A Practical Guide to High-Risk Cybersecurity for Small & Med-Sized Businesses

In today's business world, internet has become an necessary tool. Companies of all sizes have integrated the internet into nearly every aspect of their operations, a trend that is likely to accelerate as businesses embrace mobile and cloud computing to a greater extent. And, while the internet has facilitated tremendous economic growth, it has also introduced significant security risks. Massive data breaches have become commonplace, and the average cost of such breaches hit new highs last year. Cybersecurity is clearly a concern shared by the entire business community, but it poses a particularly dangerous threat to smaller businesses. The reason is straightforward: small and medium-sized businesses ("SMBs") are not only targets of cybercrime, but its primary target..In fact, the majority of all targeted cyberattacks last year were directed at SMBs. Even more concerning is the fact that cybercrime poses an existential threat to small and medium-sized businesses. It is estimated that half of small businesses that experience a cyberattack go out of business within six months.

Cybercrime Dilemma

Smaller businesses are not the only ones who should be concerned.Many SMBs have direct and indirect business relationships with larger organisations, which cybercriminals are well aware of. Because SMBs' cyber defences are typically less robust than those of larger organisations, cybercriminals are focusing on them as a gateway into larger organisations. In fact, it is believed that the cybercriminals responsible for the breach of Target's systems in November 2013, which resulted in the theft of personal information from 70 million people, gained access to Target's system by breaching the network of the small business that Target used for heating and air conditioning services. Large organisations are now, in effect, a "sprawling network" of interconnected business partners, any one of whom could serve as a vector for a cyberattack. Business leaders have requested government assistance with this critical issue, and a coordinated approach is clearly required. This article will discuss the unique challenges that SMBs face when dealing with cybersecurity issues, as well as possible solutions, with a focus on the crucial roles that the private and public sectors will need to follow.

Cybercrime : A Threat to SMBs ?

Several successful cyberattacks against some of the country's most prominent firms have occurred in recent years. Only in the last two years have major breaches at eBay, JP Morgan, Home Depot, and Target been reported.These breaches, which affected approximately 353 million customers, were spectacular not only because of their size, but also because of the seemingly constant rate at which they appeared to occur. Because the popular press focuses on attacks like these that target the largest corporations, it is easy to overlook the fact that SMBs are at even greater risk, and are far more vulnerable once they are victimized. In fact, there are many more threats to confidential data held by local businesses for every high-profile breach. Some basic statistics will help to frame the scope and urgency of the issue that SMBs are facing.

The number of known cybersecurity incidents increased by 48 percent last year, and cyberattacks on SMBs have become more common. According to one study, SMBs were the target of 60% of all targeted cyberattacks last year. This trend is expected to continue this year, as a June report confirms that SMBs are still the preferred target of cybercriminals. In fact, approximately 75% of all spear-phishing scams targeted SMBs in June, with the smallest companies (those with 250 employees or fewer) bearing the brunt of those attacks. Furthermore, these attacks have become far more expensive, with losses from phishing scams increasing from $525 million in 2012 to $800 million last year, a more than 50 percent increase. Recent trends confirm that SMBs face a diverse and ever-changing cyber threat landscape. Ransomware, for example, has emerged as a major threat to SMBs. These attacks, in which a cybercriminal encrypts a firm’s files and demands a ransom payment to decrypt them, are becoming more common, effective, and expensive.

As per sources, the number of such attacks more than doubled last year, and ransomware programmes now have the ability to target more than 230 different types of computer files, up from only 70 in 2013. In the last two years, we've also seen the rise of fraudulent transfer schemes, in which cybercriminals use publicly available information and flaws in email systems to trick small businesses into transferring large sums of money into bogus bank accounts. As per sources, such schemes cost companies around the world more than $1 billion between October 2013 and June 2015, and while companies of all sizes have been victimised, SMBs are thought to be the most vulnerable. Finally, the internet of things provides cybercriminals with new attack vectors, many of which are not immediately apparent. Network printers and copiers, for example, which allow organisations to scan and email documents within the organisation, can provide attackers with an unexpected way to launch a lateral attack into a business network.

Why SMBs Are Such striking Targets for Cybercriminals

SMBs are appealing targets for a variety of reasons, the most important of which is that they are easier to target than larger organisations. The reason for this is all too obvious: SMBs face the same threat landscape as larger organisations, but with far fewer resources. As per a study, many SMBs do not have enough in-house expertise to deal with cyberattacks, and the problem is especially acute for the smallest businesses. The owners of such businesses handle cybersecurity issues about 83 percent of the time, and the results are perhaps predictable. According to one survey of businesses with fewer than 50 employees, only 29% are aware of the steps required to improve their cybersecurity measures, and even fewer have written policies in place to respond to a data breach. Unfortunately, the situation appears to be deteriorating. Companies with less than $100 million in revenue actually reduced their cybersecurity spending last year, despite the fact that the number of detected cyber incidents and the associated losses—reached new highs.

There are indications that many SMBs may not be taking cybersecurity as seriously as they should. One latest survey of 400 small businesses, 27 percent have no cybersecurity protocols at all, and a similar number have difficulty implementing even the most basic cyber defences, such as routinely backing up their data. As per to another survey, most SMBs fail to respond appropriately to successful attacks. This survey found that 60% of surveyed SMBs did nothing to strengthen their security protocols in the aftermath of a breach. This apathy is dangerous given the increasing sophistication and expertise of cybercriminals, who are now collaborating to a much greater extent, resulting in a significant increase in the quality, quantity, and complexity of attacks. Given that network security has been estimated to be effective only 24 percent of the time, a proactive approach appears to be warranted.

Potential Solutions Cybersecurity Guidance for Small and Medium-Sized Businesses

Cybersecurity is a profoundly difficult problem, one that is exacerbated by SMBs' limited resources. Nonetheless, the issues raised above point to specific steps that could be taken to assist SMBs in better dealing with this persistent threat. A strong public-private partnership is likely to be critical in assisting SMBs in overcoming resource constraints. The government can play an important role in the development and dissemination of such educational programmes. In fact, the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity ("Framework") has already taken a significant step in this direction. This Framework, as one panellist put it, can serve as a "foundational educational tool for SMBs."

Identify Ways of Fostering Economies of Scale for Cybersecurity Solutions

Today responsibility for cybersecurity rests with the SMBs, not the government. Nonetheless, policymakers could look into ways to encourage the development of economies of scale for cybersecurity solutions to help alleviate the resource constraints faced by SMBs. There are numerous options in this regard, but one is to create tax credits for vendors to encourage them to develop cost-effective cybersecurity solutions tailored to the specific needs of SMBs. Similarly, policymakers could consider measures to assist the nascent cyber-insurance market in reaching a level of maturity that will reduce costs and provide solutions tailored to SMBs. Some options include establishing a programme similar to the National Flood Insurance Program to help buttress the private market in the event of catastrophic, widespread attacks, or having the government act as a reinsurer for the cybersecurity insurance market during its infancy.

Final Notes

Utilizing innovative technologies is critical for SMBs to succeed in the modern economy, but SMBs must be aware of the risks that new technologies pose. SMBs bear primary responsibility for cybersecurity, and data suggests that they can do a better job of implementing basic cyber defences. Nonetheless, cybercriminals today have significant advantages over SMBs. A vibrant and dynamic collaboration between the public and private sectors could help to level the playing field significantly. There are undoubtedly many more that should be carefully considered. Let us hope that policymakers and SMBs can collaborate to find the most cost-effective and effective solutions for SMBs. Incase it failed it might get more riskier as the cybercrimes are increasing day by day.