Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/28/2020
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 SMB Cybersecurity Myths Debunked

Small and midsize businesses are better at cyber resilience than you might think.

Small and midsize businesses (SMBs) are the bedrock of most national economies. And being a small-business owner is a hard job, especially during economic downturns and crises like the current COVID-19 pandemic.

When the security industry looks at cybersecurity preparedness, it is often critical of SMBs. They are often portrayed as being lax or ignorant about security issues. However, Cisco's "Big Security in a Small Business World" report, based on a survey of approximately 500 SMBs (those with 250 to 499 employees) shows that SMBs are actually paying close attention to security and that their sometimes novel and entrepreneurial approaches are paying off. 

Evidently, it's time to clear up some common misconceptions about SMBs and cybersecurity. Here are a few of the biggest whoppers.

No. 1: Only large organizations face public scrutiny.
Our first myth is that the media is only interested in the large-scale attacks and breaches that occasionally wreak havoc among governments and huge corporate entities, and that attacks on SMBs don't or won't generate headlines. However, last year, smaller organizations garnered roughly the same coverage as their larger counterparts. In the Cisco survey, approximately half (49%) of SMBs reported that they were subjected to public scrutiny after a security incident.

Similarly, in 2019, 59% of SMBs voluntarily reported their largest data breach last year, as did 62% of larger businesses. Obviously, smaller outfits are dedicated to preserving their relationships with their customers and partners.

Interestingly, a majority of smaller businesses said they get enquiries from the people they serve about how they handle their data: Seventy-four percent of SMBs and 73% of larger companies reported that customers or prospects ask these questions about the firm's approach to cybersecurity. In other words, customers care about their personal data, and they need to trust the companies in possession of it.

No. 2: After a cyberattack, big businesses have less downtime and recover faster.
A major security incident can result in massive disruption in any business, large or small. But if you're an SMB, the most important consideration is not the length of downtime per se, but rather how you can ensure your resources aren't completely maxed out. In this regard, automation might be just what you need. It can provide both early warnings of attacks and quick responses to them, which can help safeguard your business. Research indicates that SMBs and larger organizations experience roughly equivalent downtimes after cyberattacks. Specifically, last year, 24% of SMBs were hobbled for more than eight hours as a result of their most critical security breach. Thirty-one percent of larger organizations reported a similar downtime duration after a major incident.

Fortunately, the use of automation as a security weapon is catching on. The Cisco report wraps up stating that in order to simplify and accelerate threat detection and response, a respectable majority (77%) of organizations of all sizes plan to automate their security landscape over the next 12 months.

What attacks are these companies hoping to avert? Ransomware, the threat most likely to cause 24 hours or more of system downtime, topped the list. DDoS attacks were the third most destructive attack in terms of downtime, particularly for large organizations with 10,000 or more employees.

No. 3: SMB leaders are lax about security and data privacy.
For any business with a digital presence, it's obvious that solid, always-available IT systems are a key to revenue generation, company reputation, and brand value. It's just as clear that for security to be done right, leaders have to support it, whether or not the business has 50 or 50,000 employees under its roof.

And the data shows that, indeed, SMB executives are keenly aware of all this. In fact, 87% of SMB executives polled by Cisco agree that security is a high priority — only 3 points below their counterparts in larger businesses. More than 66% of respondents in 17 different industry verticals said their leaders considered security as a top priority.

Closing Notes
The verdict is in: SMBs are no laggards when it comes to cybersecurity, and in many respects are faring no better or worse at it than their far larger counterparts. The data shows that SMBs actively consider security during their strategic planning and in the running of their daily business.

But SMBs also face special challenges. Many feel a continual pressure to grow and are doing it by deploying ever-larger mobile and remote workforces. While this can help a company achieve its growth goals, it also opens it up to a universe of dangerous security threats.

That's why beefing up security with state-of-the-art cybersecurity technology can pay off. Last year, SMB respondents who only replaced or upgraded security technologies after they stopped working had to deal with 7.6 hours of downtime after their worst security breach. In comparison, companies that had up-to-date systems were offline for only 5.4 hours.

The lesson is clear: In terms of cybersecurity, automated security tools with built-in analytics — ones that can detect and mitigate even unknown threats — can help SMBs play with the big boys.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...