Under Attack: Over Half of SMBs Breached Last Year

Many small and midsize businesses work faster and harder than large enterprises, but they're just as vulnerable to cybercrime.

Marc Wilczek, Digital Strategist & COO, Link11

March 26, 2019

5 Min Read

Today, every company, large or small, that does business online is prey for cybercriminals. Unfortunately, the smaller ones (with fewer than 250 employees) and midmarket firms (250 to 499 employees) are often the first to be hit. Moreover, they can serve as springboards for larger hacking campaigns. The bad guys see small/midmarket businesses as low-hanging fruit because they typically have only basic security precautions in place and lack the sort of in-house staff equipped to deal with serious IT threats.

According to Cisco's "Small and Mighty" Cybersecurity Special Report — drawing on data gathered from 1,816 respondents across 26 countries — more than half (53%) of midmarket companies suffered a security breach in 2018.

As outlined in the survey's report, respondents worry most about targeted attacks against employees (think phishing), advanced persistent threats (such as new types of malware), and distributed denial-of-service attacks (which flood a company's servers with so much traffic that they crash).

Cloud Adoption Requires Cloud-Based Defense Strategies
Because they are such attractive targets — and especially since they usually lack knowledgeable IT staff or dedicated network security personnel — smaller businesses need to be extra vigilant and find creative ways to detect and mitigate online skullduggery, and perhaps even more so than their larger counterparts.

In response to these security challenges, many companies are choosing to take advantage of cloud-based security solutions that cost less than the human alternatives. The use of cloud services among smaller businesses is increasing every year. According to Cisco, 55% of these businesses said in 2014 that some of their networks were hosted in the cloud; in 2017, that rose to 70%.

Clearly, rather than doing it themselves, smaller businesses are turning to hired IT guns to provide corporate cybersecurity. According to the survey, 57% use outside advice and consulting; 54% outsource incident response; and 51% employ external firms to monitor security. Not a bad idea in light of the global shortage of cybersecurity talent.

40% of Respondents Taken Offline for More Than Eight Hours
Most of today's small/midmarket businesses understand that the more complex their product and vendor environment is, the greater their responsibilities. For example, 77% of midmarket businesses say they had trouble setting up alerts. Consequently, a mere 54% of these alerts are looked into, leaving 46% beneath the surface, ready to do damage. Not every unattended alert will be damaging, but the ones that are can be catastrophic.

Cisco's Benchmark Study found that in 2018, 40% of respondents at smaller companies (250 to 499 employees) had eight hours or more of downtime attributable to a major security breach. The research suggests the same occurred in the bigger organizations in the study (500 or more employees). The key difference is that larger firms tend to be better off than their smaller counterparts after an attack because they have more resources to devote to response and recovery. Also, 39% of respondents experienced a severe breach in at least half of their systems. Smaller-scale companies are less likely to have many different locations or business departments, and their critical systems are usually more interconnected.

Recovering from a Cyberattack Can Be Difficult and Costly
Twenty-nine percent of midmarket companies say breaches cost them less than $100,000. A further 20% estimate that breaches cost between $1 million and just under $2.5 million, a number that would probably put an unprepared small/midmarket firm out of business for good.

The Better Business Bureau (BBB) did a recent study to show how much smaller businesses can struggle after a major cyberattack. The BBB asked North American small business owners "How long could your business remain profitable if you permanently lost access to essential data?" A mere one-third (35%) replied that they could stay profitable for more than three months. Over half of them said their financial well would run dry in less than a month.

Security Has Reached the Boardroom
The upside is that cybersecurity is now a common topic of boardroom discussion. Ninety-two percent of midmarket businesses now have a senior person in charge of security in one way or another, as noted in Cisco's report. A respectable 42% of them have installed a CISO, and another 24% have hired a chief security officer.

Another positive note is that a solid majority (91%) of midmarket firms test their incident response plans at least once a year by running drills. However, one wonders whether incident response plans are enough of a defense to ward off attackers, who seem to be getting smarter and using more sophisticated technology every day.

To keep pace with the bad guys, small/midmarket businesses must continue to improve their cybersecurity and acknowledge that even smaller changes are better than no changes at all. The online threat landscape is wide-ranging and always changing, and the targets of attack are increasing in number. In response, security technologies and strategies have to evolve the same way.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

About the Author(s)

Marc Wilczek

Digital Strategist & COO, Link11

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across the ICT industry. Before serving as chief operating officer at Link11, he was member of the management board of T-Systems' Computing Services & Solutions (CSS) division. Prior to that, he served as senior vice president, Asia Pacific/Latin America/Middle East & Africa at CompuGroup Medical, and as managing director, Asia Pacific, for Sophos. He is an Alfred P. Sloan Fellow and holds master's degrees from FOM Graduate School for Economics and Management in Frankfurt and London Business School.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights