Cyberattacks among small and medium businesses (SMBs) are becoming more and more commonplace, and the ramifications can be huge. A 2021 IBM study found that 60% of businesses with fewer than 500 employees go out of business within six months of a cyberattack.
A recent survey of 850 organizations ranging in size from 10 to 1,000 employees found that 64% of respondents reported that their organization had suffered a cyberattack.
Small and midsized businesses make particularly attractive targets for cyber criminals. They have much of the same information, customer data, and digital infrastructure as larger organizations, but are easier targets for three key reasons:
- Lack of information
- Lack of resources
- Growing threat landscape
Let’s dig into those areas.
Lack of Information
Cyber criminals target midmarket and small businesses because they are viewed as easier targets due to a lack of protection for some of their resources. In some cases, a lack of understanding of appropriate security technologies can leave businesses vulnerable. At other times it’s a lack of resources that leaves SMBs vulnerable and, in turn, results in attacks becoming more commonplace.
According to the Keeper Security-Ponemon Institute report, 6 out of 10 SMBs report that attacks against them are more targeted, sophisticated, and damaging; yet 47 percent of them have no idea how to protect their companies from cyberattack.
That lack of understanding can extend to employees. Businesses often don’t have a security training program in place, leaving employees less likely to be able to detect social engineering attacks and email phishing scams. Those scams include impersonation attacks in which attackers send official-seeming email messages that entice victims to reveal sensitive financial and personal data.
In fact, research commissioned by cybersecurity company BullGuard found that one-third of companies with 50 or fewer employees report using free, consumer-grade cybersecurity, and one in five companies use no endpoint security whatsoever.
More alarming is that the same study found that 43% of SMB owners have done no cybersecurity planning at all. This leaves them unable to quickly detect a cyberattack, and unprepared to efficiently respond to an attack once it is detected. This leaves sensitive financial and customer data—even the company itself—at significant risk.
Lack of Resources
Mid-sized organizations face sophisticated cyberattack methods with far fewer resources than large enterprise organizations. They have fewer IT staff, or for smaller businesses, no dedicated IT staff at all. In fact, 52% of SMBs claim they don’t have an in-house IT professional on staff, according to Untangle’s 2019 SMB IT Security Report.
These organizations see implementing and investing in IT security solutions as a strategic business objective, yet many are constrained by budget. According to the same Untangle report, almost 30% of SMBs invest less than $1,000 a year in IT security, with 52% noting that this responsibility is distributed across other roles within the company.
In the meantime, the demand for cybersecurity professionals far outpaces available supply, with research by ISC2 showing a global security workforce shortage of more than 2.7 million people. Finding talent is especially hard for small businesses, which must compete with larger organizations that can offer better salaries and more attractive benefits packages.
To make matters worse, research by security firm Trellix found that this gap is likely to grow, with almost one-third (30%) of the current workforce planning on changing professions in the future.
The consequences are significant. With resources stretched thin, an SMB is more likely to have misconfigured systems, not enough time for effective risk assessment, and undeployed security patches. This leaves them more vulnerable to attacks, slower to respond to attacks, and even more susceptible to future attacks as system maintenance is deferred while attacks are mitigated.
Growing threat landscape
All organizations face a growing threat from cyber criminals, whose attacks are growing in volume and sophistication. A Microsoft report found that ransomware attacks increased 1,070% year-over-year between July 2020 and June 2021.
In fact, small businesses reporting at least one cyber incident increased from 33% to 47% in one year. For medium-sized businesses, the increase is even greater, moving from 36% in 2018 to 63% in 2019.
The increase is primarily because hackers aren’t using different tools for different types of companies; they’re launching the same types of assaults on several companies by literally copying and pasting malicious code.
This makes attacks on small and medium businesses especially problematic, particularly because the attack methods are just as advanced as those hackers use on bigger companies. Duplicating attacks allows cyber criminals to launch attacks faster. As a result, smaller companies can easily find themselves inundated by a series of sophisticated attacks.
Resources and recommendations
The best course of action for small or midsized businesses to take before a cyberattack happens is to get a security assessment that details exactly where they are most vulnerable. If a business has already fallen victim to an attack, it’s not too late to learn from the experience by improving its overall cybersecurity posture and state of cyber readiness going forward.
vCom Solutions can help with every aspect of cybersecurity. Our experts can ensure that all devices connecting to your network are properly configured and protected with anti-malware software and strong encryption protocols. We can help ensure that sensitive data has multiple backups, can monitor systems for attacks, can create risk assessments, and can help educate employees.