Cyber Security Threats to SMBs
When we think about the most public cyber security attacks and data breaches, we generally associate them with large enterprises. The truth is that cyber attacks are not limited by company size.
According to the 2019 Cost of a Data Breach report by the Ponemon Institute, “small businesses face disproportionately higher costs than larger organizations when it comes to breaches.”
Small and Medium-Sized Businesses (SMBs) can be very profitable targets for bad actors because they have fewer resources and little in-house expertise to plan, implement, and execute a cybersecurity incident response plan. Business drivers and modernization needs make it an even trickier balancing act with the new norm of working from home. While large corporations can afford to spend vast sums of money on cybersecurity, SMBs must make every dollar count by identifying and focusing on top security threats.
The most significant, most damaging, and most widespread threat facing small businesses is phishing. Phishing accounts for 90% of all breaches that organizations face, has grown 65% over the last year, and accounts for over $12 billion in business losses. Phishing attacks occur when an attacker pretends to be a trusted contact and entices a user to click a malicious link, download a malicious file, or give up access to sensitive information, account details, or credentials.
Phishing attacks have grown much more sophisticated in recent years, with attackers becoming more convincing in pretending to be legitimate business contacts. There has also been a rise in Business Email Compromise, in which bad actors use phishing campaigns to steal business email account passwords from high-level executives and then use these accounts to fraudulently request payments from employees.
Bring Your Own Device (BYOD)
BYOD is an ongoing dilemma for small-business owners. While it increases flexibility and decreases costs, it also exposes business assets to malicious code from a personal device or untrusted employee. The threat of losing valuable data or compromising critical business processes is real once a private device is connected to a business network. Also, dishonest employees can more easily steal sensitive information from the network. And, as always, there is the threat of an employee’s device being stolen or lost.
Ransomware is one of the most common cyber-attacks, hitting thousands of businesses every year. Ransomware attacks have grown more common recently, as they are one of the most lucrative forms of attack. Ransomware involves encrypting company data so that it cannot be used or accessed, and then forcing the company to pay a ransom to unlock the data. Ransomware leaves businesses with a tough choice: pay the ransom and potentially lose vast sums of money, or cripple their services with a loss of data.
Small businesses are especially at risk from these types of attacks. In 2018, 71% of ransomware attacks targeted small businesses, with an average ransom demand of $116,000. Attackers know that smaller firms are much more likely to pay a ransom, as their data is often not backed up, and they need to be up and running as soon as possible. The healthcare sector is particularly badly hit by this type of attack, as locking patient medical records and appointment times can damage a business to the point where it has no choice but to close unless a ransom is paid.
Cloud-based attacks on the rise
With businesses of all sizes increasingly moving to the cloud, we can expect the number of cloud-based attacks to grow in 2020. Currently, nearly all SMBs use the cloud in some fashion. Some take advantage of cloud storage solutions like Dropbox, Google Drive, or Microsoft OneDrive. Some rely on SaaS solutions like Microsoft Office 365, QuickBooks, or Pipedrive, and some let employees use whichever cloud applications they want to help them be as productive as possible.
However, while cloud adoption is growing, cloud maturity is stagnating. Only 57 percent of small to mid-sized organizations describe their cloud maturity as being advanced or intermediate, according to the RightScale 2019 State of the Cloud Report from Flexera.
SMBs need to realize that the more they embrace the cloud, the more exposed they become to various cloud-based threats. Insufficient cloud security dramatically increases the risk of a significant data breach, whose consequences can be devastating.
Lack of Cyber Security Staff and Employee Training
- 45% of organizations report that they do not have an adequate IT security staff to ensure 24 × 7 × 365 monitoring;
- 54% of business entities claim that they do not have a sufficient Cybersecurity skill set for their size;
- 57% of companies even claim that they do not have enough Cybersecurity workers to staff their Security Operations Centers (SOCs) fully.
Employees are the most valuable asset of your company, and there must be a continual investment in their education and professional training. Employees can be the strongest or the weakest link in your business; therefore, it’s essential to address them as a potential security threat. A lack of basic security knowledge can lead to falling prey to spam emails, creating weak passwords, visiting unsecured sites, or even sharing confidential data through public networks.
Principal Cyber Security Priorities for SMBs
- Education: Employees are the first line of defense against cyber-attacks, and naive working practices and behaviors could be putting businesses at higher risk. Boosting awareness of hackers’ tactics can help SMBs ensure that their employees are a security strength rather than a weakness.
- Keep an eye out for the signs: Phishing is a widespread technique amongst attackers. As a result, employers need to be confident in recognizing the different types of this attack. Tailored and ongoing security awareness training that includes phishing simulations will help employees know the signs of an attack before it’s real.
- Re-evaluate your risk profile: Every business has diverse risk factors. If you don’t have the expertise, contact an independent security auditor or a managed service provider (MSP) to assess your security posture. Work to develop a plan for adequate and ongoing risk mitigation.
- Prepare for the worst: Set up a data breach response plan that identifies specific security experts to call, and a communications response plan to warn customers, staff, and the public.
SMBs can be vulnerable to Cyber Security attacks and may not have the personnel or resources needed to proactively manage cyber security. The Cyber Security experts at Lazarus Alliance are completely committed to you and your business’ success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organization.