Many people might tend to associate security breaches and malware attacks with large enterprises. After all, the attacks that grab the big headlines generally occur against global companies or large governmental organizations.
That doesn’t by any stretch mean small and mid-sized companies are off the hook when it comes to being targets of attack. In fact, smaller entities face many of the same threats and vulnerabilities, and in many cases they have to defend themselves with more limited resources.
Two separate studies from earlier this year address the cyber security challenges faced by smaller organizations. One, by international specialist insurer Hiscox, found that 65% of small businesses in the U.S. fail to act following a cyber security incident.
The company commissioned Forrester Consulting to survey 4,103 professionals in the U.S., U.K., Germany, Spain, and the Netherlands who are responsible for their organization’s cyber security strategy. Nearly half of the respondents (47%) said their organization had suffered at least one cyber attack in the past year.
The report, “2018 Hiscox Small Business Cyber Risk Report,” found that 44% of small businesses that reported a cyber attack in the past year experienced two, three, or four attacks. Cyber security is certainly a high priority among smaller companies, with two thirds of those surveyed saying cyber risk is a top concern for potential business impact on their organization in the coming year.
Despite the concerns, many of these companies lack a comprehensive security strategy. Just over half of small businesses (52%) reported having a clearly defined strategy around cyber security. Furthermore, despite the frequency of phishing attacks, only about one third of the organizations (32%) have conducted simulated phishing experiments to assess employee behavior and readiness in the event of an attack.
Many smaller businesses don’t have the financial resources to address cyber security concerns. In fact, one half of the companies surveyed said they are challenged by a lack of budget.
While budgeting for cyber-related resources is critical, the report noted, people, processes, and technology must also be incorporated to ensure cyber readiness.
Another report, by networking equipment company Cisco, noted that “every organization, large or small, is at risk for an attack. But increasingly, small/midmarket businesses are the focus of attacks and often serve as a launch pad or conduit for bigger campaigns.”
Cyber criminals view small and midmarket businesses as soft targets that have less sophisticated security infrastructure and practices, and an inadequate number of trained personnel to manage and respond to threats, the report said.
The company’s 2018 Security Capabilities Benchmark Study showed that more than half (54%) of all cyber attacks result in financial damages of more than $500,000, including lost revenue, customers, opportunities, and out-of-pocket costs. That amount is enough to put an unprepared small or midmarket business out of operation permanently, the study said.
Many small and midmarket businesses are just beginning to realize how attractive they are to cyber criminals, the report said. And oftentimes that realization comes too late, following an attack. Recovering from a cyber attack can be difficult and costly, if not impossible, for these businesses, it said.
The company conducted a worldwide survey of 1,816 small and midmarket businesses, which it identifies as those with fewer than 500 employees, and found that 40% of midmarket companies (250–499 employees) experienced eight hours or more of system downtime due to a severe security breach in the past year.
Nearly 40% of respondents reported that at least half of their systems had been affected by a severe breach. Smaller businesses are less likely to have multiple locations or business segments, and their core systems are typically more interconnected. When asked about the biggest security challenges they face, respondents are most concerned with targeted attacks against employees (such as phishing); advanced persistent threats (advanced malware the world hasn’t seen before); and ransomware.
Hiscox recommends that smaller businesses consider a few best practices for building a strong cyber security defense. One is to help prevent attacks by involving and educating employees at all levels within the business. Have a formal security budgeting process in place and make sure cyber security is considered and prioritized in decision-making.
Another is to better detect threats by using technology such as intrusion detection and through ongoing monitoring of all critical networks. Track violations, including those that are successful and those that are stopped, and generate alerts using both automated monitoring and manual logging.
Third is to mitigate risk by creating a plan for all incidents, from detection and containment to notification and assessment. Specific roles and responsibilities should be clearly defined. Companies should also regularly review response plans to integrate emerging threats and new best practices, and insure against financial risks with a stand-alone cyber security policy.