SMEs contribute to more than one third of GDP in emerging and developing economies and account for 34% and 52% of formal employment respectively. SMEs and young firms that experience rapid growth can have a considerable impact on employment creation and productivity growth, including through innovation, heavy investments in human capital, new demand for advanced products and services, knowledge spill-overs that other enterprises can harness, and impact on local entrepreneurial ecosystems, according to an OECD report. Established medium-sized enterprises that innovate and scale up are the driving force behind growth in many OECD economies, often ensuring the coordination, upgrading and participation in supply chains of smaller suppliers.
Digital technologies enable SMEs to improve market intelligence and access distant markets and knowledge networks at relatively low cost, and stronger participation in international activity can boost SME growth. Many small businesses host a website, conduct business over email, allow for online or credit card payments, or even offer free Wi-Fi access to customers in their office locations.
However, increased digitization has exposed small and medium businesses to cyber threats. In their 2018 Data Breach Investigations Report, Verizon found that 58% of all cyberattacks target small businesses. While it is true that the ultimate reward might not be as high as from a multinational organization, cybercriminals go after SMBs because they are easier to penetrate.
Researchers at Warwick Business School have found that security breaches have a lasting impact on organizations, with breached companies typically paying lower dividends and investing less in research and development up to five years after the attack. Daniele Bianchi, assistant professor of finance at Warwick Business School, said: “Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling. However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered. In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.” While operating performance recovered after a cyber-attack, these companies tended to invest less in research and development and paid lower dividends over the next five years as they sought to manage the financial risks caused by data breaches.
When a multinational or global company is attacked, the cost can be astronomical whereas, according to the Ponemon Institute, the average cost for small businesses to clean up after being hacked is about $690,000 and, for middle market companies, it is over $1 million. The cybersecurity industry has also shown enterprise bias by targeting superior solutions and services to large enterprises who have deep pocketbooks and experienced staff.
Threats faced by small businesses
According to the Verizon Report, cyberattacks can occur in several different ways. 48% of last year’s breaches featured hacking while 30% included malware. Other less prevalent but still dangerous methods of attack were social attacks, privilege misuse or physical breaches.
Ransomware is malware that encrypts data, usually until affected users pay a ransom demand. It can create severe disruption and system downtime for small/midmarket businesses. Ransomware is also costly in a different way for these organizations: Cisco security experts explain that small/midmarket businesses are more inclined to pay ransoms to adversaries so that they can quickly resume normal operations. They simply can’t afford the downtime and lack of access to critical data—including customer data.
Despite worries about ransomware, Cisco security experts suggest it is a diminishing threat as more adversaries shift their focus to illicit cryptocurrency mining (“cryptomining”). The appeal of this activity is threefold: It can be highly lucrative, payouts can’t be traced, and adversaries can worry less about the potential for criminal liability for their actions. (For example, there is no risk of patients being deprived of critical care because a hospital’s systems and essential data are locked up by ransomware.) Adversaries can also deliver mining software (“miners”) through various methods, including email-based spam campaigns and exploit kits.
The Verizon Report also states that more than 25% of network attacks involve people inside an organization. As respondent companies move more data and processes to the cloud, they must also take steps to manage another potential threat: rogue insiders. Without tools to detect suspicious activity (such as downloading of sensitive customer information), they are at risk of losing intellectual property, sensitive financial and client data through corporate cloud systems.
A recent investigation by Cisco threat researchers highlights the risk: From January to June 2017, they examined data exfiltration trends using machine learning to profile 150,000 users in 34 countries who were using the cloud. Over 1.5 months, researchers found that 0.5 percent of users made suspicious downloads.
Vulnerability of small businesses and impact of cyber-attacks
Adversaries view small/midmarket businesses as soft targets that have less sophisticated security infrastructure and practices and an inadequate number of trained personnel to manage and respond to threats. A number of small businesses don’t have dedicated IT security staff, with 62% saying they would not know what to do in the event of a cyber attack or data breach.
Small businesses allow employees and contractors to use their own personal devices or applications (BYO) at work, creating new points of vulnerability. In addition, SMBs don’t always have a clear cybersecurity strategy that they communicate to every member of their team. The Verizon Report states that nearly one-fifth of system breaches occur because of human error. This can happen when an employee clicks on the wrong link or doesn’t adequately secure a device.
Cisco 2018 Security Capabilities Benchmark Study found more than half (54 percent) of all cyber-attacks result in financial damages of more than US$500,000 including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs. That amount is enough to put an unprepared small/midmarket business out of operation—permanently.
System downtime, which undermines productivity and profitability, is a significant issue for businesses following a cyber attack. Research from the Benchmark Study found that 40 percent of respondents (250–499 employees) experienced eight hours or more of system downtime due to a severe security breach in the past year. Recovering from a cyber attack can be difficult and costly—if not impossible—for these businesses, depending on the nature and scope of the campaign.
Cisco saw similar results for larger organizations in the study sample (those with 500 or more employees). The difference, though, is that larger organizations tend to be more resilient than small/midmarket businesses following an attack because they have more resources for response and recovery.
Also, 39 percent of respondents reported that at least half of their systems had been affected by a severe breach. Smaller businesses are less likely to have multiple locations or business segments, and their core systems are typically more interconnected. When these organizations experience an attack, the threat can quickly and easily spread from the network to other systems.
In fact, according to the U.S. National Cyber Security Alliance, 60% of small companies are unable to sustain their business more than six months following a cyberattack. They frequently just don’t have the resources.
SMB cyber security
Only 38 percent of small/midmarket businesses have an active cyber-risk strategy in place, according to the Vistage Research Center, a resource center for business leaders. A first step, then, is to develop a strategy for improving cybersecurity.
Businesses also recognize that their security approaches must meet the demands of the modern work environment—in particular, the shift to mobility and the embrace of mobile devices. Fifty-six percent of respondents said that defending mobile devices from cyber-attacks is considered very challenging or extremely challenging.
Encrypting data helps SMBs protect the private and sensitive information on their network and enhance the security of communication between client and servers. When data is encrypted, even if an unauthorized person or entity gains access to it, it is not readable without the appropriate key. As a result, in addition to protecting access through authentication mechanisms, SMBs also need to use authorization to control who sees sensitive data and what they can do with it.
Detection is increasingly important when it comes to mitigating the damage caused by a breach. The Verizon Report states that 68% of breaches took months or longer to discover. Having best practices in place to detect a breach as quickly as possible helps to reduce its overall impact and can make recovery that much easier. In the event of a data breach, you should also be prepared to respond quickly and effectively.
Moving forward, smaller organizations indeed seek to address the cybersecurity challenges that threaten their organizations with new tools to stop threats. Benchmark Study respondents said that if staffing resources were available, they would be more likely to:
— Upgrade their endpoint security to more sophisticated advanced malware protection/EDR – the most common response at 19 percent.
— Consider better web application security against web attacks (18 percent)
— Deploy intrusion prevention, still seen as a vital technology to stop network attacks and exploit attempts (17 percent).
At the same time, you should also be monitoring your systems for common indicators of a compromise. These can include unusual login times, reduced operating speeds across the network, errors in application and system event logs, new devices on the network, new users with admin privileges, unusual event log entries in the security log, or workstations with very high traffic.
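As an added illustration (not from the original article or any vendor it cites), the following Python sketch checks four of the indicators listed above: unusual login times, new admin users, new devices, and workstations with very high traffic. The event format, field names, working hours, allow-lists and sample data are all constructed assumptions.

```python
import json
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs); the JSON field names are assumptions.
SAMPLE_EVENTS = """
{"ts": "2024-03-04T09:12:00", "type": "login", "user": "alice", "host": "ws-01"}
{"ts": "2024-03-04T02:47:00", "type": "login", "user": "bob", "host": "ws-02"}
{"ts": "2024-03-04T10:05:00", "type": "group_add", "user": "temp1", "group": "Administrators"}
{"ts": "2024-03-04T10:30:00", "type": "dhcp_lease", "mac": "aa:bb:cc:00:00:01", "host": "ws-01"}
{"ts": "2024-03-04T11:02:00", "type": "dhcp_lease", "mac": "aa:bb:cc:00:00:99", "host": "unknown"}
{"ts": "2024-03-04T12:00:00", "type": "traffic", "host": "ws-01", "mb_out": 120}
{"ts": "2024-03-04T12:00:00", "type": "traffic", "host": "ws-02", "mb_out": 95}
{"ts": "2024-03-04T12:00:00", "type": "traffic", "host": "ws-03", "mb_out": 4800}
"""

KNOWN_MACS = {"aa:bb:cc:00:00:01"}   # assumed asset inventory
APPROVED_ADMINS = {"alice"}          # assumed list of sanctioned administrators
WORK_HOURS = range(7, 20)            # assumed normal hours, 07:00-19:59 local
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

def find_indicators(raw, traffic_factor=10):
    """Return (indicator, subject) pairs found in newline-delimited JSON events."""
    events = [json.loads(line) for line in raw.strip().splitlines()]
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "login" and hour not in WORK_HOURS:
            alerts.append(("unusual_login_time", e["user"]))
        elif (e["type"] == "group_add" and e["group"] in ADMIN_GROUPS
              and e["user"] not in APPROVED_ADMINS):
            alerts.append(("new_admin_user", e["user"]))
        elif e["type"] == "dhcp_lease" and e["mac"] not in KNOWN_MACS:
            alerts.append(("new_device", e["mac"]))
    # "Very high traffic" is relative: compare each host with the median,
    # which a single noisy workstation cannot drag upward the way a mean would.
    traffic = {e["host"]: e["mb_out"] for e in events if e["type"] == "traffic"}
    if traffic:
        base = median(traffic.values())
        for host, mb in sorted(traffic.items()):
            if base > 0 and mb > traffic_factor * base:
                alerts.append(("high_traffic", host))
    return alerts

if __name__ == "__main__":
    for kind, subject in find_indicators(SAMPLE_EVENTS):
        print(f"{kind}: {subject}")
```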
Machine learning, while surrounded with hype, has its place in security. However, look for machine learning as a detection layer inside already deployed products versus a stand-alone product from another vendor that adds another product to manage.
“By adopting a set of security platforms and tools that all work together, versus disparate pieces that may actually conflict with each other, you get an amplification of security effectiveness, as well as a simplification of management,” said Ben M. Johnson, CEO of Liberty Technology.
In recognition of their security challenges, many respondents are looking to the cloud to bolster defenses without adding people or straining existing resources. The adoption of cloud services among midmarket businesses is clearly on the rise, based on Cisco’s research. In 2014, 55 percent of these businesses said they hosted some of their networks via a form of the cloud; in 2017, that number increased to 70 percent.
Because of a shortage of IT manpower, many small/midmarket businesses look to outsourced assistance to gather the talent they need to increase their knowledge of threats, save money, and respond to breaches more quickly.
Comprehensive, regular security processes—such as controls for high-value assets and reviews of security practices—help organizations identify weaknesses in their security defenses. Such processes are not as prevalent in small/midmarket businesses as they should be, perhaps owing to the lack of staffing.
Finally, small/midmarket businesses must also understand that there is no “silver bullet” technology solution to solve all of their cybersecurity challenges. The threat landscape is too complex and dynamic. The attack surface is always expanding and changing. And, in response, security technologies and strategies must continually evolve as well.