It should come as no surprise that small and medium-sized businesses are often more vulnerable to cyber attacks than large corporations. These businesses not only suffer from a lack of resources to protect themselves against cyber threats, but they also suffer from a lack of awareness that they could be targets of cyber criminals in the first place. More often than not, SMBs are more concerned with making payroll and getting their taxes filed than with implementing a cybersecurity solution.
But the 2017 State of Cybersecurity in Small and Medium-Sized Businesses Report from the Ponemon Institute suggests it’s time for a change, especially since 61 percent of respondents (all SMBs) said they had experienced some form of cyber attack in the past 12 months. The causes of these cyber attacks vary, but more than half (53 percent) attributed them to insider threats, or negligent employees.
Many insider threats originate as a result of lax (or missing) bring-your-own-device (BYOD) policies. While it’s impossible to completely ban mobile devices and smartphones from the workplace, SMBs can take steps to limit the amount of data employees have access to, including incorporating a Mobile Device Management (MDM) solution, which will enforce policies, install and update security software, manage configurations and more. We also encourage SMBs to draft their own BYOD policies and keep them accessible for current and new employees.
But insider threats aren’t all an SMB has to worry about. In fact, 43 percent of survey respondents listed third-party mistakes as a top cause for data breaches. Oftentimes, third-party vendors can be seen as a throughway to bigger businesses, which makes them a primary target for hackers. Unfortunately, there’s also usually a disconnect between the larger business and its third-party vendor when it comes to security protocols, and because SMBs also rely heavily on third-party vendors to operate, any data breach or hack on a vendor will also have an effect on them. That’s why it’s important for SMBs to have standards in place for vetting the security of their third-party vendors, and these standards should effectively answer the question, “How do my third-party vendors protect my data?”
In terms of the types of threats SMBs encountered, 52 percent said they experienced a ransomware attack in 2017. That’s up from a mere 2 percent in 2016. Ransomware attacks, in general, have surged in recent years, and all businesses are at risk. Take the attack on the Hollywood Presbyterian Medical Center, for example. However, SMBs remain particularly susceptible to these types of attacks because hackers know SMBs typically have weaker security systems and can demand anywhere from $500 to $2,000 per attack. In some instances, SMBs were willing to pay more than $10,000 to regain access to their systems if they encountered a ransomware attack.
As SMBs continue to navigate the world of evolving cyber risk, there are a few fundamental best practices to keep in mind. These include adopting a BYOD policy, appropriately vetting any third-party vendor or supplier and better understanding the types of threats SMBs are more likely to encounter. But your education on how to best protect yourself in the event of a cyber attack should never end, and we encourage you to check out some of our other tips on how to make your SMB cyber resilient and how to get your SMB's data security plan in shape.