Whenever we hear about major cyber security attacks such as data breaches, it’s typically larger enterprises that are the victims. That makes sense, considering those events can potentially impact a lot of people and therefore are more likely to grab headlines and garner attention.
But that doesn’t mean small and mid-sized companies (SMBs) are immune to such attacks. In fact, smaller organizations are frequent targets of cyber incidents, and they generally have far fewer resources with which to defend themselves.
A recent study by the Ponemon Institute, which conducts research on a variety of security-related topics, presents a clear picture of the cyber security challenges SMBs are facing. The report, "The 2019 Global State of Cybersecurity in SMBs," states that for the third consecutive year small and medium-sized companies reported a significant increase in targeted cyber security breaches.
For its report, Ponemon conducted an online survey of 2,391 IT and IT security practitioners worldwide in August and September 2019, and found that attacks against U.S., U.K., and European businesses are growing in both frequency and sophistication.
Nearly half of the respondents (45%) described their organization's IT posture as ineffective, with 39% reporting that they have no incident response plan in place.
Cyber criminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs, noted Larry Ponemon, chairman and founder of the Ponemon Institute. The report shows that cyber attacks are a global phenomenon, as is the lack of awareness and preparedness by businesses globally, he said.
Overall, cyber attacks are increasing dramatically, the report said. About three quarters of the U.S. companies surveyed (76%) were attacked within the previous 12 months, up from 55% in a 2016 survey. Globally, 66% of respondents reported attacks in the same timeframe.
Attacks that rely on user deception are on the rise, the study said. Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%), and credential theft (30%) among the most common attacks waged against SMBs globally.
Data loss is among the most common impact of cyber security events. Worldwide, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the previous year.
SMBs around the world increasingly are adopting emerging technologies such as mobile devices and apps, the Internet of Things (IoT), and biometrics, despite having a lack of confidence in their ability to protect their sensitive information.
Nearly half of the survey respondents (48%) access more than 50% of their business-critical applications from mobile devices, yet virtually the same portion of respondents said the use of mobile devices to access critical applications diminishes their organization's security posture.
Furthermore, a large majority of respondents (80%) think it is likely that a security incident related to unsecured IoT devices could be catastrophic. Still, only 21% monitor the risk of IoT devices in the workplace.
The report also suggests that biometrics might finally be moving toward the mainstream. Three quarters of SMBs currently use biometrics to identify and authenticate users or have plans to do so soon.
Small and mid-sized companies can take several steps to bolster their cyber security programs. One is to educate users and managers throughout the organization about the importance of strong security and taking measures to keep data safe.
Because so many attacks begin with employees opening suspicious email attachments or clicking on links that lead to malware infestations or phishing, training users to identify these threats is vital. Companies can leverage a number of free training resources online to help spread the word about good security hygiene.
Smaller companies, particularly those will limited internal cyber security skills, can also consider hiring a managed security services provider (MSSP) to help build up a security program. Many of these firms are knowledgeable about in the latest threats, vulnerabilities, and tools, and can help SMBs quickly get up to speed from security standpoint.
And companies can deploy products and services that are specifically aimed at securing small businesses. Such tools provide protection for common IT environments such as Windows, macOS, Android, and iOS devices. They are designed to protects businesses against ransomware and other new and existing cyber threats, and prevent data breaches that can put personal and financial data at risk.
Some of these offerings can be installed in a matter of minutes with no cyber security or IT skills required, which is ideal for smaller companies with limited resources and a need to deploy stronger defenses quickly.