Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Marc Wilczek

Under Attack: Over Half of SMBs Breached Last Year

Many small and midsize businesses work faster and harder than large enterprises, but they're just as vulnerable to cybercrime.

Today, every company, large or small, that does business online is prey for cybercriminals. Unfortunately, the smaller ones (with fewer than 250 employees) and midmarket firms (250 to 499 employees) are often the first to be hit. Moreover, they can serve as springboards for larger hacking campaigns. The bad guys see small/midmarket businesses as low-hanging fruit because they typically have only basic security precautions in place and lack the sort of in-house staff equipped to deal with serious IT threats.

According to Cisco's "Small and Mighty" Cybersecurity Special Report — drawing on data gathered from 1,816 respondents across 26 countries — more than half (53%) of midmarket companies suffered a security breach in 2018.

As outlined in the survey's report, respondents worry most about targeted attacks against employees (think phishing), advanced persistent threats (such as new types of malware), and distributed denial-of-service attacks (which flood a company's servers with so much traffic that they crash).

Cloud Adoption Requires Cloud-Based Defense Strategies
Because they are such attractive targets — and especially since they usually lack knowledgeable IT staff or dedicated network security personnel — smaller businesses need to be extra vigilant and find creative ways to detect and mitigate online skullduggery, perhaps even more so than their larger counterparts.

In response to these security challenges, many companies are choosing to take advantage of cloud-based security solutions that cost less than the human alternatives. The use of cloud services among smaller businesses is increasing every year. According to Cisco, 55% of these businesses said in 2014 that some of their networks were hosted in the cloud; in 2017, that rose to 70%.

Clearly, rather than doing it themselves, smaller businesses are turning to hired IT guns to provide corporate cybersecurity. According to the survey, 57% use outside advice and consulting; 54% outsource incident response; and 51% employ external firms to monitor security. Not a bad idea in light of the global shortage of cybersecurity talent.

40% of Respondents Taken Offline for More Than Eight Hours
Most of today's small/midmarket businesses understand that the more complex their product and vendor environment is, the greater their responsibilities. For example, 77% of midmarket businesses say they had trouble setting up alerts. Consequently, a mere 54% of these alerts are looked into, leaving 46% beneath the surface, ready to do damage. Not every unattended alert will be damaging, but the ones that are can be catastrophic.

Cisco's Benchmark Study found that in 2018, 40% of respondents at smaller companies (250 to 499 employees) had eight hours or more of downtime attributable to a major security breach. The research suggests the same occurred in the bigger organizations in the study (500 or more employees). The key difference is that larger firms tend to be better off than their smaller counterparts after an attack because they have more resources to devote to response and recovery. Also, 39% of respondents experienced a severe breach in at least half of their systems. Smaller-scale companies are less likely to have many different locations or business departments, and their critical systems are usually more interconnected.

Recovering from a Cyberattack Can Be Difficult and Costly
Twenty-nine percent of midmarket companies say breaches cost them less than $100,000. A further 20% estimate that breaches cost between $1 million and just under $2.5 million, a number that would probably put an unprepared small/midmarket firm out of business for good.

The Better Business Bureau (BBB) did a recent study to show how much smaller businesses can struggle after a major cyberattack. The BBB asked North American small business owners "How long could your business remain profitable if you permanently lost access to essential data?" A mere one-third (35%) replied that they could stay profitable for more than three months. Over half of them said their financial well would run dry in less than a month.

Security Has Reached the Boardroom
The upside is that cybersecurity is now a common topic of boardroom discussion. Ninety-two percent of midmarket businesses now have a senior person in charge of security in one way or another, as noted in Cisco's report. A respectable 42% of them have installed a CISO, and another 24% have hired a chief security officer.

Another positive note is that a solid majority (91%) of midmarket firms test their incident response plans at least once a year by running drills. However, one wonders whether incident response plans are enough of a defense to ward off attackers, who seem to be getting smarter and using more sophisticated technology every day.

To keep pace with the bad guys, small/midmarket businesses must continue to improve their cybersecurity and acknowledge that even smaller changes are better than no changes at all. The online threat landscape is wide-ranging and always changing, and the targets of attack are increasing in number. In response, security technologies and strategies have to evolve the same way.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...

User Rank: Moderator
4/8/2019 | 2:42:20 AM
Due diligence
While the companies are all required to have their own form of protection up, I sure hope that the cloud data storage companies are going to play their part and do what they can to protect all of their customers from being hacked too. I don't think that anybody would be so specifically targeted as opposed to trying to hit on the whole mainframe of the cloud network.
User Rank: Ninja
3/26/2019 | 10:51:41 AM
Cryptolocker and restore in hours
Small business can be very small indeed.  Before moving to Georgia in 2014, I had my own managed services business - just me and another consultant.  One of my clients was a lovely 501C3 museum I had been associated with like forever and they got Cryptolocker at 1:20 am on the executive director's machine.  Bounced to the server and everything went up into the air.  Everything.  When they called in panic, I picked up my dedicated Dell system to their server as off-site backup.  Not a drive but a whole computer.  Car, drove it down and as it had same name as server, everybody had data access fast.  Now the server could then be rebuilt fast and in 3 hours I had all data restored and server running fine.  Only lost desktop on Executive director station and I did not know he used a part of the.  98% restore.  Now that is a small one, very small, but illustrative of point of this article.  SMALL firms are vulnerable unless they have good staff or good consultant staff.  (I should have charged more for my restore - well, lesson learned).