SMBs AND CYBER SECURITY

August 9, 2023

“The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture. So what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses.”

When you think of cyberattacks, highly-publicized breaches such as occurred at Twitter, Cash App, Nvidia, Uber, or Grand Theft Auto probably come to mind. But most small businesses (SMBs) presume that they are too small to be bothered with and therefore need to be concerned with protecting against cyberattacks.

Unfortunately, that thinking is wrong—and quite costly. Statistically, about 46% of all cyberattacks carried out are against small businesses (fewer than 1,000 employees), and a huge 61% of all SMBs were the target of a cyberattack last year. It’s time that SMBs took the threat seriously—and did something about it.

The Cost of SMB Cyberattacks

Some interesting statistics came out of a study conducted by IBM and the Ponemon Institute. To begin with, in 2020 alone, there were over 700,000 attacks against SMBs, costing them $2.8 billion in damages; malware was the most common type of cyberattack aimed at small businesses, with 83% of all ransomware attacks in 2021 being carried out against SMBs; and 51% of SMBs that suffered ransomware attacks ended up paying the attackers.

Furthermore, nearly 40% of SMBs reported that they lost crucial data as a result of an attack, and 75% reported that they could not continue operating if they were hit with ransomware. Given these numbers, one would think that SMBs would be the first to address the need for better cybersecurity, yet only recently have SMBs recognized the value of investing in the proper technology and adopting proper policies, and only 17% carry ‘cyber insurance.’

The ’Soft Costs’’ That Damage a Business

Aside from the fact that a cyber attacker can drain corporate bank accounts that are accessed—and even personal bank accounts that are accessible via business networks—there is also the issue of identity theft that oftentimes occurs along with cyberattacks. A company’s employees can have their lives destroyed over such breaches. Customer’s credit card information and other financial details affecting your customers can also be compromised, which, needless to say, can result in losing those customers in addition to dealing with the lawsuits they will likely bring.

Other ancillary damage includes the cost of bringing in cyber experts to investigate the matter, the costs of notifying customers of the breach (which also involves binging in professional consultants in order to be in compliance with all regulations that the business will now have to comply with), providing volumes of records to law enforcement, and an increase in liability insurance premiums. For investors, a data breach and its resultant losses to the company may be viewed as negligence and erode the confidence of investors in the SMB’s management.

Creating a Recovery Plan

The impact of cybercrime on an SMB can be catastrophic, and some cybercrimes can even shutter a business permanently. According to many experts, staying ahead of the cyber curve requires that an SMB have in place a recovery plan or business continuity plan just as for any other sort of disaster. Your company should have incident response teams that include cyber experts so as to be able to quickly identify a breach, hopefully, limit its spread and impact, and restore services as quickly as possible. Going forward, the team must analyze the breach to ensure that the business does not fall prey to cyber attackers in the future. Technically recovering from an attack is only one part of the response team’s function, and smoothing out the accompanying havoc is another. The team will also need PR experts, whether outside consultants or in-house staff, to make sure that customers and the public receive accurate information and not online rumors.

FCC Tips for SMBs

Because the internet is the theater in which cyberattacks take place, cybersecurity is particularly within the purview of the FCC. And, due to the fact that the theft of digital information is now the most commonly reported fraud—eclipsing even physical theft—the agency has drafted guidance to assist SMBs in developing a culture of security so as to enhance both the SMBs’ and their consumers’ confidence. Among the FCC’s tips for better cybersecurity are the following:

Training employees in security principles. Basic security practices such as strong passwords and Internet use guidelines should be established for employees and reviewed on a regular basis, with rules in effect for enforcement.
Protecting information, computers, and networks. ‘Clean machines’ having the latest security software, browser updates, and operating system updates are considered the best defenses against malware, viruses, and numerous other online threats. It is especially important for antivirus software scans to run automatically.
Firewalls. Preventing outside access is the job of a firewall, and this program is important to have installed on the equipment of remote workers as well.
Company mobile devices. A frequently overlooked access point for cybercriminals is by way of mobile phones. Mobile devices pose a significant security challenge, especially if they hold confidential information or can access the corporate network. Mobile devices must be password protected and have data encrypted.

Advice from the FBI

While it is true that SMBs simply do not have the same level of resources as larger corporations to either fend off cyberattacks or mitigate their effects, SMBs can nevertheless do much with what they have to stay cyber-secure. Echoing the FCC’s suggestions, FBI Supervisory Special Agent Michael Sohn recommended that SMBs practice ‘cyber hygiene’, noting that ‘a lot of the cyberattacks that we have witnessed from our investigations, almost all of them could have been prevented by doing very basic cyber hygiene.’ This includes using multi-factor or two-party authentication and not using the same password across multiple logins or accounts. Although this sounds very simple, the agency has witnessed many situations in which the same password used for an email might also be used for a payroll account or access to other financial accounts. Although utilizing a good password manager is not necessarily a ‘silver bullet’ to stop cyber attackers, that tool, along with other sound cybersecurity practices, can go a long way as a valuable layer in your SMB’s data and financial protection.

Executive Summary

The Issue

How can SMBs stay ahead of the curve in fighting cyberattacks?

The Gravamen

By adopting basic cybersecurity practices—including up-to-date password management and policy enforcement—even smaller businesses can mitigate breach occurrences.

The Path Forward

A disaster response team should be organized to quickly recover operations in the event a cyberattack occurs.

Action Items

Change of Mindset:

If you thought that cyberattacks mainly hit big companies, then to begin with, your managers need a sea change as to their perspective on this growing crisis.

Cybersecurity Policies:

Put in place cybersecurity policies covering everything from password practices, employee responses to suspicious emails, clicking on pop-ups, and overall use of company computers, and accessing company internet from mobile phones.

Disaster Response Team:

By having in place a team of professionals, including IT, PR, and a consultant, to address the compliance requirements following an attack, your company can at least limit the ancillary damage from an attack.

Technological Tools:

Don’t ignore the technology that already exists to help protect your company, such as firewalls, regular security updates and patches, and server access authentication, which is a technology that even SMBs should be able to afford when scaled to their size.

[email protected]

(212) 913 0500