Debunking the Myth that SMBs Aren't Cyber Targets
Released: December 4th, 2023
TL;DR: Small and medium-sized businesses (SMBs) often downplay their vulnerability to cyberattacks, but recent trends show they are increasingly targeted due to lax security measures and valuable data. Cybercriminals exploit SMBs' weak defenses, interconnected supply chains, and the simplicity of becoming a "Bad Actor." Data breach costs for SMBs can range from thousands to millions, impacting finances, reputation, and customer trust. Factors affecting costs include breach identification time, data type, regulatory fines, and business losses. To mitigate risks, SMBs must conduct cybersecurity assessments, implement robust security policies, educate employees, deploy security solutions, regularly back up data, establish incident response plans, and collaborate with cybersecurity experts. Cybersecurity is no longer optional; it's a necessity for all, regardless of size.
Let's face it, these phrases are as overused as a Kardashian catchphrase.
"We are too small to be a target!"
"Nobody cares about us, we aren't Google!"
These are examples of common thoughts at many companies, especially small and medium-sized businesses (SMBs). Unfortunately, and proven by recent events, this mentality is no longer just outdated; it's downright dangerous. Cybercriminals are increasingly targeting SMBs because they often lack the resources and expertise to defend themselves against sophisticated attacks. In fact, according to the 2022 SMB Cybersecurity Report by Verizon, 86% of SMBs experienced a cyberattack in the past year.
There are a number of reasons why SMBs are attractive targets for cybercriminals (Talk Nerdy Term: "Bad Actors").
SMBs often have less stringent security measures in place than larger enterprises, either due to a risk-ignorant mentality or limited budgets. This makes it easier for attackers to gain access to their systems.
SMBs often collect and store valuable data, such as customer information, financial records, and intellectual property. This data can be used for identity theft, financial fraud, or to disrupt business operations.
SMBs are often part of larger supply chains, and bad actors can exploit these connections to gain access to larger enterprises. By attacking an SMB, they can gain access to sensitive data or systems that they could use to disrupt the entire supply chain.
Becoming a Bad Actor is much simpler than in the past. Developers sell access to scripts and applications, known as Ransomware-as-a-Service (RaaS), for either a flat fee or a profit-sharing model. Some of these solutions are purchased for as low as $10 per month. It's a cheap investment with a high potential reward, so the methodology is to find the "low-hanging fruit" and exploit it. Check out CrowdStrike's RaaS write-up; it's definitely worth the read.
According to IBM's 2023 Cost of a Data Breach Report, the average cost of a data breach for organizations with fewer than 500 employees is $3.31 million. The average cost per breached record is $164. This data is based on an analysis of 550 data breaches that occurred between March 2021 and March 2022.
The 2022 State of SMB Cybersecurity Report (ConnectWise): This report found that the average cost of a data breach for SMBs ranged from $826 to $653,587.
Important Note: 2023 > 2022 > 2021
It's important to remember that these are just averages, and the actual cost of a data breach can be much higher or lower depending on the specific circumstances. However, these figures give you a sense of the potential financial impact of a data breach on an SMB. Here are some additional factors that can influence the cost:
Time to Identify and Contain a Breach
The longer it takes to identify and contain a breach, the more expensive it will be. I know, duh!
Type of Data Breached
The type of data that is breached can also impact the cost. For example, a breach of personal information will be more expensive than a breach of non-sensitive data.
Regulatory Fines
Depending on the type of data that is breached, a company may be subject to regulatory fines. According to the Ponemon Institute report, the average cost per breached record is $429. This means that even a small data breach can have a significant financial impact on an organization.
Loss of Business
A data breach can also lead to a loss of business, as customers may lose trust in the company.
If you've made it this far then you're probably tired of the bad news. There are many ways SMBs can protect themselves from these cyberattacks.
Conduct Cybersecurity Assessments: Know where you are at and regularly assess your cybersecurity posture to identify vulnerabilities and implement necessary safeguards.
Implement Strong Security Policies: Establish clear security policies that outline protocols for password management, data access, and device usage. This can include complexity requirements, multi-factor authentication (MFA), conditional access, etc.
Educate Employees: Train employees on cybersecurity awareness to recognize common threats and avoid falling victim to phishing attacks or social engineering tactics. The easiest way into a secure network is through human error.
Implement Security Solutions: Invest in appropriate security solutions for defense in depth, such as endpoint and network detection & response, firewalls, intrusion detection systems, etc., to protect your networks and data. Check out the Cybersecurity page for more information.
Regularly Back Up Data: Develop a policy and regularly back up essential data to immutable storage and ensure recovery in case of a cyberattack. It's extremely important to test recovery periodically for effectiveness and improvements.
Establish Incident Response Plans: Develop plans for responding to cyberattacks, including communication strategies, data breach notification procedures, and remediation steps. No matter how many mitigation strategies and technologies are used, ALWAYS assume a breach will occur.
Collaboration with Experts: Consider partnering with cybersecurity experts who can assess your company's unique risks and implement robust security measures. Having someone that will take an agnostic and offensive viewpoint is often beneficial.
As you can see, cybersecurity is no longer an option but a necessity for everyone, especially SMBs. Don't believe me? Check the data and watch the news. There is no such thing as too small or not-important data; everyone is at risk due to the ease and ability to become a bad actor with little training and capital. Scripting and AI have assisted these folks tremendously through Ransomware-as-a-Service (RaaS). Generally, there's no longer a target and a plan; it's whoever is an easy win for some quick cash (or crypto). So, by understanding the risks, implementing appropriate safeguards, and educating employees, SMBs can significantly reduce their vulnerability to cyberattacks and protect their valuable data and business operations. Now, I gotta ask: "Do you still believe you're not a target?"