No Target is Too Small: Why SMEs Must be Cyber-Resilient

Cyber-attacks have hit, and hurt, companies of all shapes and sizes. The financial costs arise from the attack itself, fixing it, and addressing the reputational impact by re-fostering public trust, along with potential regulatory fines and legal bills.

Even so, many organizations – especially micro and small businesses – are unprepared to defend themselves against the increasing threat of cyber-attacks. 

This is concerning for several reasons, and not just because small businesses are the number-one employer in most economies. If a smaller company has to close its doors, even for a relatively short period, the negative impact on the business can be huge, far larger than it might be for a large, well-funded business that has multiple service areas and locations. 

This was highlighted in an October 2018 survey, which found that the average amount demanded during a ransomware attack is $1,077 – but the average remediation cost to businesses is $133,000 once downtime, recovery costs and lost business opportunities are factored in. While these costs are troubling enough for enterprise organizations, they could well be unaffordable for many SMEs. Paying the ransom is not a solution either, as less than 20% of victims who do give in to the extortion demand actually get their data unlocked.

SMEs exposed to attack
The Cyber Security Breaches Survey 2018 commissioned by the UK’s Department for Digital, Culture, Media & Sport, found that micro/small businesses are less apt than medium or large businesses to combat cyber-threats. While 79% of the latter have actively looked for information, advice or guidance about cyber security, only 58% of micro or small businesses have done the same. The differences become even more stark with respect to cybersecurity policies (26% vs. 62%) and training (19% vs. 47%). The numbers are clear: SMEs are simply more vulnerable to cybercrime.

Although just over half (55%) of SMEs have carried out health checks, risk assessments or audits to identify cybersecurity risks, a quarter (25%) have not implemented any cybersecurity governance or risk management measures. Also just 12% of micro/small businesses have instituted a formal cybersecurity incident management process. 

Fortunately, awareness of this issue is on the rise. The directors or senior management in three-quarters (74%) of micro/small businesses place a high priority on cybersecurity. That priority is clearly warranted by the facts: 42% of micro/small businesses identified at least one breach or attack in the last year, and in 17% of incidents these businesses took 24 hours or more to recover from the breach.

The #1 attack trends: ransomware and DDoS 
Over the past few years, ransomware and distributed denial of service (DDoS) attacks have become notoriously common and caused countless small business owners to lose sleep – and, sometimes, big money. According to the UK’s National Crime Agency’s 2017/2018 Cyber-Threat to UK Business Report, both of these threats comprise the top attack trend.

These attacks can be truly damaging, even fatal, to a vulnerable target. If the IT systems of a small e-commerce business are inaccessible or down for many hours or days, the ramifications can be brutal.

In the digital era, business can be brought to a standstill with just a few clicks. POs can no longer be placed or processed, billing can’t be done, or the firm’s customer database is locked down. Ouch. 

Unfortunately, various Cybercrime-as-a-Service platforms on the Darknet sell ransomware toolkits or targeted DDoS attacks for as little as $10, so cybercrime is easier and more accessible than ever. For criminals who know their way around this shady corner of the web, taking advantage of illegal tools and the capabilities of the black market is simple and cheap.

Ignoring or downplaying risk management in the digital world is like playing Russian roulette – the odds are not good, and there is everything to lose. The increased awareness about cyber-threats among SMEs is encouraging, but insufficient to keep the bad guys at bay. SMEs must do more. They need to take tangible action and play catch-up with their big-boy counterparts that take cyber-threats seriously. 

However, building in-house expertise can be costly and time-consuming – especially in light of the ever-increasing shortage of cybersecurity professionals. To speed things up and benefit from economies of scale, SMEs should consider engaging a security-specialized consulting firm to help them identify any compromising loopholes. 

If it’s too expensive or complicated to implement the right tools and to operate them around the clock, a managed service provider can be recruited to run the various security services along the SME’s IT value chain.

Since these providers usually have a shared infrastructure spread across hundreds or thousands of clients, their fees are typically less than the costs associated with the do-it-yourself approach.

Avoiding an attack is the top priority, but businesses should consider “what-if” scenarios and institute a corporate cybersecurity incident management process that can assist them during a potential crisis. Whether it’s about troubleshooting, restoring IT backups, stakeholder management or customer communication, nothing is more effective than a capable team that knows precisely what to do when an attack strikes, and how to get things back on track across multiple work streams.

No business is too small to be attacked; but equally, with the right approach to security, no business is too small to defend itself.
