SMBs and Cybercrime Preparedness
IndustryView | 2014
In today’s digitally powered, ultra-connected business environment, nobody is safe from the reach of cybercriminals. Although it’s the high-profile breaches—such as the Target or J.P. Morgan incidents—that score all the headlines, small and midsize businesses (SMBs) are also under attack.
A 2013 study by security giant Symantec showed that around one-third of all cyberattacks now target SMBs. And no wonder: SMBs are easier “marks,” as they frequently lack the resources and technical expertise to maintain strong security.
But how aware are small businesses of this risk? And how seriously are they taking the threat of a cyberattack? We at Software Advice wanted to know—so we surveyed 385 adults who were either owners or decision-makers at U.S. firms with 500 employees or less. Here’s what we found.
Two years ago, most SMBs were fairly relaxed about hackers, malware and other potential security threats. In 2012, for instance, Symantec found that 77 percent of small-business owners or operators believed they were safe from cyberthreats. However, in light of the multiple high-profile security breaches of 2013 and 2014, not to mention the widely publicized Heartbleed bug (initially billed as “pretty apocalyptic” by leading security firm Kaspersky Labs), it seemed reasonable to assume that SMBs might now be feeling less confident.
And anxiety does seem to have risen: 41 percent of our respondents were either “extremely” or “very concerned” that they might become a victim of cybercrime. A further 26 percent said that they were “moderately concerned.” This gave us a healthy total of 66 percent who were worried—very nearly inverting the results of the 2012 Symantec survey.
That still leaves us with slightly over one-third of respondents who were remarkably sanguine about the safety of their businesses, as 34 percent said they were either “minimally” or “not at all concerned” about cybercrime.
Of course, there could be numerous reasons for this relaxed state of mind: business owners may think they are too small to register as a potential target, or they may be cocky about the state of their defenses. Alternatively, since 80 percent of businesses fail in the first 18 months, perhaps some SMBs are simply too busy trying to stay afloat, and don’t have time to worry about fiendishly clever Ukrainian hackers.
Regardless, complacency is an error. Even if some SMBs are not interested in cybercriminals, the criminals may very well be interested in them.
To gain a little extra insight on SMB security, we spoke to Jeff Multz of Dell SecureWorks. In his role as director of North American SMB sales, Multz travels the country to talk to small businesses about security. And while he says that interest in security has increased enormously among SMBs, many firms are still vulnerable—even in big cities such as New York.
“I’m really scared, because small businesses are the soft, juicy innard. They have ignored [security] due to economics or due to a lack of understanding, and they are where the big companies were in 2003—it is that scary,” says Multz. “Every day I am on the road, and I am often astonished by what we are seeing.”
Multz cites the example of a hedge fund he visited recently which lacked even such fundamentals as a firewall or antivirus.
“They opened a closet and they had a router—that was their firewall,” he says. Situations such as this, Multz adds, are simply “terrifying. I can’t believe this is 2014.”
Of course, it is one thing to be concerned about the threat of cybercrime—but unless that concern spurs improvements in business security, it’s not very useful. Next, we wanted to gauge the degree of confidence among SMB decision-makers that their sensitive business data was, in fact, secure.
Primarily, it is striking that a full 26 percent of respondents described themselves as “extremely confident”; industry experts might suggest that at least some of these respondents were guilty of hubris. After all, if a tech giant such as eBay can be forced to advise 150 million of its users to change their passwords following a data compromise, it stands to reason that could happen to anyone.
However, it’s interesting to note that this figure of extreme confidence is close behind the 34 percent who are “minimally” or “not at all concerned” about cybercrime (in the previous section). This suggests that a robust faith in the quality of security, rather than a lack of knowledge, may be fueling that statistic.
By contrast, a slight majority of 52 percent described themselves as “moderately confident.” Whether this is a good or a bad thing depends on your perspective: It is good if it means that many SMBs are looking at their current security systems with a critical eye and considering ways to improve them. It’s not so good if it indicates doubt combined with a lack of funds, expertise or both.
Finally, over one-fifth of respondents (21 percent) were “not sure” or were “minimally” or “not confident” that their sensitive data was secure. This is understandable, as security can be complicated, and even overwhelming, for SMBs—especially when it overlaps with compliance standards, such as the PCI DSS rules that affect anyone accepting credit cards.
Cybercriminals are well aware that some SMBs struggle with or neglect security—so even if securing your sensitive data feels like a headache, this task should never be an afterthought. It is a priority.
Breaches are expensive. According to a 2014 Ponemon Institute study, the average cost of a data breach is $3.5 million: 15 percent more than it cost last year. Unlike with consumer fraud—in which individuals are not liable for losses incurred when criminals use their credit cards to purchase (for instance) exotic vacations—businesses are likely to face high costs following a data breach.
For example, in cases where criminals break into a firm’s computers and access banking logins, “...then the business owner is responsible and not the bank,” says David Langlands, director of security and risk consulting for Dell SecureWorks. If the company’s accounts are drained as a result, then the affected business will never see that money again.
In cases where criminals steal customer credit cards, meanwhile, the situation can rapidly become very messy indeed.
“In a large breach, typically the banks will join together or pursue resolution through a card brand (Visa, MasterCard, etc.) to reach an agreement with the breached merchant,” says Langlands. “Often the initial step is a large lawsuit, with the general result being an out-of-court settlement. Additionally, the breached merchant must pay for a forensics investigation and may pay fines.”
However, a startling number of SMBs seem to be unaware of where the law stands on these matters.
As the chart shows, only 30 percent of respondents said that they were “extremely confident” they understood their liability. By contrast, 31 percent selected “minimally confident,” “not sure” or “not confident.” This left a further 38 percent occupying the uneasy middle of moderate confidence.
Of course, when it comes to legal matters, every business owner needs to know the legal consequences of a breach—otherwise, it will be impossible to conduct an even minimally credible risk assessment, or to plan for the worst happening. Thus, SMB owners and operators who are uncertain about their liability should at the very least read up on the consequences of a data breach or consult with a lawyer.
At the start of the survey, we asked respondents if they were concerned about cybercrime. Many answered that they were. To conclude, we asked if they had a plan for what to do if they suffered a data breach—and many answered that they did not have a plan.
As the chart shows, only 36 percent answered that they had some form of insurance in place. The rest of our respondents thought that their security system was sufficient and that contingency planning was not required (18 percent), simply considered any plans unnecessary (17 percent), or were unsure whether or not their company had a plan (27 percent). Needless to say: If you don’t know whether you have a plan or not, even if it turns out that such a plan exists, it is probably not a very good plan.
We also left an “other” option, for the 2 percent of respondents who did not have insurance or a current security system they were confident in, but who had a policy or damage-control plan in place outlining the steps the company should take in the event of a breach (even if it involved large amounts of gold hidden under a mattress).
According to Multz, small organizations often fall prey to cybercriminals because they don’t plan on having to face that eventuality. Multz notes that cybercriminals are increasingly targeting all sorts of small organizations—including charities, museums and churches—where they anticipate defenses will be weak.
However, even simply deciding on what kind of damage-control strategy you are going to take ahead of time can make a difference. Compare, for instance, the responses of Target and Home Depot to their respective data breaches. Both breaches were enormous, but Home Depot controlled the release of information much more tightly than Target. We found that in the week Home Depot finally disclosed how many customer credit cards had been compromised, awareness of that breach was still much lower among consumers than it was for the Target breach—which was, by then, almost a year old.
Home Depot may have suffered the bigger breach, but from the point of view of reputation management, it was the clear winner. Financial losses may be inevitable, but having a damage-control strategy in place can nevertheless go a long way towards mitigating your business’ suffering in the event of a breach.
But there is no need for SMBs to despair. While few experts believe it is possible to attain perfect security, it is certainly possible to mitigate risk—and quickly, so long as businesses are willing to take the time to investigate solutions and to make the necessary investments.
Simple things such as keeping systems patched and adhering to best practices about passwords (never using the same one twice, never sharing them and making sure that they are sufficiently complex) can go a long way towards reducing risk. Teaching employees to never click on a link from an unknown or untrusted source is another simple but effective step businesses can take.
Meanwhile, many of the world’s leading cybersecurity vendors have solutions targeted specifically at small businesses. For instance, Symantec, Kaspersky, McAfee, AVG, Avira and F-Secure sell inexpensive products aimed at firms with very few employees—in some cases, fewer than 25. These are available either as on-premises or cloud-based software systems, and are designed to have a single administrator to keep things simple. Other reputable firms, such as Fortinet, sell “unified threat management” systems: hardware solutions that combine multiple security functions in one box. (For more information about these solutions, Software Advice has compiled this guide.)
In addition, SMBs have the option of using a managed security service provider (MSSP)—in other words, hiring an external expert to manage their security. Major vendors such as Symantec, Trustwave and Dell offer MSSP services, and they are not always intended exclusively for large firms.
For instance, Multz says that the smallest clients for Dell’s managed SecureWorks service have as few as three to five employees; other very small businesses may find services such as this valuable “if they perceive high value or high risk to their business based upon data loss or data breach.”
And so, we find that at the end of the year of breaches, SMB concerns about security may have risen—but many smaller businesses still seem to be effectively crossing their fingers and “hoping for the best.” But hope is not a strategy, and it is certainly not security. Fortunately, remedies such as the ones briefly outlined above do exist.
Small businesses are also finally starting to wake up to the reality of the cyberthreat and the importance of security. This represents a major opportunity for security firms to tap into a rich seam of new business. Marketing and sales teams at these firms should be using every tool at their disposal to reach out to, and educate, small businesses about their security needs and how they can help.
By doing this, security firms will not only boost their profits, they will also be improving the safety of the digital environment for businesses, and by extension, their clients and consumers—which means everybody wins.
To further discuss this report, or to obtain access to any of the charts above, please contact firstname.lastname@example.org.