Looking back at the data breaches that have made headlines in recent years, a few names stand out: eBay, Target and Home Depot for starters. Besides being retailers, these three are linked by their status as big, established companies that nevertheless were hit by wide-reaching network security breaches. The scale of each incident was enormous. At Home Depot alone, the number of compromised payment cards may have exceeded the population of Spain.
SMBs: Under-protected and vulnerable to intrusion
However, it’s important to step back and realize that large corporations aren’t alone in facing significant cybersecurity risk. Small and midsized businesses are also common targets of cybercriminals:
- Over the past 12 months, almost two-thirds of SMBs in the U.K. experienced a breach, according to research from the British government’s Department for Business Innovation and Skills. Website hacks and loss of customer information happened frequently. A Nominet survey of 400 SMBs painted a more sobering picture, with 77 percent of respondents having been breached in the last month.
- In the TrendLabs primer “5 Reasons Why Your Antivirus Software Is Not Enough,” Trend Micro researchers explained how SMBs are prime targets largely because many of them stop short of full security. More specifically, these organizations may invest in antivirus, but neglect to address advanced persistent threats or social engineering that may flaunt it. SMBs are on pace to spend $5.6 billion on security technology by 2015.
- SMBs are moving much of their data and many of their services to the cloud. A Windstream study found that 68 percent of the 350 executives it surveyed were looking to the cloud to trim operational expenses. Yet, the cloud lessens IT’s control over company data. Cloud security is essential for detecting and mitigating any threats to these assets.
Despite these pressures, there can never be an SMB equivalent of the Target breach, if only because of a size disparity. For this reason, SMB cybersecurity will struggle to attract the attention it deserves if businesses are to become more adept at curtailing breaches.
The self-reporting example: Many SMBs lack resources to curb attacks
On top of the issue of scale, SMBs are also hampered by limited visibility into their own exposure to risk. The North American Security Administrators Association recently surveyed 440 financial advisors and discovered that only 4 percent of respondents knew that their companies had been breached, despite cybersecurity policies being in place at more than half of these firms.
This gap exists because many employees, as well as their employers, lack the means to detect security incidents, and thus self-report at a low rate. A mere 44 percent had initiatives for training workers in techniques such as identifying phishing emails. Moreover, risk assessments are often too narrow or basic to catch all possible threats, which, as we noted, are often beyond the scope of standalone antivirus tools. Assessors may focus on network security, or perform the review on behalf of their own enterprises, rather as independent outsiders. Assessments must evolve to account for today’s diverse threats.
“Firms this size generally lack the technology and sophistication to detect a cybersecurity breach,” stated Raj Bakhru, CFA and CEO of Aponix Financial Technologists, according to ThinkAdvisor. “A risk assessment covers deficiencies in documentation, processes and procedures, workflow flaws and vulnerabilities, vendor diligence, and beyond, in addition to internal and external network testing.”
Protecting SMBs against cyberattacks starts with education – e.g., about how to identify malicious attempts at gaining access to the corporate networks, and extends to strong endpoint security and regular, rigorous review of infrastructure. SMB breaches may not be front page news, but they’re damaging all the same and require a fresh approach to cybersecurity.
