It cannot be stressed too often that while cyber attacks on major companies get headlines it is the small and medium businesses (SMBs) that are most at risk. SMBs are vulnerable for many reasons:
- Lack of sufficient security in place, including insufficient training.
- Lack of trained IT personnel.
- Personal and confidential information including customer data with insufficient protection.
- Connection to supply chain of major company providing hackers with access (think Target breach).
- Lack of third party backup, vulnerable to ransomware.
According to the 2018 Micro Cyber Risk Index, SMBs are more at risk than larger companies for
- External threats of malware including ransomware, cryptocurrency mining and botnets.
- Lack of IT and/or cybersecurity personnel, insufficient employee training.
- Threats to critical data, including data outsourced from larger organizations.
- Operational risks of financial damage, loss of intellectual property, business interruption.
- Insecure infrastructure including cloud services, Internet of Things, and servers (I would add personal devices).
Some statistics:
- According to cybersecurity form 4iQ, small business data breaches increased by 425% in 2019.
- Verizon's data breach report showed 43% of all breaches took place in SMBs.
- 83% of SMBs do not have the funds to deal with a cyber attack aftermath, according to an InsuranceBee survey of 1,300 owners. Only 17% have considered the legal and reputational damage.
- According to the 2018 "State of Cybersecurity in Medium and Small Size Business" report, the average cost of a cyber attack is $3 million of which $1.56 million is downtime. A Cisco study of midmarket companies with 250-500 employees showed 40% of them experienced over 8 hours of downtime from security breaches in 2018.
- 1 out of 323 emails to small businesses are malicious (phishing, malware, spam) according to a 2019 Symantec study.
- 70% of SMEs don't have a complete inventory of third parties with whom they share sensitive and confidential information.
Although SMEs may not have the budget for additional security, a post on the Cyber Security Intelligence website recommends increased spending with these priorities:
- Outsource IT to a vendor who can provide 24/7 monitoring,designated alerts, reports and threat mitigation.
- Cyber security awareness training for all employees.
- Security software for personal devices, not limited to computers.
To learn more about Cybersecurity and how your SMB could benefit from a policy review, schedule a quick 10 minute call with our Risk Management expert, Steven Sharkey below. He will be happy to help in any way he can.