How small businesses can overcome evolving cybersecurity challenges
Small businesses are the backbone of the UK economy, but they are also a favourite target for cybercriminals, who often view them as easy prey.
There isn’t a week that goes by without a major data breach making the headlines. But what’s misleading about only paying attention to the incidents that we read in the news is the fact that they usually pertain to large businesses. This has led many small business leaders to assume that they aren’t worthy enough targets for cybercriminals; that they simply don’t have enough valuable data for them to be attractive to malicious actors.
In reality, nothing could be further from the truth. According to Accenture’s Ninth Annual Cost of Cybercrime study, 43% of breaches occur in small- to medium-sized businesses. This may have something to do with the fact that only 14% of SMBs are willing to invest in the technology and expertise required to adequately protect themselves. The truth is that every business has something of value, and cybercriminals often view SMBs as easier targets.
Understanding the true cost of a data breach
Every year, IBM publishes its industry-leading Cost of a Data Breach Report. The most recent one, published last year, found that the average cost of a data breach had increased by 10% over the previous year, with the healthcare sector experiencing the highest costs. Just a single stolen record containing personally identifiable information (PII) costs an average of US$180, and even ‘small’ breaches typically involve the theft of many thousands of records.
While these figures paint a dire picture for small businesses, which might not have the funds needed to recover from a data breach, it is even harder to quantify the true and lasting cost of an incident. If you fail to protect your business from a ransomware threat, for example, the cost of remediation can go far beyond the cost of recovering your data. Reputational damage, which comes as a result of failing to protect customer data or uphold the level of service your customers expect, is much more difficult to put a number on. In the worst-case scenarios, businesses may also face legal action, should any data breach or other security incident be found to be a result of a failure to meet regulatory standards.
Often, the immediate costs of a security incident, namely those associated with remediation, are just the tip of the iceberg. The costs of reputational damage can ripple across the months and years. For example, if customers primarily engage with your business via online channels, yet your systems run into extended periods of unscheduled downtime in the wake of an attack, it won’t be long before they start looking to competitors. In the era of instant gratification, even a relatively minor disruption can result in you losing your competitive edge.
What are the threats facing small businesses?
Even at the risk of sounding alarmist, it’s safe to say that the information security threats facing small businesses are both enormous and extremely varied. From small cybercrime syndicates operating off the dark web to highly sophisticated state-sponsored attacks, threat actors target any and every business, regardless of size or industry. Because small businesses are often part of far larger supply chains, attackers may target them as a way of reaching a broader range of victims.
The UK’s National Cyber Security Centre (NCSC), which gathers cybersecurity insights from a range of authoritative sources, reported that phishing attacks dominated the small business threat landscape in 2021 and continue to do so. In fact, a staggering 91% of UK companies experienced one or more successful email-based social engineering attacks last year, with 84% of those involving ransomware. Moreover, 60% of ransomware victims ended up paying a ransom to regain access to their encrypted data. In other words, they felt they had been left with no choice but to fund cybercrime, which is exactly where ransom payments inevitably end up.
The proliferation of social engineering makes clear the human element in cybersecurity. Many employees still view cybersecurity as a technical problem and, therefore, the responsibility of the IT department. The truth is that anyone who uses a computer for work is a potential target, and the more sophisticated cybercriminals tend to deliberately target those who are most vulnerable.
Social engineering is the primary attack vector for criminals intent on spreading ransomware and other forms of malware. The simple reason for this is that it is far easier to exploit human ignorance and unpreparedness than it is to hack through modern firewalls, encryption, and the other measures that have long been standard for protecting sensitive data. In most cases, all an attacker needs to do is dupe their victims into downloading a malicious email attachment or clicking a malicious link. That requires no technical expertise at all, which is why it is incorrect to assume that most threats come from actual ‘hackers’. That said, the most sophisticated and dangerous threats against businesses tend to combine advanced hacking skills with social engineering.
The threat landscape has further evolved in the era of remote work, where employees expect to be able to work from home or on the move. Technologies like cloud computing have enabled this massive transformation in the way we work, but they have also done away with the notion of a secure perimeter. In the old days, by contrast, all workplace applications and data were hosted internally and on-premises, accessed only via machines in the office. Today, however, employees are accustomed to accessing work apps and data from any device in any location.
Despite the undeniable cost, productivity, and morale benefits of hybrid work, it does introduce some unique security threats and challenges. For example, having employees access work apps and data over an unsecured WiFi connection outside the office can leave them exposed to man-in-the-middle attacks, such as wireless network eavesdropping. Fortunately, with the right technology combined with comprehensive security awareness training, it is easy enough to mitigate such threats.
What can you do to protect your organisation?
Small businesses with just a few dozen employees cannot reasonably be expected to maintain their own full-time IT departments and deploy all necessary protective measures themselves. That said, maintaining adequate security hygiene requires 24/7 monitoring and protection, not to mention the fastest possible response times should an incident be detected. This requires the optimal blend of people, process, and technology (PPT) and, with the right approach, it is possible for small businesses to protect themselves every bit as well as large enterprises with their own dedicated cybersecurity teams can.
Insofar as people are concerned, it is vital that small business leaders remember that the human element is the weakest link in cybersecurity. Overcoming this requires a combination of regular security awareness training and a top-down, leadership-driven approach that instils a culture of cybersecurity hygiene. Of course, having people with the necessary technical expertise is also critical. This might be difficult for a typical small business to achieve in-house, however, because full-time chief information security officers (CISOs) often command six-figure salaries. Fortunately, there is the much cheaper and more practical option of hiring expertise on demand in the form of an IT and security consulting service.
Processes are the next key ingredient in implementing an effective cybersecurity strategy. The processes should be clearly defined, repeatable steps designed to fulfil a specific function. For example, you will need established processes for identifying and classifying sensitive data, reporting incidents, assessing risks, and collecting data. Your security processes must align with your business goals and priorities, as well as your legal and regulatory commitments and the commitments you have to your customers. To ease the burden on their in-house teams, many small businesses outsource their security processes to managed services providers.
Technology is the third and final ingredient in a cybersecurity strategy. This refers to the tools implemented to augment the capabilities of your employees and automate the processes they rely on to uphold the demands of cybersecurity. Common examples of security technologies include firewalls, encryption, multifactor authentication, and antivirus software. These tools must be applied throughout your technology environment to eliminate single points of failure and help business leaders ensure they always have complete visibility into where their assets are and which controls are in place to safeguard them.
When it comes to having an effective way to protect your data against rising cyber threats, it is vital that you have all three pillars working together. After all, technology alone is useless if people don’t know how or are unwilling to use it. However, with a strategic approach that blends together all three, you’ll be better positioned to protect your business, your employees, and your customers. In this day and age, that’s priceless.
Join IT makes sure you’re covered in terms of cybersecurity and retaining full control and visibility over your mission-critical digital assets. We serve as an extension of your team to offer an approach that is truly personalised to the unique needs of your business. Contact us today to discuss your technology strategy.