This is the first of a two-part blog series focusing on cybersecurity for small- and medium-sized businesses (SMBs). Read the second blog here.
“I knew what a tornado could do, but you never think it would hit your place.” – Dan Oswald, a small business owner.
Many SMBs know what a cyber attack is and the damage that it can do but think that they’re invisible to cybercriminals or that a cyber attack will never happen to them. This belief is partially the fault of the media because SMB cyberattacks don’t usually make the headlines (unless they were part of a hacked supply chain of a more significant vendor). Partially this belief stems from the attitude that it won’t happen to you – like Oswald who never expected rare twin F4 tornadoes to rip through his rural town in 2014 and destroy his business. And, partially this belief of invisibility stems from the logic of why go after a fish when you can land a whale.
The reality is that the whale, or large enterprise, maybe too hard to land, and fish, SMBs, are easier to catch and more plentiful. A threat actor can sustain themselves on fish, and there’s always the chance that a fish will lead them into the belly of the whale. This famously happened with the Target breach years back, when the threat actors found their way into Target’s system through a smaller vendor.
If you run an SMB, know that you are not invisible. There are plenty of statistics that prove how much of a target SMBs are. If you run an SMB here are thirteen statistics that you need to know. For some, thirteen is a lucky number – for others unlucky. What you do with the following information will determine whether your SMB will be cyber-prepared and lucky, or potentially become one of these unlucky statistics itself.
SMB Cyber Stat #1: According to Verizon’s 2019 Data Breach Investigation Report, 43 percent of all data breaches target SMBs.
SMB Cyber Stat #2: According to 4iQ’s 2019 Identity Breach Report, SMBs were targeted at an inordinate rate in 2018. There was a 424 percent increase over the previous year in authentic and new breaches of SMBs.
SMB Cyber Stat #3: InsuranceBee’s Cyber Survey of more than 1,300 SMB owners found that SMB owners are largely unaware and unprepared for a cyber incident. The survey found that 83 percent of SMBs lack the funds required to recover from a data breach or cyber attack.
SMB Cyber Stat #4: The average cyber attack costs nearly $3 million when you factor in potential ransom, cost of lost data, system outages, non-compliance fines, downtime, legal fees, public relations fees, loss of business, and, of course, potential lawsuits. The Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses Report breaks down the costs, attributing $1.56 million of that $3 million to downtime.
If you’re wondering how cyber costs can total $3 million, look to the recent AMCA healthcare data breach as an example. The company has paid millions in”additional” charges — reporting the breach cost $4.2 million and notifying the 20 million affected patients cost $3.8 million. That’s $8 million before factoring in the non-compliance penalties, legal fees and lawsuits. Not surprising, the company filed for Chapter 11 protection in June.
SMB Cyber Stat #5: According to our partner, Cisco’s, 2018 Security Capabilities Benchmark Study, SMBs typically experience eight or more hours of downtime during a severe security breach. The study stated that eight hours offline was the reality for 40 percent of medium-sized businesses in 2018.
SMB Cyber Stat #6: In 2018, the number of SMBs reporting negligent employees as the cause of data breaches rose to 60 percent as published by The Ponemon Institute. External threat actors were reported as only 37 percent of the cause of breaches.
SMB Cyber Stat #7: The Ponemon Institute also reported that 54 percent of SMBs think their businesses are too small to be targets of ransomware or attractive to threat actors.
SMB Cyber Stat #8: The 2018 Duo Trusted Access Report lists that more than 50 percent of phishing campaigns resulted in the exposure of at least one set of user credentials.
SMB Cyber Stat #9: Juniper Research’s 2018 Report depicts a frightening picture. The report shows that small businesses invest less than an average of $500 each year on consumer-grade cybersecurity solutions. Small-business spending made up only 13 percent of the overall cybersecurity market in 2018, even though over 99 percent of all companies are small businesses. With investments that low on security measures, its no wonder that threat actors find small businesses so appealing.
SMB Cyber Stat #10: According to The Ponemon Institute, cyber attacks resulting from compromised employee passwords cost on average $383, 365.
SMB Cyber Stat #11: 68 percent of small businesses don’t have an incident response plan in place, according to Nationwide. Therefore, they are unprepared when breaches, system problems, or natural disasters impact their network. Incident response, and preparing for the unexpected, is part of responsible cybersecurity planning.
SMB Cyber Stat #12: Continuum shares, in their 2019 Small Business Cyber Security Report, that 62 percent of SMBs lack the personnel in house to properly handle cybersecurity functions, while 56 percent of respondents admit they don’t have any security specialists on staff.
SMB Cyber Stat #13: According to the 2017 State of Cybersecurity Among Small Businesses in North America Report, 55 percent of small businesses list resources and knowledge as barriers to their cybersecurity planning.
Size doesn’t matter to a cyber threat actor. In their mind, no business is too large or too small to try to breach. It’s a little like Goldilocks if she were a threat actor, she would have no issues about testing the cybersecurity of every company – from big to small – to find a target that is “just right.” If statistics 11-13 especially resonated with you, we’d love to discuss what ISA Cybersecurity Inc. can do to fortify and prepare your SMB. You don’t want to find Goldilocks lying in wait in your system.
There’s a lot that ISA Cybersecurity Inc. can do to help protect your small- or medium-sized business, and there’s also a lot that you can do to self-protect. Be sure to check out the second blog in this 2-part series, with practical cybersecurity approaches for your SMB.