You may assume that large corporations are the main target for financially driven cyber criminals, but small and medium businesses are just as much at risk. What makes this worse is that a small business's cyber defence is often underfunded, which increases its exposure to threats. A staggering 46% of SME business owners believe that cyber-attacks are 'mainly an issue for bigger organisations' (Gallagher research). Yet nearly 90% of breaches occur in small businesses (FirstData), which points to a deep misunderstanding of the cyber security threat landscape.
Unlike corporations that fortify themselves with several layers of protection, SMEs usually lack sophisticated security solutions and expertise, and so are particularly exposed to business damage. Large organisations are more likely to have a cohesive incident response plan in place that helps them detect, react and recover in a timely manner when a security event occurs. By underestimating what happens in the event of a breach, an SME can find that a single attack has huge consequences: downtime, the cost of restoring data and reputational damage are just some of the things to consider, and in 60% of cases an SME will go out of business within six months of an attack (NCSA - National Cyber Security Alliance).
A bigger concern is that cyber-attacks are maturing, with criminals adopting well-researched, intelligently personalised and data-driven tactics. Despite the risk they face, and caught between inadequate consumer solutions and overly complex enterprise software, many SME owners fail to make cyber security a priority. According to BullGuard, 1 in 3 SMEs rely on free or consumer-grade security tools to protect them from cybercrime, while 1 in 5 uses no endpoint security at all.
Why SMEs are so vulnerable
Lack of awareness
Cyber security can feel intangible, and many SME owners feel out of their depth when assessing cyber risk. BullGuard's research also found that nearly 60% of SME owners are confident they will not encounter cybercrime and consequently do not invest in cyber security services. That confidence is misplaced: rather than waiting until an incident occurs, proactively safeguarding your business pays off in the long run. DynaRisk's Cyber Security Score helps business owners identify areas of risk within their company by training employees, monitoring for data breaches and leaks, and providing support and guidance.
Remember - if your company data is valuable to you, it’s also valuable to criminals!
Lack of education
Nearly 50% of SME owners do not provide their workforce with any cyber security training. This is a problem because 90% of data breaches in 2019 were caused by human error, according to CybSafe's analysis of data from the UK Information Commissioner's Office (ICO). Equipping your employees with the tools to identify, evaluate and avoid threats should be a key part of any business strategy. Our SME product can form part of a resilient cyber security strategy, giving your employees tailored tools and something tangible to work with.
Lack of expertise and resources
Small businesses are less likely to have dedicated security staff and rely more on outsourced suppliers and software for their IT needs, which often introduces supply chain and infrastructure configuration weaknesses. While 65% of SMEs manage cyber security in-house, less than 10% have a dedicated IT staff member. Cybercriminals know that SMEs lack the resources to maintain a defensive posture, and exploit this in their attacks.
Cyber security challenges for SMEs
One of the biggest threats to small businesses is phishing. Criminals impersonate legitimate individuals or companies to deceive employees into giving away sensitive information such as company credentials or financial details. With the wealth of data available to online fraudsters, phishing emails look increasingly authentic and are harder to detect. Attackers use AI to build targeted campaigns and borrow the trappings of legitimate sites: almost 75% of phishing sites used HTTPS (SSL/TLS) in 2019 (APWG). A padlock icon only means the connection to the site is encrypted, not that the site is who it claims to be, so employees who were taught to 'look for the padlock' are more inclined to become victims.
No amount of automated software can make up for poorly trained employees, and from time to time phishing emails will slip through spam filters. Providing your staff with regular cyber security training, and making sure every employee knows what to look out for and how to respond if targeted, significantly reduces the chance of them falling for social engineering scams. DynaRisk's phishing simulation service is a great way to train and test your employees to tell legitimate emails from scams. We have also put together a comprehensive set of tips to help your employees detect phishing attempts.
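Two of the checks a person (or a mail filter) can apply to the links in a suspicious email are shown below in a small Python example. It is added here for illustration and is not DynaRisk's code or part of the original article; the email body, the impersonated company example-bank.com and the look-alike hosts are all constructed for the example. The first check compares the domain shown in the link text with the domain the link actually goes to; the second looks for a trusted brand name buried inside some other domain. Note that the https:// scheme is deliberately ignored as a trust signal.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (not a real message). The first and third links
# point at look-alike hosts; the second is genuine. example-bank.com stands in
# for the company being impersonated and is an assumption of this example.
SAMPLE_EMAIL = """
<p>Your invoice is ready.</p>
<a href="https://portal.example-bank.com.login-verify.example/reset">https://portal.example-bank.com</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="https://example-bank.com.evil.example/docs">Read our policy</a>
"""
TRUSTED_DOMAINS = ["example-bank.com"]

# Something that looks like a URL or bare domain inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Last two labels of a host name, e.g. 'a.b.example.com' -> 'example.com'.
    Simplification: a real tool would use the public suffix list so that
    hosts such as 'shop.example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_link(href, text, trusted_domains):
    """Return the reasons a link looks deceptive (empty list if none).
    The scheme is deliberately ignored: an https:// link only proves the
    connection is encrypted, not that the destination is legitimate."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if not host:
        return reasons
    # 1. The visible text shows one domain but the href goes somewhere else.
    shown = URL_IN_TEXT.search(text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    # 2. A trusted brand name appears inside a host that is not the brand's own
    #    domain, e.g. example-bank.com.evil.example (heuristic; can false-positive).
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        if brand in host and registered_domain(host) != domain.lower():
            reasons.append(f"{host} imitates {domain}")
    return reasons


def suspicious_links(html, trusted_domains):
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text, trusted_domains)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed message, the first and third links are flagged and the genuine help-centre link passes. The same two checks are what you should teach staff to do by hand: hover over the link, read the real destination from right to left, and ignore the padlock.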
DivvyCloud research highlighted that the number of records exposed by cloud misconfigurations surged by 80% from 2018 to 2019, with a total of 33.4 billion records compromised. Leaving a server or storage bucket open to the internet can lead to remediation costs, GDPR penalties and, eventually, reputational damage. The exposed customers also face a greater risk of being targeted in personalised phishing campaigns built from the leaked data. So if you suspect your business could be vulnerable, now is the time to act. By implementing strict data management policies, checking who is allowed to reach sensitive data and continuously monitoring who actually accesses it, you can detect and mitigate the risks in a timely manner. Here is an insightful article on how to properly protect your database and prevent data leaks.
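A typical "cloud misconfiguration" of the kind counted in that research is a storage bucket whose access policy grants read access to everyone. The Python below is an added example (not DynaRisk's code or from the original article) of the check a practitioner runs over such a policy document: it flags any Allow statement addressed to the anonymous principal and sets aside those that carry a Condition for human review. The bucket name customer-exports, the IAM role and the account ID 123456789012 (the placeholder used in AWS documentation) are assumptions of the example, and the weak policy is shown beside a corrected one.

```python
import json

# Constructed example policies for a hypothetical bucket named customer-exports.
# The account ID 123456789012 is the placeholder AWS uses in its documentation.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]
    }
  ]
}
""")

# Corrected version: read access only for one application role, plus a Deny that
# refuses unencrypted (plain HTTP) access from anyone.
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-exports/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def is_anonymous_principal(principal):
    """True when the statement applies to everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_grants(policy):
    """Return the Sid (or index) of every Allow statement aimed at an anonymous
    principal. Unconditioned ones are wide open; conditioned ones (for example
    limited to a source IP range) are listed separately for a human to judge."""
    open_grants, conditioned = [], []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    for i, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not is_anonymous_principal(statement.get("Principal")):
            continue
        label = statement.get("Sid", f"Statement[{i}]")
        (conditioned if statement.get("Condition") else open_grants).append(label)
    return {"open": open_grants, "conditioned": conditioned}


if __name__ == "__main__":
    print("weak policy :", public_grants(WEAK_POLICY))
    print("fixed policy:", public_grants(FIXED_POLICY))
```

The weak policy reports PublicRead as open; the corrected policy reports nothing, because its only anonymous statement is a Deny. A check like this belongs in whatever review step approves infrastructure changes, alongside the provider's own account-wide "block public access" setting, so a single mistaken edit cannot expose a dataset.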
Data breaches are one of the fastest-growing forms of cybercrime globally. The total number of records exposed in 2019 rose by 284% compared to 2018: over 15.1 billion records were exposed across 7,098 reported breaches, according to the latest Risk Based Security report. The consequences include not only the cost of data recovery but also potential penalties, claims by affected users and reputational damage - 30% of consumers would avoid using the services of an SME involved in a data breach, according to Bank of America Merchant Services. The key to protecting against breaches is robust, preemptive protection and constant monitoring of hacking forums for your company's information. Cyber insurance can also help manage the cost of claims in the event of a breach. Find out more about how data breaches can impact your company, how you can prevent them and how to develop a cohesive incident response plan if a breach occurs.
The most common form of online extortion affecting businesses is ransomware - small businesses make up 71% of ransomware victims. The second most common is the Denial of Service (DoS) attack, and DynaRisk's Intelligence team has noticed a huge surge in DDoS attacks in recent months.
Ransomware attacks encrypt a victim's files and deny access to them until a ransom (usually in Bitcoin) is paid. The FBI states that more than $140 million was paid to ransomware criminals over the past six years. Being hit by ransomware means business downtime and heavy financial loss. There are several actions you should take to protect your business, including backing up data (and keeping at least one copy offline or otherwise out of reach of your network, since ransomware also encrypts any backups it can reach) and investing in firewalls and antivirus software that can detect and stop an attack. Read more about ransomware prevention here.
A Denial-of-Service (DoS) attack attempts to disrupt the normal traffic of a server by flooding it with requests until it slows to a crawl or becomes unavailable; when the flood comes from many sources at once it is a Distributed Denial-of-Service (DDoS) attack. This can leave a business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. Fortunately, there are defence strategies you can employ to protect your small business against these attacks, especially if your business relies on its website. Beyond tracking the source IPs and developing a clear, comprehensive DoS incident response plan, layered protection such as rate limiting, content filtering, load balancing and an upstream DDoS mitigation or content delivery service in front of your site will help you absorb and mitigate these network threats. Monitoring bandwidth and request rates for sudden spikes also gives early warning that a DoS attack has started.
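The "monitor for spikes" advice above is easy to automate against a web server's access log. The Python below is an added example, not DynaRisk's code or part of the original article: it parses common-format log lines, counts requests per second and per source, and flags any second whose count exceeds a threshold derived from the median rate. The log lines are constructed for the example (the IP addresses come from the RFC 5737 documentation ranges), and the `factor` and `floor` parameters are tuning assumptions you would set from your own site's normal peak.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Apache/Nginx common-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, ts, path="/"):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: hosts, times and paths are invented for this example,
# IPs are from the RFC 5737 documentation ranges (not real visitors).
SAMPLE_LOG = []
# Five seconds of normal traffic: three requests per second from a few visitors.
for sec in range(30, 35):
    ts = f"10/Oct/2020:13:55:{sec:02d}"
    SAMPLE_LOG += [
        _line("203.0.113.10", ts, "/"),
        _line("203.0.113.11", ts, "/about"),
        _line("198.51.100.7", ts, "/pricing"),
    ]
# One second of flood: 40 requests from 20 distinct sources hitting the front page.
FLOOD_TS = "10/Oct/2020:13:55:35"
for i in range(1, 21):
    SAMPLE_LOG += [_line(f"192.0.2.{i}", FLOOD_TS), _line(f"192.0.2.{i}", FLOOD_TS)]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requests_per_second(lines):
    """Map each timestamp (to the second) to a Counter of requests per source IP."""
    per_sec = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_sec[rec["ts"]][rec["ip"]] += 1
    return per_sec


def detect_spikes(lines, factor=5.0, floor=10):
    """Flag any second whose request count exceeds max(floor, factor * median rate).
    The median is robust to the spike itself, so the attack does not drag the
    baseline up with it. factor and floor are tuning knobs: set floor above the
    busiest second you see on a normal day so quiet sites do not alert on noise."""
    per_sec = requests_per_second(lines)
    totals = {ts: sum(c.values()) for ts, c in per_sec.items()}
    if not totals:
        return []
    threshold = max(floor, factor * median(totals.values()))
    spikes = []
    for ts in sorted(totals):
        if totals[ts] > threshold:
            spikes.append({
                "ts": ts,
                "requests": totals[ts],
                "threshold": threshold,
                "distinct_sources": len(per_sec[ts]),   # many sources => DDoS rather than one noisy client
                "top_sources": per_sec[ts].most_common(3),
            })
    return spikes


if __name__ == "__main__":
    for s in detect_spikes(SAMPLE_LOG):
        print(f"{s['ts']}: {s['requests']} requests from {s['distinct_sources']} sources "
              f"(threshold {s['threshold']:.0f}); top: {s['top_sources']}")
```

On the sample the five normal seconds pass and the flood second is reported with 40 requests from 20 sources, which is the signature of a distributed attack rather than one misbehaving client (a single abusive IP would show up in `top_sources` and can simply be blocked). Two caveats: request counting only sees floods that reach the web server, so a volumetric attack that saturates your link shows up first in bandwidth counters rather than in the log, and the threshold needs to be tuned to your own traffic before you alert on it.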
How we can help
Cyber security changes at a rapid pace, and with technology becoming increasingly interconnected, new risks are constantly emerging. Resilience and proactivity are the key weapons for preventing security incidents and protecting your customers and employees. Get in touch today to discuss effective ways to protect your business.
TL;DR (Too Long; Didn't Read)
Because of a lack of awareness, education, expertise and resources, SMEs find it very difficult to protect their business in an ever-growing cyber threat landscape. Constant challenges such as data leaks, breaches, phishing scams and other cyber attacks can be catastrophic for smaller enterprises, causing financial losses, business disruption and reputational damage.
To protect SMEs from cyber threats:
- Never underestimate the impact of cyber threats on your business
- Follow a proactive and resilient cybersecurity strategy
- Educate your employees to recognize and prevent cyber threats
- Consider a cybersecurity insurance policy
- Invest in smart, easy to use cyber security solutions, such as Cyber Security Score and our SME products, to prevent cyber risks rather than paying the far higher cost of recovering from them
Get in touch with DynaRisk to discuss effective ways to keep your SME secure.