In the wake of a severe global pandemic, businesses of all sizes have adapted to new work methods. In addition, mandatory health guidelines for curtailing the spread of coronavirus have seen millions of SMBs worldwide scale down daily operations significantly or shut down altogether. One of the most notable changes is an unprecedented adoption of digital technologies to enable remote working approaches. Specifically, a rapid shift to virtual work strategies has resulted in an increased uptake of innovative digital tools, platforms, and solutions for various reasons, including efficient customer interactions, retaining supply chains and assisting employees in remaining productive throughout the crisis.
However, increased reliance on digital solutions for daily business activities has provided nefarious cyber actors with new opportunities for attacking SMBs. Although technologies have become ingrained in the critical operations of most SMEs, only a few have access to deep financial and human resources needed to match the rising cyber threat landscape. Besides, before the pandemic, SMBs provided hackers with easy data breach targets. A 2021 report on the state of data security found that small businesses lose more than $114 billion every year, with negligence and poor cybersecurity practices contributing to nearly 25% of the breaches.
In addition, the cybersecurity threats surrounding SMBs are multifaceted. While most are under-resourced and lack access to modern cybersecurity solutions based on AI and machine learning, a pervasive global shortage of cybersecurity professionals and skills continues to hamper SMBs' cybersecurity programs. Also, small and ill-equipped cybersecurity teams are no match for cyber adversaries that utilize newer and innovative technologies to perpetrate stealth data breaches and network intrusions. Furthermore, small businesses' cybersecurity threats and challenges extend beyond skill shortage and inadequate resources – they are often too advanced or too stealth for SMBs to deal with or protect themselves.
SMB Cybersecurity Statistics 2021
The Small Business Administration's Office of Advocacy (SBA) estimates that there are 30.7 million small businesses in the US alone or 99.9% of all US-based companies. Thus, cybersecurity for SMEs is a vital topic for small business owners and industry leaders. However, the inadequacy of financial and human resources implies that SMBs should approach cybersecurity using a much different perspective than large organizations. The following statistics paint a grim picture of the cybersecurity threats and challenges facing small business owners.
1. Cyber attacks target small businesses the most
A recent study on the cost of cybercrime found that 43% of all cyberattacks target small and medium-sized enterprises. Hackers prefer attacking small companies due to several factors: a lack of resources to harden network and data security and a misconception that upcoming businesses cannot be hacked since they don't have the money to interest attackers. Due to this, the same study found that only 14% of small business owners are well prepared to protect themselves from attacks.
2. Inability to detect against attacks
In light of the statistics in point one above, many small businesses cannot protect themselves. According to a 2019 State of Cybersecurity Report by Ponemon Institute, 45% of SMBs worldwide said that the cybersecurity processes they have implemented are usually ineffective in the fight against cyberattacks and threat mitigation. As a result, 66% of small business owners indicated that their businesses experience at least one cyber incident every twelve months. Also, 69% of security professionals believe that cyberattacks surrounding SMEs are more targeted. Specifically, social engineering/phishing attacks account for 57% of all attacks, followed by stolen/compromised devices at 33%.
3. Significant costs resulting from attacks
The cost of a data breach can potentially impact small to medium-sized businesses for months or even years. An adverse cyber incident results in unplanned expenses that are not included in annual IT security budgets. The costs vary depending on the impact of an attack and comprise business operation disruptions, system downtime causing revenue losses, ruined brand reputation, and data theft. The Hiscox Cyber Readiness Report 2021 found that the costs of a cyberattack threaten the survival of one in six small businesses involved in an attack. Additionally, a single cyber incident can cost SMEs not less than $34,604, with some attacks costing as much as $200,000.
4. Insider threats cost small businesses $7.68 million annually
Insider threats are the most dangerous since they are nearly impossible to detect, and the threat actors already have trusted access privileges. As a result, cyber incidents from insider threats are costly and damaging. For example, the Cost of Insider Threats Global Report by IBM and the Ponemon Institute showed that an insider threat-instigated cyber incident costs small businesses (organizations with less than 500 employees) an average of $7.68 million. Unfortunately, similar to other attack incidents, insufficient resources and a lack of robust access control mechanisms, such as least access privilege controls, inhibit SMEs from protecting against insider threats.
5. Nearly half of SMEs don't have a cybersecurity defense plan
A myriad of challenges plagues SMEs in all industries today. However, the cybersecurity intricacies designed for large enterprises have not traditionally featured SMEs. Also, small businesses often operate in a unique nature that warrants customized cybersecurity procedures and practices. The following are the top challenges preventing SMEs and startups from achieving industry-standard cybersecurity postures.
Cybersecurity challenges facing SMEs
1. Low level of awareness of cybersecurity threats
On average, fifty new cybersecurity vulnerabilities were discovered every day in 2020, totaling 18,103, more than in any other year. In addition, cybersecurity firms register almost 450,000 new malware variants every day. This means that business owners are required to be fully aware of new cybersecurity threats, trends, vulnerabilities, and emerging malware variants to protect their businesses adequately. However, SMEs may lack enough awareness concerning cybersecurity threats. Most small business owners are more concerned with finding new markets, acquiring new customers, or developing new products/services. Cybersecurity comes as a second thought, and in-house IT staff may not have the time to research emerging cybersecurity trends and how they can protect their organization better from modern threats. Insufficient awareness regarding emerging cyber threats and how to deter them exposes most SMEs to severe threats.
2. Low cybersecurity budget allocations
Cybersecurity is crucial for large organizations and SMEs. Like other core business operations, cybersecurity requires a significant financial investment, thus an adequate budget allocation. Cybersecurity financing not only protects against data breaches and attacks but also aids compliance with existing data protection and information security regulations. Most small business owners perceive cybersecurity investment as a strain on other functions tailored towards meeting set objectives, but the cost of a data breach is even higher. The cost of a data breach impacting SMEs may start at $120,000 and reach up to $1.24 million. However, hiring qualified security experts or acquiring in-house cybersecurity solutions that require constant upgrading and maintenance is expensive. Thus, financial constraints often leave SMEs with no choice but to outsource their cybersecurity needs to verified and tested managed service and security providers.
3. Inadequate data protection practices
In the modern business landscape, SMEs require sensitive information to compete effectively with their competitors. Data is currently the lifeline of business operations since data analytics assist in research, development, and access to new markets. Nevertheless, small businesses rarely have the resources, expertise, or experience to classify data according to sensitivity and protect it accordingly. For example, small business owners may lack the capacity to determine their 'crown jewel' data, where it is stored, who can access it, and the security levels required for each type of data. Therefore, they may lack robust least privilege access controls or role-based access controls. Cybercriminals will always go for the softest targets, and SMEs perfectly fit that description. Inability to secure sensitive information exposes small businesses to various data security risks.
4. Lack of adequate management support
Sufficient management support is vital to the success of any initiative, including cybersecurity programs. Lack of proper senior management support is one of the primary cybersecurity challenges facing SMEs. In particular, it is an uphill task to convince the management of an upcoming company to invest finances, time, and resources in functions that don't result in direct value to the business. In contrast, C-suite executives of large enterprises often depend on their in-house cyber experts to assess organizational cybersecurity assessments, recommend the required management support, and act appropriately. However, SMEs don't have the luxury, and senior management usually relies on their limited knowledge and an ill-equipped, underfunded, and often ignorant IT department to make cybersecurity decisions. In addition, mature cybersecurity processes require the unwavering of senior management to be effective.
5. A rapid shift to remote work
The COVID-19 came as a blessing and a curse to most SMEs. On the one hand, remote working requirements came as an eye-opener of work from home benefits, such as flexible work routines and the ability to maintain employee productivity amid economic shutdowns and collapse. On the other hand, remote working requires an accelerated adoption of digital solutions, which are a nightmare to secure and result in an expanded attack surface. Nevertheless, despite the cybersecurity challenges, 59% of SMEs without office space consider the benefits to outweigh the shortcomings and, therefore, plan to embrace remote working. Nevertheless, embracing new technologies to enable remote working requires significant investments and time to secure them adequately. In addition, authentication and access controls need expertized but costly assistance, and the limited financial resources inhibit small business owners from realizing the recommended cybersecurity posture.
6. Personal devices/shadow IT
Shadow IT is the unsanctioned or unauthorized use of personal IT assets in the workplace. For example, at least 80% and 67% of SME employees use Software as a Service (SaaS) applications and introduce unauthorized collaboration tools without requesting permission from IT, respectively. In most cases, securing shadow IT requires organizations to implement endpoint management systems that provide complete visibility of devices connecting to the corporate network. Personal devices also need a 24/7 security team to monitor the devices for adverse security events and respond in real-time. Failure to do so exposes a company to multiple cybersecurity threats, among them being data loss, inadequate data security, and unauthorized information access. However, if any, only a few SMEs can maintain an in-house endpoint detection and response system and the associated personnel needed to secure shadow IT.
7. Inadequate cybersecurity guidelines
The unavailability of appropriate guidelines regarding cybersecurity standards, whitepapers, and other industry-standard cybersecurity guidelines explicitly developed for SMEs prevents them from achieving a healthy security posture. Guidelines that exist are often generic, such as 'implement data backups, install an antivirus, configure the firewall, etc.,' but don't provide step-by-step measures that guide on how to enhance organizational cybersecurity. On the other hand, most of the existing cybersecurity guidelines are tailored for large enterprises implementing a robust cybersecurity framework. An example is a guideline requiring an enterprise to 'appoint a data security officer and ensure cybersecurity roles are well separated.' While such policies are effective for companies with existing cybersecurity frameworks, they are usually infeasible for SMEs. Standardized cybersecurity guidelines are crucial to realizing practice cybersecurity programs that protect against different kinds of threats.
8. Insufficient cybersecurity personnel and expertise
Cybersecurity is a vast field with multiple areas of specialties. For example, a network security administrator may not have the experience to hunt for threats in endpoints using data analytics and threat intelligence. Most Fortune500 organizations maintain cybersecurity professionals proficient in different roles to maximize human expertise in thwarting cyber threats, a feat that SMEs can only dream of having. Therefore, it is unsurprising to find a cybersecurity employee in a small business multitasking since they may be responsible for different roles and other IT processes. Some critics may argue that deploying various cybersecurity solutions can provide the required protection, but they also require special knowledge to configure and deploy efficiently. Hence, SMEs must hire the services of a managed security provider that offers world-class cybersecurity solutions, certified experts, and innovations designed to address modern information security threats.
What can be done?
The most sound course of action that SMEs can take to attain the same level of protection as large enterprises is to outsource cybersecurity to a competent managed service provider. A managed security provider has the knowledge, resources, certified cybersecurity experts, and state-of-the-art endpoint security and management systems to protect against sophisticated threats. In addition, the following measures can also provide a reasonable level of cybersecurity posture.
- Employee training and awareness: Human error causes at least 95% of all cybersecurity incidents. Therefore, cybersecurity training and awareness for all employees should be a focal point of any SME. Some pieces of training are expensive, especially when done several times a year, but they are worth the investment rather than waiting for an employee to cause a data breach through ignorance or errors.
- Updating and patching: SMEs must install the latest updates and security patches on all devices, applications, and operating systems. The latest updates counter the newest vulnerabilities and threats, making it harder for cyber adversaries to execute a data breach. However, outdated applications may contain exploitable security weaknesses that result in serious breaches.
- Robust password policies and multi-factor authentication: Password security is the most used defense method for individual users and organizations. Due to increasing password security risks, SMEs should ensure that all employees create strong passwords using recommended password security guidelines. Also, enabling multi-factor authentication can prevent malicious actors from gaining unauthorized access even if they have the correct password and username combination.
- Invest in a VPN service: VPN solutions protect data shared or transmitted through an insecure home or public network. Also, VPNs are practical solutions that provide secure remote connectivity. In light of a rapid transition to remote working methods, VPN services should be mandatory components of an SME cybersecurity program.
Protect your business with Pulsar Security
Pulsar Security is the perfect partner for SMEs looking to bolster their cyber defenses. The Pulsar Cyber shield is designed to provide a comprehensive set of solutions that bring optimized security benefits at an affordable cost. With cyber threats evolving at an alarming rate, frequent vulnerability assessments, dark web assessments, and 24/7/365 monitoring assure SMEs of early threat detection, real-time alerting and notification, and real-time response to deter the threats. In addition, Pulsar Security boasts of the best cybersecurity experts with relevant certifications capable of performing advanced penetration tests and simulated phishing attacks to assist SMEs in achieving a healthy cybersecurity posture.