For many businesses, dealing with a cybersecurity incident can be a challenging endeavor, especially since it involves financial and reputational damage. While this applies to all organizations, it is especially true for small and midsize businesses (SMBs). In fact, cybercrime has become a large concern for the business sector, with a 2019 survey revealing that 58% of executives find data breaches a more significant concern than incidents like fires, floods, or even break-ins.
Small businesses and midsize/midmarket companies tend to be attractive to cybercriminals.
They are perceived as “easy” targets that lack the capability and resources to both prevent attacks and deal with the aftermath.
Greater impact, fewer resources to recover from an attack
The impact of a cyberattack can be devastating for small and midsize companies. These businesses are vulnerable to having their whole operations disrupted by an attack, and they could take a long time to recover — or even worse, never recover at all.
The financial cost can be staggering. According to Cisco’s 2018 SMB Cybersecurity Report, data breaches — one of the most common threats faced by businesses — cost 20% of affected midmarket companies at least US$1 million. Furthermore, 40% of these companies suffered 8 hours or more of system downtime due to security issues. Those 8 hours represent roughly a full working day for one employee and lost productivity and opportunities for the affected business due to disruption of operations. It’s no wonder that many midmarket companies are starting to focus more on cybersecurity, yet only 56% of security alerts are investigated for signs of suspicious activity.
Midmarket companies, in particular, could be targeted more, as they have more valuable assets than small businesses but fewer IT security resources than enterprises. A survey conducted by Osterman Research revealed that midmarket organizations not only received more phishing emails than small companies did — they even ranked ahead of large enterprises. In fact, the bigger the company, the less is spent per employee for cybersecurity — mostly owing to economies of scale. It isn’t just businesses that are targeted by threat actors either; even non-profit organizations like churches can feel the heat of cybercrime, as what a U.S.-based church found after losing almost US$2 million to a phishing scheme.
There are also repercussions beyond financial losses. Many small and midsize companies have business dealings with larger organizations. Therefore, any security incident can have far-reaching effects on clients and partners.
Primary cyber risks
The Trend Micro 2018 Cyber Risk Index shows that on average, small and medium-sized organizations are at greater risk of the following than their larger counterparts are.
- Cyber risks. These are risks that involve external threats, including attacks that use malware like ransomware, cryptocurrency miners, and botnets.
- Data Risks. These are risks that involve the loss of critical and often confidential data such as customer information and trade secrets. Small and midmarket organizations that handle outsourced data-related work of large organizations are particularly vulnerable to data breaches.
- Human capital risks. These are the risks that emerge either due to a lack of trained IT security personnel or because of a lack of cybersecurity education given to the company’s employees.
- Infrastructure risks. These are the risks that are the result of uncertainty on how to secure properly technologies such as cloud services, internet of things (IoT) devices, as well as server environments.
- Operational risks. These are risks that involve financial damage, disruption of operations, and loss of intellectual property, are often the result of flaws in security infrastructure.
Challenges and limitations
While all companies — regardless of size — mostly face the same types of risks, SMBs are more susceptible to them due to a combination of factors, most of which involve a lack of resources combined with a lack of focus on cybersecurity issues. Many organizations often rely on self-research for threat information.
The lack of skilled employees is further exacerbated by the sheer amount of information organizations have to deal with on a daily basis. It might pose less of a problem to larger companies that have a fully equipped IT department or a dedicated security team that can handle the different parts of the IT infrastructure. For businesses with small IT teams that do everything, from hardware installation to software updates to network maintenance, the prospect of having to sift through mountains of data to find that one real red alert from a myriad of grey ones might seem incredibly daunting.
Small and midmarket companies have to take on considerable risks and challenges as well as serious consequences in the case of a successful cyberattack. It is vital that they have equip themselves with the correct measures to protect their businesses against threats. Employee empowerment and the right security solutions can firm up a small business’ security posture. They can also consider prospects of third-party managed security that is well equipped to deal with various threats.
Copyright © 2023 SCORE Association, SCORE.org
Funded, in part, through a Cooperative Agreement with the U.S. Small Business Administration. All opinions, and/or recommendations expressed herein are those of the author(s) and do not necessarily reflect the views of the SBA.