a website’s functionality using code as input to entry fields. Preventing such code from rendering is a general security measure that SMBs could begin adopting. This way, businesses can have better control over the types of user input their websites accept and render when someone interacts with them.
For SMBs, mitigating web-based attacks and threats may involve inviting a security professional to audit their website’s code for potential gaps that miscreants can exploit, and advising on how best to address them. While we’re on the subject of coding, SMBs such as app developers or others with programming staff will want to make it a priority to train on how to code well with security in mind.
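The recommendation above, controlling what input a site accepts and keeping submitted code from rendering or executing, can be shown in a few lines. This is an added example, not code from the original article; the `clients` table, the name pattern, and all sample values are constructed for illustration.

```python
import html
import re
import sqlite3

# Assumed allow-list for a hypothetical "name" field: letters, spaces, hyphens, apostrophes.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")

def valid_name(value):
    """Accept only what the field is meant to hold; reject everything else."""
    return NAME_RE.fullmatch(value) is not None

def render_comment(author, text):
    """Encode user input on output so the browser displays markup as plain text."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(text))

def make_db():
    """In-memory database with two constructed client rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (name TEXT, email TEXT)")
    db.executemany("INSERT INTO clients VALUES (?, ?)",
                   [("Ana", "ana@example.com"), ("Ben", "ben@example.com")])
    return db

def lookup_concat(db, name):
    """Risky pattern: the input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT email FROM clients WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    return db.execute("SELECT email FROM clients WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed sample of code submitted as input
    print("allow-list accepts it:", valid_name(hostile))
    print("concatenated query   :", lookup_concat(db, hostile))
    print("parameterized query  :", lookup_param(db, hostile))
    print(render_comment("Ana", "<script>alert(1)</script>"))
```

Validation, parameterized queries, and output encoding cover different gaps: a legitimate name such as O'Neil passes the allow-list yet still breaks the concatenated query, which is why the bound parameter is needed as well.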
Distributed denial of service (DDoS) attacks
DDoS attacks often result in extended downtime for business websites, and that's never good for the targeted organization. This means clients are denied access to the site, which stops them from transacting with the business, and the business loses precious opportunity, money, and productivity.
Recommendations: Perhaps the easiest way a business can thwart DDoS attacks is to use the services of a good content delivery network (CDN). However, prevention can also be done in-house without breaking the bank. Expect a DDoS to happen in the future and plan ahead for it. Establish workplace protocols on what to do in the event of a DDoS attack on your company’s website. If you can, include in the planning phase what, how, and when you would communicate with your clients about a website outage caused by this attack.
Phishing and social engineering attacks
A whopping 85 percent of organizations experience this type of attack, especially now that the top threats to businesses, Emotet, TrickBot, and various ransomware families, are often delivered via phishing email. With fraudsters and social engineers getting wilier, their tactics are getting more sophisticated and polished. And we can expect this to increase unless businesses start taking these threats seriously.
Recommendations: Train all members of staff. There are some simple methods you can use to help employees identify phishing emails vs. legitimate ones. Many examples of phishing emails and current scams exist online. Make cybersecurity awareness a top priority. Step it up by creating an intentional culture of security within the company.
Dangers posed by current and former employees with malicious intent will always loom over SMB executives. However, insider threats are not just limited to the obvious. Often, it’s staff who are negligent or inattentive, or who abuse their privileges, that become accidental insiders and trigger a data breach.
Recommendations: The topic of insider threats must be included in every cybersecurity training staff undergoes. Doing so likely decreases the number of accidental insiders, but it does not address the deliberately lax or professional insiders. In this case, implementing controls can further minimize insider threat incidents.
Whether remote workers like it or not, they are a risk to their organizations. Sadly, many organizations are unaware of this, and they do not realize the magnitude of the risk remote workers pose to company assets, including intellectual property, as well as customer, staff, and vendor information. As such, they fail to conform to best practices set by the US Small Business Administration, and they fail to implement the most basic of cybersecurity measures.
Recommendations: Education and policies, once again, play a role in securing an SMB’s remote workers.
Long term effects of cyberattacks
Many from the outside looking in may assume that once organizations are back up and running after a data breach, apart from a few hiccups, business will continue as normal. Nothing could be further from the truth.
Depending on how much damage a data breach has caused a business in total, it may take a while for it to regain what it lost and become profitable again. Sometimes, SMBs feel the consequences of a breach for years. This includes damage to the business’s reputation and loss of trust from current and potential clients.
The best course of action SMBs can take after a cyberattack is to learn from their experience by improving their overall cybersecurity posture and state of cyber readiness going forward. Make cybersecurity and privacy a priority. Create multiple backups of your most sensitive data. Regularly monitor and conduct risk assessments. Educate workers. Lastly, make sure that all devices connecting to your network are properly configured and protected with anti-malware software and strong encryption protocols.