Small and Midsize Businesses Face Greater Cybersecurity Risks and Challenges
For many businesses, dealing with a cybersecurity incident can be a challenging endeavor, especially since it involves financial and reputational damage. While this applies to all organizations, it is especially true for small and midsize businesses (SMBs).
Cybercrime has become increasingly widespread in today’s world, with cyberattacks increasing both in complexity and number. For many businesses, dealing with a cybersecurity incident can be a challenging endeavor, especially since it involves financial and reputational damage. While this applies to all organizations, it is especially true for small and midsize businesses (SMBs). In fact, cybercrime has become a large concern for the business sector, with a 2019 survey revealing that 58% of executives find data breaches a more significant concern than incidents like fires, floods, or even break-ins.
Small businesses and midsize/midmarket 1 companies tend to be attractive to cybercriminals, as they are perceived as “easy” targets that lack the capability and resources to both prevent attacks and deal with the aftermath.
Greater impact, fewer resources to recover from an attack
The impact of a cyberattack can be devastating for small and midsize companies. These businesses are vulnerable to having their whole operations disrupted by an attack, and they could take a long time to recover — or even worse, never recover at all.
The financial cost can be staggering. According to Cisco’s 2018 SMB Cybersecurity Report, data breaches — one of the most common threats faced by businesses — cost 20% of affected midmarket companies at least US$1 million. Furthermore, 40% of these companies suffered 8 hours or more of system downtime due to security issues. Those 8 hours represent roughly a full working day for one employee and lost productivity and opportunities for the affected business due to disruption of operations. It’s no wonder that many midmarket companies are starting to focus more on cybersecurity, yet only 56% of security alerts are investigated for signs of suspicious activity.
Midmarket companies, in particular, could be targeted more, as they have more valuable assets than small businesses but fewer IT security resources than enterprises. A survey conducted by Osterman Research revealed that midmarket organizations2 not only received more phishing emails than small companies did — they even ranked ahead of large enterprises. In fact, the bigger the company, the less is spent per employee for cybersecurity — mostly owing to economies of scale. It isn’t just businesses that are targeted by threat actors either; even non-profit organizations like churches can feel the heat of cybercrime, as what a U.S.-based church found after losing almost US$2 million to a phishing scheme.
There are also repercussions beyond financial losses. Many small and midsize companies have business dealings with larger organizations. Therefore, any security incident can have far-reaching effects on clients and partners. One example is the data breach involving the biometrics company BioStar 2, which exposed nearly 28 million records from various companies across different industries. Another is the recent ransomware infection of U.S. dental offices’ systems after their cloud remote management software provider suffered an attack.
Primary cyber risks
The Trend Micro 2018 Cyber Risk Index shows that on average, small and medium-sized organizations are at greater risk of the following than their larger counterparts are.
|Cyber risks||These are risks that involve external threats, including attacks that use malware like ransomware, cryptocurrency miners, and botnets.|
|Data risks||These are risks that involve the loss of critical and often confidential data such as customer information and trade secrets. Small and midmarket organizations that handle outsourced data-related work of large organizations are particularly vulnerable to data breaches.|
|Human capital risks||These are the risks that emerge either due to a lack of trained IT security personnel or because of a lack of cybersecurity education given to the company’s employees.|
|Infrastructure risks||These are the risks that are the result of uncertainty on how to secure properly technologies such as cloud services, internet of things (IoT) devices, as well as server environments.|
|Operational risks||These are risks that involve financial damage, disruption of operations, and loss of intellectual property, are often the result of flaws in security infrastructure|
While all companies — regardless of size — mostly face the same types of risks, SMBs are more susceptible to them due to a combination of factors, most of which involve a lack of resources combined with a lack of focus on cybersecurity issues.
Challenges and limitations
Many organizations lack proper understanding of the cybersecurity risks they face, often relying on self-research for threat information. Given how sophisticated many modern-day threats are, it is becoming difficult for a business to assess a potential attack without prior knowledge and the ability to correlate seemingly disparate indicators. Many threat actors also take advantage of zero-day attacks, making it even more difficult to detect and respond to these threats. Furthermore, even if the targeted companies use a wide range of security technologies, they might not possess sufficient knowledge to maximize these products. That unfamiliarity could allow threats to slip by or remain unnoticed.
One of the main challenges businesses face is the shortage of qualified personnel to handle their security requirements. According to Gartner, the number of unfilled cybersecurity roles is expected to rise to 1.5 million by 2020. This means that smaller companies that have fewer resources for hiring skilled professionals also have to compete with larger organizations for a small pool of workers.
The lack of skilled employees is further exacerbated by the sheer amount of information organizations have to deal with on a daily basis. A significant number of organizations within the midmarket and enterprise range have IT or security teams that often spend excessive time investigating incident alerts, many of which can turn out to be false alarms. It might pose less of a problem to larger companies that have a fully equipped IT department or a dedicated security team that can handle the different parts of the IT infrastructure. For businesses with small IT teams that do everything, from hardware installation to software updates to network maintenance, the prospect of having to sift through mountains of data to find that one real red alert from a myriad of grey ones might seem incredibly daunting.
That’s not to say that smaller businesses are naturally worse at implementing their cybersecurity strategy than larger ones. A midmarket company with 500 employees that is focused on securing its network and endpoints and spends on cybersecurity will likely fare better than a 2,000-seat organization that only does the bare minimum.
Maximizing investments through managed security
Small and midmarket companies have to take on considerable risks and challenges as well as serious consequences in the case of a successful cyberattack. They can consider prospects of third-party managed security that is well equipped to deal with various threats.
A managed detection and response (MDR) service like Trend Micro Managed XDR, which provides detection and response capabilities for businesses, can help organizations with their cybersecurity needs by monitoring customer networks, servers, emails, and endpoint data. The MDR team uses individual expertise and the collective knowledge of Trend Micro experts and tools to correlate data, helping companies determine which alerts to prioritize. Trend Micro analysts can also help organizations maximize their existing technology, allowing for more efficient detection and response capabilities, even against threats that have been in the system for a long time.
Once an actual threat is detected, Trend Micro analysts take steps to ensure that the organization can be protected. By conducting root cause analysis, the MDR team can provide a better understanding of how attacks are initiated, how extensively threats have spread, and what steps organizations can take for remediation.