When they’re seeking out victims, hackers love to think small.
Big businesses make a tantalizing target, but their large size also means that they can spend a lot on cybersecurity. Smaller businesses, less so.
That’s why almost 60 percent of cyber attacks are aimed at SMEs. They may offer reduced rewards, but criminals know their defenses are weaker.
Too many small and midsized organizations seem oblivious to the risk — and that’s worrying. Large or small, all organizations face the same threats.
Research by Kaspersky has shown that:
- 56% of SMEs have been affected by malware
- 44% have been hit by phishing attacks
- 24% have been affected by denial of service (DoS) attacks
- Almost 30% have been the victim of an unwanted network intrusion
But the impact on smaller businesses is worse. According to the Ponemon Institute, the average cost of cleanup for SMEs after a data breach is between £550,000 and £800,000.
A mere pittance compared to high profile hacks like Equifax (cost: £1.1 billion and rising), but scaled to the revenues of a midsized business, that amount can be catastrophic.
For many it actually is. According to the National Cyber Security Alliance, 60 percent of small companies struggle on for about six months after a cyber attack, before eventually shutting their doors.
The combined impact of lost revenues, damaged reputation, and the hard costs of shoring up network defenses inflict commercial body blows that their smaller resources simply can’t withstand.
Why would a hacker target us?
Because they don’t count turnover in billions of pounds, a lot of SMEs think cybercriminals won’t bother attacking their networks.
Security experts call this the “shoal" mentality – everyone knows breaches are a daily occurrence, but because there are so many potential targets, SMEs assume it’s unlikely they’ll ever find themselves in a hacker’s crosshairs.
That false sense of security can lead to an undercooked or haphazard approach to network protection. Companies delay investment in new technology, have inadequate security practices, roll out disparate solutions, spend too much time chasing false alarms, or simply don’t have the in-house resources and skill sets they need to keep up with a risk landscape that changes every week.
Additionally, a lack of cybersecurity awareness can also create vulnerabilities that have nothing to do with technology. Weak protections for mobile devices and poor password hygiene mean people are often the issue, creating an "insider threat" that opens the door to breach through error and laziness.
Smaller organizations may have more to offer hackers than they think.
Aside from banking details and the commercial information held on their databases, SMEs can be attacked because of their connection to bigger organizations, as they are often part of a supply chain and may be seen as the weakest link in a series of connected networks.
Breaching a smaller company's network could provide the stepping stone hackers need to access their ultimate target, further up the hierarchy.
Bring in the hired guns
Budgets and revenues place a natural limit on how much cash midsized businesses can devote to cyber protection. As it isn’t revenue-generating, the expenditure may well be seen as a headache or a grudge purchase.
But SMEs face the same threat landscape as big companies – just without big company resources.
So the answer for many is to hand over day-to-day cybersecurity responsibilities to a managed service provider (MSP). Working with a partner means gaining fast access to expert knowledge, additional resources, and the latest technologies – plus the confidence that cyber defenses are being rigorously managed, patched, and maintained.
Payment plans are often tiered or otherwise flexible, depending on the size of the organization.
MSPs can also provide consultancy to ensure the provision of the right level of protection for the business. They will typically conduct a security assessment at the start of the engagement to understand where weaknesses and vulnerabilities may lie, either in technology, people, or company processes.
Another reason SMEs turn to MSPs is for help managing the growing compliance burden around safeguarding privacy and personal information. Regulatory regimes like GDPR and PCI-DSS require a lot of time to understand and implement, along with ongoing effort to maintain compliance.
For a midsized business, keeping up with all the rules around data processing and protection can be a big distraction from day-to-day priorities. And yet, a company of any size can face huge fines for infractions.
With the growing popularity of cloud services and bring your own device (BYOD) policies, the issue of password security is becoming increasingly important. Weak logins and loose standards for managing credentials have played a part in numerous high-profile breaches in recent years.
People are stubbornly reluctant to give up passwords like "123456" and "qwerty", so it may well be time to have an outside expert assess how hackable your IT estate is, then recommend services and approaches to address it.
Size doesn't have to matter when it comes to keeping small and mid-sized businesses secure. The threats will keep growing in size and complexity, but there are scalable and affordable options out there to keep SME defenses on par with the protections big companies have come to depend on.