It’s no secret that the global business landscape is rapidly evolving. Small to medium sized businesses (under $500 million in revenue) and their leadership are deciding whether to host their own data center, use software as a service (SaaS), migrate to the cloud, or combine all of these. These decisions are difficult and do not come without their risks and headaches. As technology continues its rapid and often disruptive change, business owners need to pay attention to their security needs.
Cybersecurity solutions are something almost no business owner wants to talk about, think about or spend money on. From experience, there has never been a more critical time for small to medium sized businesses to implement comprehensive cybersecurity technologies, policies and procedures in order to protect themselves and their employees from falling victim to an “assault”.
Small to medium sized businesses are a prime target for cyberattacks as they often lack the resources or expertise to completely protect themselves from threats and are therefore often considered to be “soft” targets. Alert Logic estimates that 58% of malware attack victims are small to medium sized businesses and that 94% of attacks come through malware or phishing emails disguised as bills, invoices, email delivery failure notices and package delivery notifications. According to a study done by Cisco, the top three security issues from smaller business respondents included targeted attacks against employees, ransomware and advanced persistent threats.
Cybersecurity Ventures estimates that these cyberattacks will cost businesses $6 trillion annually by 2021, which is a massive $3 trillion jump from 2015. These costs include “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.” In fact, according to the 2019 Cost of Data Breach Study by IBM/Ponemon Institute, the average breach exposes 25,575 sensitive records for an average of $3.92 million per breach ($153 per record).
Although cybersecurity typically consumes a large share of a small business’s resources, it is far more costly to recover data, money and customers’ trust after a breach.
Breaches are also not easy for small businesses to detect. According to the 2018 State of Cybersecurity in Small and Medium Size Businesses report, 72% of small businesses reported that malware slipped past their intrusion detection systems. The global average time to detect an intrusion is 146 days, and every one of those days adds to the cost of containment and recovery.
In the past 2 years, I have witnessed 2 major breaches causing major downtime. The first was a direct result of a COO at a firm with over 900 million highly sensitive records who refused to have his password changed. That led to a breach of email and then began an all-out assault globally from over 100 countries. Even after the attack, the COO refused to change the password and the entire chief officer team repeatedly failed internal phishing tests. Instead of improving security, the infra team had to spend 1-2 hours a day fighting off these new attacks. The second breach was caused by an administrator password that had not been changed in 15 years and was cracked by brute force. Access was then gained to the entire data center and 80% of systems were infected with ransomware. Instead of paying the $10 million ransom, the company experienced almost 2 weeks of downtime, $3.5 million in mitigation costs and $2.9 million in lost revenue.
Organizations must factor in these recovery costs along with what downtime from attacks will cost them. According to research, cybersecurity attacks caused 40% of small business respondents at least eight hours of system downtime, and 39% of respondents said that security breaches had affected at least half of their systems. Given these costs and losses, small businesses are less likely than large businesses to bounce back at all. The Better Business Bureau (BBB) estimates that only 35% of small businesses could remain profitable for three months or longer if they permanently lost data through a cybersecurity breach.
The business owner needs a solid plan and strategy, a “cybersecurity blueprint”, in order to mitigate risks. To build an effective strategy, the owner must have a trusted source of advice and must apply new ways of thinking.
The question of whom to trust for solid advice is tricky. The business owner may have an infrastructure leader or even a security manager whom he or she can consult, or a consultant they trust. You are likely hearing from them that you must spend money on hardware, software and services to keep you secure. Many times, this advice is not sound; it is akin to throwing something against the wall to see if it will stick. IT managers and security leaders are being sold products based on fear rather than sound advice on a simple layered strategy. Many advisors are also not thinking strategically and are not cloud aware. You need to seek an advisor who can tell you the hard things: “A new path needs to be taken”, “Scheduled downtime needs to be taken for patching”, “You need to move to the cloud”, and so on. The leader needs to surround themselves with truthful people who are current with technologies and strategically focused.
As mentioned, the current environment calls for a new way of thinking from the SMB business owner.
A great place for organizations to start is to create a cybersecurity blueprint: a process of defining how the organization implements and maintains its cybersecurity policies and procedures. By using a framework to identify risks and reduce vulnerabilities, small and medium sized businesses can protect themselves from both technological failures and human error. Elements of a cybersecurity blueprint can include training employees on best practices, multi-factor authentication, perimeter security and monitoring, scanning and filtering of inbound email, a patching strategy, and role-based access control.
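The “monitoring” item above is where the second breach described earlier would have been caught: a 15-year-old administrator password does not fall to brute force silently, it produces a burst of failed logins followed by a success. The following is an added example, not code from the original article, of a minimal detector over authentication logs. The log lines are constructed in sshd’s syslog format, and the window, threshold and list of privileged account names are assumptions for illustration.

```python
"""Flag password-guessing bursts, and a success that follows one, in auth logs.

Added example, not part of the original article. The sample lines below are
constructed (sshd-style syslog); the 60 s window, the 5-failure threshold and
the PRIVILEGED set are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: a burst against 'administrator' that ends in a
# successful login, plus slow, unrelated failures that should not alert.
SAMPLE_LOG = """\
Mar 14 02:10:01 dc01 sshd[2140]: Failed password for administrator from 203.0.113.7 port 50122 ssh2
Mar 14 02:10:02 dc01 sshd[2140]: Failed password for administrator from 203.0.113.7 port 50123 ssh2
Mar 14 02:10:02 dc01 sshd[2141]: Failed password for administrator from 203.0.113.7 port 50124 ssh2
Mar 14 02:10:03 dc01 sshd[2142]: Failed password for administrator from 203.0.113.7 port 50125 ssh2
Mar 14 02:10:04 dc01 sshd[2143]: Failed password for administrator from 203.0.113.7 port 50126 ssh2
Mar 14 02:10:04 dc01 sshd[2144]: Failed password for administrator from 203.0.113.7 port 50127 ssh2
Mar 14 02:10:40 dc01 sshd[2150]: Accepted password for administrator from 203.0.113.7 port 50130 ssh2
Mar 14 02:15:00 dc01 sshd[2201]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Mar 14 02:30:00 dc01 sshd[2202]: Failed password for jsmith from 198.51.100.20 port 40002 ssh2
Mar 14 02:31:00 dc01 sshd[2203]: Failed password for invalid user oracle from 192.0.2.9 port 31000 ssh2
"""

# sshd logs "Failed password for [invalid user ]<name> from <ip> port <n> ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed set of account names that warrant a higher severity.
PRIVILEGED = {"administrator", "admin", "root"}


def parse(line, year=2020):
    """Return (timestamp, accepted, user, ip) or None for lines we don't handle.

    syslog omits the year, so one is supplied to build a real datetime.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_bursts(lines, threshold=5, window_s=60):
    """Return alerts as (severity, ip, user, detail) tuples.

    A (source ip, target user) pair alerts once when it accumulates
    `threshold` failures inside a sliding `window_s` window; a later
    successful login from the same pair is escalated to critical, since that
    is the moment a guessed password actually worked.
    """
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, accepted, user, ip = event
        key = (ip, user)
        if accepted:
            if key in alerted:
                alerts.append(("critical", ip, user, "accepted-after-burst"))
            continue
        window = recent[key]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            severity = "high" if user in PRIVILEGED else "medium"
            alerts.append((severity, ip, user, f"{len(window)} failures in {window_s}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.7 against administrator: a high-severity burst, then a critical “accepted-after-burst”. The two slow jsmith failures fifteen minutes apart never reach the threshold, which is the point of the sliding window: the signal is rate, not volume. In practice the same logic applies to Windows 4625/4624 events or VPN logs once the parser is swapped, and the critical alert is the one that should page someone.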
Cybersecurity will only grow in importance, because technology, and therefore cyberattacks, are constantly evolving and becoming more complex. Small and medium sized businesses need to take cybersecurity seriously and implement blueprints and frameworks that manage risk, breach detection and recovery if they want to survive in this digital world.
2020 Silas Tate. All Rights Reserved