Information Security Risk from a Small Business Perspective


I have been reading more and more about the dangers of cyberattacks and their costly impact to business, but the thing that stuck out to me was the profound impact on small businesses. Small businesses are increasingly a target for attack, and so many are unprepared.

The U.S. Small Business Administration, Office of Advocacy, reported there are 28 million small businesses in the United States that have fewer than 500 employees. Of these, 37% have fewer than 20 employees. In April 2016, Symantec published its Internet Security Threat Report, which reported that in the last five years, attacks against small businesses with fewer than 250 employees comprised 43% of all attacks. The report goes on to say that part of the reason is the lack of investment smaller firms make compared to larger enterprises. US congressman and Chairman Steve Chabot of the Committee on Small Business held a full committee hearing titled “Foreign Cyber Threats: Small Business, Big Target” in 2016 to examine the risks faced by small and medium-sized organizations. The underlying message is that small companies are not immune to attack and protective measures need to be implemented.

The challenge can seem daunting for many small business owners. Many have no idea what is really needed to protect their investments from cyber criminals. Many simply don’t know where to go for help or what questions to even ask. Others feel the investment is too great for the return. Let’s take a moment and look at the actual financial impact a data breach can have on a small business.

In 2013, the average cost related to cyberattacks on small businesses was $8,699 per attack. Today, that number has risen to $20,752 per attack. Criminals are using more sophisticated techniques than ever before to gain access to sensitive information, like personal health information, credit card data, personal identity information, social security numbers, etc. The National Cyber Security Alliance reported that 60% of small businesses will close within 6 months of a cyberattack.

In 2015, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, stated “Protecting information and systems makes good business sense. It reduces your risk and allows you to do more business in a safer environment (and increases your profit, too!)”

The big question for many is where to start investing in cybersecurity. Typically, the best place to start is by performing a risk assessment and determining the extent of investment required. Can you invest too much? Yes. It is important that the right investments are made, and that you implement tools and processes that are aligned with the findings of a risk assessment. Believe it or not, one of the most effective ways to start protecting your business is by ensuring your employees are trained on typical threats they might face. It is the intersection of people, processes and tools that equates to successful risk mitigation.

In 2017, there is no reason to expect things will be any better for small businesses. A significant increase in attacks is highly likely. Last year, ransomware was a major problem for small businesses. Ransomware can be best defined as a type of malicious software that prevents users from accessing systems until a fee is paid. Companies that take adequate backup measures can avoid the fee, but there is inevitable downtime to restore files from backup. In 2017, the use of ransomware looks to be even more pervasive than last year. Unfortunately, ransomware is just one type of threat faced by small businesses.

Ultimately, business owners need to determine what level of risk is acceptable to them, as it is impossible to fully eliminate risk from the equation. It is no longer if you will be attacked, but when. Small businesses can do a lot to limit the impact of security-related threats. Threats are numerous and come from a variety of different avenues, like cyberattacks, employee mistakes, physical attacks, natural disasters, etc. It is all about mitigating these high-impact threats, thereby reducing your overall risk.

Don’t be afraid to invest in security and compliance, but do so wisely. Most small businesses cannot afford to implement a security practice within their organization. Instead, many small businesses are focused on investing in services that exist to completely manage, monitor and defend, in real time, any and all suspicious activity. This allows the small business owner to focus on what they do best, while providing them the peace of mind that there are teams of people actively protecting their investments and mitigating risk. These services are far less costly than a single security resource. Investments in cybersecurity are a good business practice and, unfortunately, here to stay.

My final thoughts are that taking a risk-based approach to security is essential. Investments are required, and the threat of cyberattacks is not going away anytime soon. Remember, a cyberattack can be not only financially costly, but also damaging to your reputation. Leverage tools, processes and services that make sense and allow you peace of mind. Please feel free to connect with me if you want to discuss further.

Andrew Warren


Andrew Warren is a results-driven and client-focused professional with over 18 years of diverse Healthcare and IT experience. Andrew specializes in process improvement and project management, including agile methodologies.
