August 18, 2015
With all the media focus on mega breaches, it’s easy to assume that smaller businesses are not being targeted. But the research shows quite the opposite. Here’s what small and medium-sized businesses (SMBs) need to know.
A business is never too small. Cyber criminals are after any and all confidential information, including credit card data, health data, and intellectual property. In 2013, the Data Breach Investigations Report found that close to 62% of data breaches were at the SMB level. Cyber security is just as crucial for small businesses as it is for large ones.
Cybercriminals are opportunistic – and smart. “We think threat actors are beginning to target medium-tier businesses because they typically cannot match the sophisticated cyber security technologies and processes of the largest companies,” said David Burg of PwC in a CSO article. The Global State of Information Security Survey 2015, sponsored by PwC, showed compromises of mid-size firms rose 64% from 2013 to 2014.
SMBs are easy pickings. A 2014 online survey by financial services provider The Hartford showed that 43% of mid-size businesses experienced a data breach in the last three years. Smaller organizations are vulnerable for several reasons, including lack of expertise (IT generalists, for example, are often in charge of security), dated security defenses, outsourcing security to unqualified companies, and inadequate endpoint security. “There is a very clear correlation between the amount of money spent and the effectiveness of a company’s security program,” said Burg. The PwC survey showed that firms with annual revenues less than $100 million cut security spending by 20% in 2014.
Smaller businesses are an entry point to larger targets. B2B companies are increasingly entwined electronically, and that creates easier access into larger organizations by cyber criminals. A small business data breach is viewed as a stepping stone to data at larger organizations.
It’s easy and inexpensive to target SMBs. In the CSO article, Greg Shannon of the Software Engineering Institute at Carnegie Mellon University explained that SMBs are a huge target because attacks are often automated with cyber criminals using inexpensive viruses or ransomware that can attack thousands or millions of companies. According to a propertycasualty360.com article, 34,529 known computer security incidents occur every day in the U.S. while many other data breaches go undetected or are not reported.
A breach is costly. The Hartford survey showed that after a small business data breach, 41% of companies incurred investigation expenses, 21% incurred notification expenses (most states have notification laws) and 15% suffered damage to their reputation. The 2014 Cost of a Data Breach Study showed that data breaches cost $3.5 million on average while the cost per lost or stolen record is on average $145. The National Cyber Security Alliance said that 60% of small businesses will fail within six months after a cyber attack.
Here’s how to improve small business cyber security:
Did you know that outsourcing document destruction reduces the risk of a data breach while it embeds an important security procedure right into the workplace? Here’s how to choose a reliable shredding company.