Earl Duby
CISO | Trusted Advisor | Board Member | Change Agent | FBI CISO Academy
The Growing Threat to SMBs: Cyberattacks on Par with Large Enterprises
According to the recently released 2023 Verizon Data Breach Report (DBIR), the number of cyberattacks against small and medium-sized businesses (SMBs) is nearly identical to the number of attacks on large enterprises. Gone are the days where small business leaders could argue that they were too small or too obscure for cybercriminals to attack.
In fact, the data in the new DBIR “illustrate the fact that SMBs and large organizations have increasingly become similar to each other (p.65).” The report further states that “there is so little difference based on organizational size that we were hard-pressed to make any distinction whatsoever (p.65).” So, while SMBs can expect to be attacked at the same rate and with the same ferocity as large enterprises, they are at far greater risk once an attack lands, as the report points out: “However, what is very different is the ability of organizations to respond to threats due to the number of resources they can deploy in the event that they are attacked (p.65).”
The Financial Toll of Cybercrime on SMBs
When you consider that the global cost of cybercrime is predicted to reach as much as $8 trillion annually by the end of 2023, according to a report released jointly by research firm Cybersecurity Ventures and managed security services provider eSentire, it is clear that the SMB space is facing significant financial losses. The statistics are staggering and sobering. Add into the mix the often-cited (though poorly sourced and much-disputed) figure that 60% of small businesses fail within six months of a cyberattack, and, even if the true number is lower, it is clear that SMBs need to address their cyber defenses with urgency.
What can SMBs do to improve their odds of successfully defending themselves from the online wolves that seek to prey on them? The answers aren’t as simple as taking on new or upgraded technologies, though that will definitely help. The real answer involves a combination of people, technology, and process improvements. Most business leaders can understand buying tools like multifactor authentication (MFA), endpoint detection and response (EDR), secure backups and firewalls. But they also need to commit to processes like vulnerability management and security awareness and education.
The Critical Role of People in SMB Cybersecurity
However, the most important component is people. This is where large enterprises have a distinct advantage over their much smaller business partners. In many cases SMBs have no human resources devoted to securing the organization. All the technology in the world won’t save you if there is nobody to properly configure it, manage it, or respond to the alerts it generates.
The SMB dilemma is further exacerbated by the fact that many SMBs have no real understanding of what the risk is, because there is nobody to explain it to them or provide them with a reasonable roadmap for addressing the risks.
Cyber risk is no longer an avoidable issue, even for SMBs. It is a fundamental business risk that needs to be addressed like operational risk, financial risk or regulatory risk. To address any other business risk, companies of all sizes assign people and budget to go figure out what needs to be done – which usually results in buying technology and implementing processes.
Leadership is Critical to Building a Solid Cyber Defense Strategy
SMBs need to invest in a security leader who can then drive the conversation around the rest of the necessary components of a proper cyber defense strategy. In many cases, the SMBs won’t be willing or able to hire an experienced Chief Information Security Officer (CISO), so they should consider bringing aboard a virtual or fractional CISO. A virtual CISO could then learn the company, understand the risks, and then help the SMB put a proper strategy in place that includes:
- Select a control framework that best fits the company’s objectives and obligations (e.g. NIST CSF, CIS Controls v8, HITRUST, PCI DSS)
- Perform a risk assessment (gap analysis) of the current environment against that control framework
- Prioritize the gaps by risk and determine the proper remediation steps for each
- Set a budget (typically 10-20% of IT spend) and fit the remediation roadmap within that budget
Obviously, there are many other steps that need to be taken, such as selecting the right tools, determining the proper staffing levels, and considering a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) to partner with. But it all starts with selecting one person to lead the conversation and drive the solution. We all know that if many people are responsible, nobody is responsible. Meanwhile, the wolves are at the gate, looking to victimize any company that is unprepared for the attack. Let’s hope the leaders of those companies have somebody who is going to lead them through the chaos.
Author
Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.