Most observant and thoughtful senior executives are by now familiar with the threat posed by hackers and the core concepts of cybersecurity. Likewise, sophisticated Small and Medium-sized Business (SMB) leaders have paid attention to the cybersecurity landscape and have invested some effort to protect themselves from a breach. Nonetheless, Verizon’s 2020 Data Breach Investigations Report shows that cybersecurity remains a vitally important topic: 28% of all reported breaches in 2019 involved small to medium-sized businesses.
Verizon’s Data Breach Investigations Report is based on an analysis of thousands of incidents and confirmed breaches and identifies the most common IT vulnerabilities. What the data tells us is that web applications are the most common attack vector for SMBs, usually compromised via stolen credentials. While stolen credentials accounted for 80% of these attacks, the remaining 20% of data breaches succeeded by exploiting known vulnerabilities in systems and software. This implies that SMBs are not keeping up with patches or upgrading their operating systems and software.
It appears that few SMB executives are using this important information in any strategic way, and even fewer are learning the tactical lessons needed to avoid common security pitfalls. These considerations matter because each decision must account for its impact on both competitive requirements and the security posture of the organization. Why? Because after a breach, almost 25% of SMB-sized companies file for bankruptcy protection, and another 10% go out of business entirely. Any investment that reduces the likelihood of a breach therefore improves the viability of the enterprise, which makes it a strategic decision by definition.
Small and medium-sized businesses (SMBs) have adopted cloud and web-based applications because they are both economical and efficient. Unfortunately, these applications are also prime targets for cyber attackers. While most SMBs may consider themselves too small to warrant a focused attack, they remain vulnerable to distributed attacks that target a wide range of businesses. Phishing is the biggest threat for SMBs, accounting for more than 30% of breaches. Stolen credentials led to 27% of breaches, while password “dumpers” (when a site’s security has been exposed and the contents of the web site are dumped on the web) accounted for another 16%.
While SMBs may believe that they are too small to fail at cybersecurity, they clearly need more of the security measures that larger organizations employ. One way to meet this need is to outsource IT security to a managed services provider, sharing the costs with other SMBs. This reduces the capital outlay and allows SMBs to enhance their security posture. Another area of focus should be educating workers to avoid phishing scams and other clickbait. Employees are the weakest security link at any organization, big or small. Conducting regular security awareness training is a relatively small investment and an effective way to reduce the risk of successful phishing attacks. For those with a limited budget, several freely available online training courses provide a knowledge foundation for working securely (both IT and office) and raise awareness of best practices in the workplace.
According to Verizon’s report, one area where SMBs have an advantage is the time it takes for an incident to be discovered. For an SMB, it usually takes only a few days to discover a breach, compared to months for large companies. The reason is that smaller organizations have a reduced attack surface, which makes it easier to determine that a breach has occurred. This gives small businesses more agility in dealing with an attack and lets them minimize the damage by limiting the time hackers can take advantage of a breach.
For SMBs interested in continued growth and profits, developing a successful cybersecurity strategy should be viewed as a strategic investment that looks ahead over several years. For its own good, a security strategy should try to predict the likelihood, character, and impact of security incidents or events (i.e. risk assessment and risk management). While prediction is always difficult and seldom very accurate, it is undoubtedly far better than not trying to predict what risks you are taking at all. In fact, every cybersecurity strategy and every business decision involves making a prediction about the future, whether it concerns your customers, the market, or your competitors. The goal is to be more systematically aware of the risks and their impact so that you can act on them in a proactive rather than a defensive or reactive fashion; this is the real virtue of security management. The result will be a cybersecurity strategy that includes an estimate of the organization’s risks and a plan for a timed sequence of conditional moves in response to those risks.
The complete 2020 Data Breach Investigations Report can be found here: https://enterprise.verizon.com/resources/reports/dbir/
This post was written by Prajna Priyadarshini, Cybersecurity Analyst at Idenhaus Consulting.
Learn how Identity and Access Management can help secure your organization in our book, Reimagining Identity Management: How To Design, Choose And Implement The Right IAM Solution For Your Business.
Idenhaus is honored to be featured in the Top 10 Identity Governance and Administration Consulting/Service Companies of 2019.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age.