As if running a small-to-medium-sized business wasn’t difficult enough.
In recent years, SMB cybersecurity has gained a spot on the worry list of many owners and operators. Cybercriminals are increasingly setting their sights on SMBs to extract ransom money, customer information, and other valuable data.
Symantec found that 43% of spear-phishing attacks in 2015 were aimed at businesses with 250 or fewer employees. That’s a jump from 34% of such attacks in the previous year. The suspected reason: staffing and budgetary concerns force SMBs to deprioritize cybersecurity.
A recent report from the Ponemon Institute and Keeper Security paints a similar picture. The survey of 598 IT professionals in the SMB realm found that 55% of companies had experienced a cyberattack in the last 12 months. A full half said they had been the victim of a data breach.
These stark figures make sense, depressingly, since only 14% of respondents described their companies as “highly effective” at mitigating cyber risks. Additionally, 76% of companies reported that their technical solutions (anti-virus software, firewalls, etc.) did not prevent malware from infecting their systems.
Damage Served Two Ways
Researchers found that SMBs paid a pretty penny in the aftermath of a cyberattack or breach. The companies surveyed spent an average of $879,000 on restoring damage or stolen IT assets, and another $955,000 on disruptions to normal operations. In total, cyberattacks cost SMBs roughly $1.8 million in 2015.
The damage from a breach or cyberattack doesn’t necessarily stop there, however.
As any tiny coffee shop or start-up tech firm will tell you, reputation is huge to both attracting and retaining business. From Yelp reviews to good old word of mouth, SMBs of all sorts often live and die by the words of customers.
It’s no surprise, then, that 66% of those surveyed listed customer records as the type of information they’re most worried about losing in a data breach. Studies show that once a breach of such information is announced, a company can kiss customer goodwill goodbye. A 2015 Vormetric survey found that 84% of Americans would take their business elsewhere after news of a data breach at their favorite retailer.
Here we see the dual impact data breaches often have made clear: staggering repair and operational costs combined with a crippling blow to reputation. Either could easily be the death knell for an SMB.
Employees as Common Thread
Unsurprisingly to us, phishing or other social engineering techniques ranked second-highest on the list of attack methods against SMBs. Forty-three percent of respondents said their company had fallen victim to phishing, second only to web-based attacks.
Separating attacks from confirmed data breaches, however, showed a different (but still human-based) trend. Negligent employees or contractors accounted for 48% of data breaches, the most common cause asked about in the survey.
It’s clear that the story with SMB cybersecurity and data privacy is the same as with large companies: the human element is the biggest threat.
Unfortunately, SMBs are even less equipped than larger businesses to deal with cyberthreats given their limited resources. Sixty-seven percent of respondents cited insufficient personnel as the biggest challenge to a strong cybersecurity posture. The limited staff are likely overworked, too: 54% of respondents said their organization’s IT staff are also responsible for cybersecurity concerns.
Toward a Solution
With limited resources, it might seem attractive for SMBs to shirk away from employee awareness initiatives. After all, overworked IT staff likely have enough to do without having to worry about teaching their coworkers cybersecurity or data privacy best practices.
What’s an SMB to do?
For one: don’t overlook employee awareness! The best, and perhaps only, way to effectively address your human-side problems is with training and reinforcement that hits on your most pressing risks. Even a relatively bare bones approach to awareness, with a few general training topics teamed with reinforcement, is better than letting employees fend for themselves.
A training initiative can sound like a lot of work, but with the right vendor, it doesn’t have to be. Seek out a provider experienced in getting effective training up and running quickly and easily.
If additional training or learning reinforcement content is needed, a vendor should be able to provide this, too. An all-in-one approach keeps overworked IT staff from having to wrangle multiple vendors, each with a different piece of the awareness puzzle.
SMBs are known for employing jacks and jills of all trades, folks that can take on multiple tasks with gusto and drive them through to completion. The report referenced above certainly bears this out in the IT and cybersecurity space.
So, in a world where SMB cybersecurity often is at the hands of employees, working with an awareness vendor that can also “do it all” becomes increasingly important. An SMB’s bottom line and reputation could depend on it.
Learn what MediaPro can do for your business by contacting us or requesting a demo.