We’ve all seen the headlines when a large multi-national corporation suffers a data breach, but are small businesses able to ‘fly under the radar’ for cyber crime? Well, according to Verizon’s annual data breach incident report, the opposite may be the case. While large organisations make headlines, the report found that 58% of data breaches actually occurred in small and medium-sized companies.
“Many small businesses don’t have the resources focused on security and training, and employees are not cognizant of being at risk,” according to the Vice President of Experian Data Breach Resolution, Michael Bruemmer. “Some of these businesses, especially startups, may have no or small revenue, but they may be processing credit cards or holding personal data for other companies, and they don’t realize they have to protect it.”
Half of all cyber attacks are currently believed to target small businesses (Source: Verizon Annual Data Breach Report)
Five years ago, it was estimated that only around 20% of cyber attacks targeted small businesses and medium-sized organisations; today, however, most studies are putting it around the 50% mark. Many small business owners assume that they are safe because they don’t see data breach headlines involving smaller companies. Unfortunately, targeting small businesses has proved profitable for cyber criminals, and this trend is expected to continue.
Small businesses store the same kinds of data as any other organisation – financial information, internal operational data, customer contact details, mailing lists, staff information and more – and this data is usually incredibly important for the business to operate. Hence, small businesses are known for paying criminals when they get hit by ransomware, making them attractive targets for cyber attacks.
Because they are small, they may not have dedicated cyber security or even IT staff in-house, and cyber criminals know this. Often, they are lacking crucial tenets of modern cyber security, such as next-generation firewalls, a backup & disaster recovery system and cyber security awareness training for staff. They are also less likely to have a comprehensive cyber security framework in place, or strict company-wide policies to protect data and prevent breaches. In other words, while they may not have the money that a large organisation does, small businesses are often easier targets for cyber criminals.
In particular, phishing and social engineering are often used to target small businesses, as tricking users is seen as an easier and more reliable route for cyber criminals than trying to bypass complex technological protections.
“One of the key takeaways from the 2018 Verizon [report] is that employees are falling victim to more sophisticated social engineering and phishing attacks,” said David Vergara, Director of Security Product Marketing with VASCO Data Security. “These findings are not surprising, as attacks, especially those based on advanced phishing techniques, are evolving quickly.”
85% of all data breaches can be traced back to human error, including reuse of insecure passwords, clicking on bad links in phishing emails that download malware, and not practicing good cyber hygiene when surfing the internet. One click is all it takes for a network to become compromised and allow cyber criminals access to sensitive data, whether the organisation is large or small.
Small businesses are turning to managed providers to ensure their security is up to scratch
While a dedicated IT professional on staff can cost a company €40-80k or more per year, small businesses are finding it much cheaper and more secure to simply outsource their cyber security to managed security providers, especially with the GDPR right around the corner. For a fraction of the cost, small businesses can be protected by cutting-edge, enterprise-grade cyber security solutions, provided by dedicated cyber security experts.
Managed security providers also often have special deals with security vendors, allowing them to reduce costs for antivirus software, firewalls and other security hardware, and even for training software to ensure staff are alert and educated about the risks they face. They actively monitor to ensure that all protections are working as intended and that backups can be quickly spun up in the event of a disaster, and they can spot and respond to cyber incidents as soon as they happen.
Managed security providers are constantly updating their policies and procedures as best practice changes, ensuring that the businesses they protect are prepared for the changing threat landscape, and allowing them to focus on their own business. Lastly, a managed security provider will always do everything within their power to protect their clients, as their own business and reputation are on the line should a breach occur under their watch.
If you’re the owner of a small or medium-sized business and think that working with a managed security provider could benefit your company, then speak to us today to inquire about our range of services and get our top advice on bringing your organisation’s cyber security in line with the requirements of the GDPR.