Why Small Business Cybersecurity Isn't a Small Matter

20 Sep 2016 by Bob Violino

Small business cybersecurity should be one of the top priorities of IT departments at companies in every industry during this exciting digital era. Cyberattacks are on the rise and have become increasingly sophisticated. To address this ever-growing threat, small changes can be made to improve a business's preparedness. Big businesses are not the only targets of hackers. These days, cybersecurity for small business is just as important and should not be overlooked.

Less publicized attacks are targeted at small business.

The data breaches you’ve heard the most about are those launched against the larger enterprises, such as Anthem, Home Depot, Sony Pictures Entertainment and Target. Most people are familiar with these companies and many do business with them. Naturally, when they suffer a security intrusion, it’s going to garner a lot of attention and be covered extensively in the media.

Larger organizations are natural targets for attackers. They generally handle lots of money, they have troves of valuable data and they can bring a lot of attention to the nefarious hackers who successfully breach the system.

But this doesn’t mean smaller companies are immune to attacks by hackers and other cybercriminals. Businesses of all sizes and in all industries are vulnerable to data breaches. In fact, Small and Medium Businesses (SMBs) might be especially attractive targets because in many cases they lack the resources to hire specialists who provide IT security for small businesses. Often, these entities also lack the funds to purchase the latest and most effective security technologies.

Security planning and purchasing compromises are to blame.

Small companies that conduct much of their business online, as well as professional services firms with high-stakes clients, can be victimized by opportunistic hackers. While large enterprises can be significantly affected by a data breach, a smaller company could actually go out of business or face a devastating loss to its client base as the result of a successful attack.

With more sophisticated threats emerging every day, data security should be a high priority for any SMB. This includes learning about the various types of security threats and vulnerabilities, and adding multiple layers of protection including a comprehensive disaster recovery strategy.

A common issue is that many smaller businesses can’t afford an enterprise-level portfolio of security technologies. They also don’t have a full-time business cybersecurity executive or department.

“Outside of the same security threats and risks that all organizations must contemplate, SMBs definitely are further challenged by budget constraints, competing priorities and ensuring they have the most up-to-date knowledge to make the right decisions,” says Ami Kron, director of sales at Insight.

“In many cases, security concerns were not on the planning radar of most SMBs a few years ago. Now the added challenges of server/OS [Operating System] refresh activities have created a significant budget burden that wasn’t well planned for,” Kron explains.

“Compromises are being made either to extend or delay OS upgrades and infrastructure upgrades, or take ‘short cuts’ on overhauling the security infrastructure. The SMB space often doesn’t have the resources to best approach the security-buying journey, so that knowledge gap, along with all the competing priorities, can lead to poor buying decisions,” Kron adds.

On the positive side, about half of small businesses are estimated to at least practice sensitive data encryption, according to the chart below. On the concerning side, a quarter of the businesses out there do not have any key cybersecurity measures in place, like security awareness training, data encryption or business insurance to help them recover from a breach.

Chart: Security measures taken by small and midsize businesses to reduce cyberattack risk in the U.S. in 2015

An outside solution for small business cybersecurity

One answer to the resource issue is to hire a managed security services provider, which can take on many of the information security functions of the organization. This is certainly a viable option because it enables companies to protect their assets against cyberthreats at all levels while allowing them to focus on business.

Before moving ahead with a small business cybersecurity strategy, SMBs need to first gain an understanding of what types of threats target their businesses and what weaknesses exist within their own infrastructures. This can be accomplished via a security assessment, which not only provides an excellent security baseline but also helps companies select the best service provider to protect their organizations.

Testing to identify security weaknesses

Engaging in assessments helps close “the knowledge gap that can lead to money being thrown at the wrong problem,” Kron explains. “There are a number of vendors, resellers and independent security-solutions providers that offer various assessment types.”

One of the more common is penetration testing, which can help identify vulnerabilities and/or weak points. “Similar offerings exist by different names, but they share the same focus: identifying risk. Assessments vary in pricing depending on the size of the environment being tested,” he advises. “Some rudimentary tests can even be found at no cost. If a business feels that they are at particular risk or bound by regulatory rules to protect any data or transactions they have stored anywhere, there will be a need to seek out an assessment offering that will specifically cover those areas of risk.”

In some cases, it may be best to obtain assessment services from an independent party that doesn’t sell the products or from a reseller that can offer a broader solution that covers all aspects of security solutions.

A leading concern is the new emphasis on how much due diligence is required before entrusting IT infrastructure services to a party such as a Managed Services Provider (MSP). But the effort is worthwhile if the end result is forging a relationship with a reliable MSP that can help eliminate the worry associated with protecting critical assets.

Kron’s parting advice is: “There are great advantages for SMBs to engage IT-as-a-Service companies that can take ownership of protecting and securing IT infrastructure. The challenge is that a lot of business owners aren’t armed with the knowledge they need to vet the right providers.”