Incidents like the February 2024 ransomware attack on UnitedHealth Group, which reportedly cost it a $22 million ransom plus $872 million in financial damages, may grab headlines, but make no mistake: small and medium-sized businesses (SMBs) are the primary target of cybercriminals. If you didn’t know, now you know. They are viewed as easy targets that do not feel the need to install the best defenses: 51% of SMBs have no cybersecurity measures in place, and of those, 59% say their business is too small to be a target.
The prevailing sentiment among small business owners is that cybersecurity is a luxury. This is not a new development in SMB cybersecurity, but the numbers are at least slowly trending in the right direction, perhaps as a result of the accelerated digitization of most industries since the pandemic. For many SMB owners and IT leaders, starting is the hardest part, so here is a primer on cybersecurity risk management for small business to help them begin or improve the process of identifying, assessing, and mitigating risks.
The importance of proactive cybersecurity
IBM research revealed that 51% of organizations intend to invest more in cybersecurity in direct response to a breach they experienced. This reactive attitude is understandable, as smaller businesses have fewer resources and are focused on core business functions to stay profitable in a challenging economy. However, it is not justifiable given the often catastrophic ramifications an attack can have on a small business. A business like a chain of four or five coffee houses can ill afford a systems outage of 10, 15, or 24 hours, since most such businesses now depend on point-of-sale (POS) payment systems like Square and on online ordering apps. Given the widely cited figure that 60% of small businesses that suffer a cyberattack go out of business within half a year, it is clear how devastating such an incident can be.
Business interruption alone causes considerable damage to these companies, but it is just one of the risks SMBs must mitigate. Since their own vulnerabilities can be a black box to SMB owners, the first step to protecting an organization is to conduct a cyber risk assessment, which can sound intimidating. It isn’t.
Assess and reassess your security posture
A cyber risk assessment is a good place to start. The US government, via agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Small Business Administration, provides several free online tools and guides for assessing cyber resilience and making a cybersecurity plan. We provide a free assessment tool that gives you a report outlining your responses, the identified risks, their potential impact on your organization, and recommendations for mitigating or managing those risks.
The threat landscape is labyrinthine, running through numerous endpoints, networks, and platforms. For retail businesses, it is not only the POS they need to secure. They must also assess the risk of applications and third-party platforms such as human resource management, inventory management, customer relationship management, and e-commerce systems.
SMBs must ensure their systems are not exposed to attacks on their suppliers, and supply chain attacks go both ways: a breach at a supplier can reach its customers, and a breach at a large customer can cascade down to its suppliers, so SMBs must consider their own upstream supply chain security. Retailer Dollar Tree, which operates roughly 16,000 stores including the Family Dollar chain, was hit by a supply chain cyberattack in 2023 after a digital break-in at third-party service provider Zeroed-In Technologies. About two million people’s personal data was compromised.
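To make the assessment concrete, here is an added Python example (not from the original post, and not our assessment tool or any vendor's product) of a minimal qualitative risk register for a hypothetical five-store coffee chain. It scores each risk as likelihood times impact on a 1-5 scale, applies the controls already in place to get a residual score, flags what still exceeds an assumed risk appetite, treats third-party exposures like the supplier breach above as their own category, and tracks when each entry is due for reassessment. All assets, supplier names, scores, dates and thresholds are constructed for illustration.

```python
"""Minimal qualitative cyber risk register (added example, not the page's own tool).

Each risk is scored likelihood x impact on a 1-5 scale, the classic
risk-matrix method. Controls already in place reduce the score to a
residual value; anything still above the assumed risk appetite needs
treatment, and high residual risks get a shorter reassessment cadence.
All assets, suppliers, scores, dates and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

RISK_APPETITE = 8                  # assumed: residual > 8 must be treated
REVIEW_HIGH = timedelta(days=90)   # assumed cadence for risks above appetite
REVIEW_NORMAL = timedelta(days=365)


def clamp(n: int) -> int:
    """Keep a score on the 1-5 scale."""
    return max(1, min(5, n))


@dataclass
class Control:
    name: str
    likelihood_cut: int = 0   # points of likelihood this control removes
    impact_cut: int = 0       # points of impact this control removes


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (business-ending)
    supplier: Optional[str] = None  # set when the exposure comes via a third party
    controls: List[Control] = field(default_factory=list)
    last_assessed: date = date(2024, 1, 15)  # constructed date

    @property
    def inherent(self) -> int:
        """Score before any control is applied."""
        return clamp(self.likelihood) * clamp(self.impact)

    def residual_factors(self) -> Tuple[int, int]:
        """Likelihood and impact after every listed control is applied."""
        lik, imp = clamp(self.likelihood), clamp(self.impact)
        for c in self.controls:
            lik, imp = clamp(lik - c.likelihood_cut), clamp(imp - c.impact_cut)
        return lik, imp

    @property
    def residual(self) -> int:
        lik, imp = self.residual_factors()
        return lik * imp

    def treatment(self, appetite: int = RISK_APPETITE) -> str:
        if self.residual <= appetite:
            return "accept"
        # Third-party risk cannot be patched locally; it needs contractual
        # and assurance work with the supplier on top of local controls.
        return "mitigate via supplier assurance" if self.supplier else "mitigate"

    def review_due(self) -> date:
        cadence = REVIEW_HIGH if self.residual > RISK_APPETITE else REVIEW_NORMAL
        return self.last_assessed + cadence


def sample_register() -> List[Risk]:
    """Constructed register for a hypothetical five-store coffee chain."""
    return [
        Risk("POS terminals", "Ransomware halts card payments", 4, 5,
             controls=[Control("Offline, tested backups", impact_cut=2),
                       Control("EDR on terminals", likelihood_cut=1)]),
        Risk("Online ordering app", "Supplier breach exposes customer accounts", 3, 3,
             supplier="OrderCo (constructed)"),
        Risk("Staff mailboxes", "Phishing leads to credential theft", 5, 3,
             controls=[Control("MFA on email", likelihood_cut=1, impact_cut=1),
                       Control("Phishing awareness training", likelihood_cut=1)]),
        Risk("HR platform", "Supplier breach leaks employee PII", 2, 4,
             supplier="PeopleSaaS (constructed)",
             controls=[Control("Breach-notification clause in contract", impact_cut=1)]),
    ]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual first; ties broken by inherent score."""
    return sorted(register, key=lambda r: (r.residual, r.inherent), reverse=True)


def above_appetite(register: List[Risk], appetite: int = RISK_APPETITE) -> List[Risk]:
    """The entries that still need treatment after existing controls."""
    return [r for r in prioritize(register) if r.residual > appetite]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        print(f"{r.asset:<20} inherent={r.inherent:>2} residual={r.residual:>2} "
              f"{r.treatment():<32} review by {r.review_due()}")
```

In the constructed register, the POS ransomware entry still sits above appetite even with backups and EDR, and the online ordering supplier has no local control at all, so both land at the top of the treatment list while phishing, already covered by MFA and training, is accepted. The point of the residual column is that a control only counts once it is actually in place and tested; the point of the review date is that an entry above appetite is revisited quarterly rather than at the annual reassessment.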
Cyber resilience strategies for SMBs
Of course, every organization’s tech infrastructure is different, as is its readiness to address threats. Based on the completed assessment (an analysis of the organization’s security policies and procedures, plus an evaluation of employees’ awareness of and compliance with those policies), an SMB can create a plan to secure its perimeter, its data, and its business continuity.
A cybersecurity plan will include:
- An official cybersecurity policy, including employee training, because the human element is by far the most effective attack vector for bad actors
- Cybersecurity software tailored to your specific needs, because employee training will only get you so far
- A schedule for routine, periodic reassessments, security audits, reviews, and testing
- An incident response plan
- Cybersecurity liability insurance, to transfer the residual risk that controls cannot eliminate
The ultimate goal is to develop cyber resilience, so that the company is not in danger of catastrophic damage in the event of a virus, malware, phishing, or ransomware attack.
Cyber threats are a moving target
Threats are always changing and evolving as technology advances and as cybercriminals grow in sophistication. We live in a time of constant tech disruption that widens the potential attack surface. For example, a 2023 reassessment would have added things like ChatGPT and other large language models to the list of risks to consider, since some cybercriminals are using generative AI tools to become more efficient at their attacks. This enlarged attack surface is reason enough to treat cybersecurity as urgent.
Most if not all businesses handle customer data and have a responsibility to protect it. Data breaches and other incursions not only cause business interruption but also damage customer trust and bring class action lawsuits and the costs of investigating the incident and notifying those affected. Today, insurers offer comprehensive cyber liability policies for SMBs that can cover many of these costs, though coverage limits and exclusions vary by policy and should be read closely.
Any simple cost-benefit analysis will tilt the scales toward protecting the company’s systems rather than waiting for an incident. Small and medium-sized business owners are justifiably concerned about the cost of cybersecurity, but cybersecurity vendors are aware of the roadblocks SMBs face in shoring up their security and have designed affordable solutions for them. The National Cybersecurity Alliance advises small and medium businesses: “Many cloud-based services offer robust security features, such as data encryption and access controls, often at a fraction of the cost of maintaining an in-house infrastructure.” Our Samurai Extended Detection and Response (XDR) is one such solution, tailored to help SMBs benefit from an enterprise-grade, machine learning-powered security posture with limited resources.
Since SMB owners may not have the resources to hire an MSSP or a dedicated IT or cybersecurity leader, Samurai XDR is an automated, AI-driven platform designed to be implemented and maintained with ease, even by staff who are not technically savvy.
For more information on our small business starter package for Samurai XDR, visit here.
Key Takeaways
Q1: Why are SMBs targeted by cybercriminals? A1: SMBs are often seen as easy targets due to inadequate cybersecurity measures and the misconception that they are too small to be targeted.
Q2: What is the first step in improving cybersecurity for an SMB? A2: Conducting a cyber risk assessment to identify vulnerabilities and understand the potential impact of cyber threats on the business.
Q3: What components should be included in a cybersecurity plan for SMBs? A3: A comprehensive cybersecurity plan should include official policies, employee training, cybersecurity technology, routine assessments, and an incident response plan.