Why Aren’t Mid-Market Businesses Talking About Cybersecurity?

Is your company on their list? You bet it is! Think your business is too small for cybercriminals to notice? Think again. Mid-sized businesses are increasingly in the spotlight for cybercriminals. Why? Because hackers know these businesses often don’t prioritize security, leaving vulnerabilities open to exploitation. Watch as we break down the evolving threat landscape, uncover the risks lurking in plain sight, and share actionable strategies to protect your business.

Whether you’re a CEO or a business leader, these insights could be the key to safeguarding your operations and staying one step ahead of cyber threats. Don’t miss this essential guide to building stronger defenses!

 

Transcript:  

(0:01) Hello everyone, I’m Earl Duby. I’m the CISO, the Chief Information Security Officer at Auxiom. (0:16) I just want to talk to you about a question that comes up quite often.

(0:21) So in my work, I deal with a lot of small and mid-sized companies. (0:25) I work with the CEOs and the leadership of these companies, (0:28) and I’m trying to help them mitigate their risk, help them, you know, resolve their cybersecurity needs. (0:37) And this one question just keeps coming up over and over as we’re having these conversations, (0:41) and it goes something like this, in some variation.

(0:45) Yeah, my company is so small, why do I need to worry about cybersecurity? (0:50) Nobody’s ever going to find me, you know, why would they come after me? I’m so small. (0:56) Well, I just want to just reiterate my answer to all of you, you know, (1:01) if you’re curious and seeking out some cybersecurity, you know, advice, (1:06) that sentiment could not be further from the truth. (1:10) The actual reality is that small and mid-sized companies are becoming more and more of a target for cyber criminals, (1:16) just because they know that the level of controls and the types of technologies that are in place in those small businesses (1:26) are really no match for a good, well-funded cyber criminal.

(1:30) They know that they can basically get whatever they want out of those companies, (1:35) and so it’s really imperative that small business owners kind of shift the way that they’re thinking about this (1:41) and not rely on what we call security by obscurity, but really prepare for the attack that is inevitable. (1:51) So I want to go through a few points here, just in this short video, (1:54) just to kind of reiterate my point here that it’s really important. (2:00) So, you know, Verizon comes out with a report every year.

(2:05) Their latest report in 2024 showed that 43% of all cyber attacks are aimed at small businesses. (2:13) So, you know, just think about that. (2:16) Small businesses, companies your size, are being attacked by cyber criminals that are funded (2:23) and geared to attack the largest companies on the planet, (2:27) but they’re also, 43% of the time, attacking small companies (2:32) just because they can establish a nice base of funding from those small businesses to help them attack the larger ones.

(2:41) You know, and this idea, like, that you’re small so no one will find you, (2:45) it’s not like the attackers are looking in the yellow pages to find the companies that they want to attack. (2:50) These are all automated attacks. (2:51) You know, they use a variety of sophisticated digital attack methods, (2:56) such as, you know, scanning the Internet for exposed Internet sites and services that are unprotected.

(3:04) They are buying your information from the dark web on the Internet. (3:11) They’re sending out mass phishing campaigns looking for people to click on links. (3:16) So this isn’t someone specifically looking your name up and targeting you.

(3:20) This is a wholesale attack across the Internet, and you are the opportunistic victim of their attacks. (3:31) And what happens when you get attacked, you know, there’s another report by Sophos, (3:37) the state of ransomware for 2023, which says that the average attack brings a company down for up to three weeks. (3:44) So 21 days on average.

(3:46) 90% of organizations that are hit with ransomware have their operations affected. (3:53) So, you know, this isn’t a small risk that you’re taking. (3:57) If you actually do get attacked and hit with ransomware, (4:02) you can look for your business to be down and inoperable for, on average, three weeks.

(4:08) What is that going to do to your revenue? (4:13) In terms of, you know, the risks are reputational as well as financial. (4:18) So, you know, you think about downtime three weeks, but also think about, you know, (4:22) your customers and how they are, you know, viewing you as a company after you get hit with a ransomware attack. (4:30) This survey from Cisco, they did a survey of, you know, just random people, (4:36) and they said 88% of consumers say they won’t do business with a company that they don’t trust to protect their data.

 

(4:44) So if the news gets out that you have been attacked, (4:48) 88% of your customers are likely to think less of you because you got attacked and didn’t protect their data. (4:56) And 55% of people wouldn’t do business with a company that they thought was incapable of protecting data and their operations. (5:08) So, you know, these are pretty significant numbers in terms of human psychology (5:14) and how they react to companies that have been attacked and suffered under a cyber attack.

(5:20) And then just, you know, in terms of just how quickly these things change, the threat landscape is constantly changing. (5:29) So it’s not like the controls you put in place three years ago. (5:32) So maybe you put a new firewall in three years ago and you think you’re good.

(5:35) You know, unfortunately, the adversary is constantly evolving to the point now where, you know, the old controls just don’t work anymore. (5:45) In fact, you know, ransomware attacks occur every 11 seconds. (5:50) So clearly the controls that were put in place, if any were put in place, you know, aren’t working.

(5:57) You have to keep up with the threat. (6:01) So how do you keep up with the threat? (6:03) You know, this really comes down to the crux of the problem, you know, for small business owners is how do you even know what to do from a security perspective (6:13) once you’ve determined that you have to do something about security? (6:17) Well, you know, the biggest thing you can do to turn your situation around is to get a competent security leader within your organization. (6:26) You know, you have to have somebody whose whole purpose in working for you is to protect you, mitigate your technology risk.

 

(6:36) You know, in large companies, they have CISOs like me. (6:40) They have chief information security officers that spend their entire day, their entire night thinking about how to protect your organization. (6:48) So what do you do as a small business owner? (6:51) You know, if you are large enough, maybe you can hire a security manager, but typically, you know, you would want to outsource that.

 

(7:01) You know, you can get virtual CISOs, you can work with an MSP, and an MSP can provide you with security advisory work. (7:13) Studies show that 76% of businesses without a CISO experience, you know, more significant cyber events than companies that have a CISO. (7:24) So basically, if you have a CISO, even though you may get attacked, you’re going to have much less of an impact because of the controls that that CISO has put into place to help mitigate that risk.

(7:36) So having a competent thought leader around security working with your company is one of the best things you can do to mitigate this risk. (7:46) And then from a cost perspective, just how do you deal with the cost? (7:50) Again, you know, this is where, you know, outsourcing that, getting a virtual CISO is important from the leadership perspective, (7:58) but just also understand that, you know, a lot of times the cost of security controls, so endpoint protection, firewalls, vulnerability management, (8:08) you know, these costs aren’t as high as probably what you’re thinking they are. (8:12) You know, and if you have someone that’s working for you on the inside, you know, helping you with your risk mitigation, they can also negotiate better pricing.

(8:22) So it’s not as expensive as you think it is. (8:27) You just have to have the right mindset and the right people guiding your decision on this. (8:32) So, you know, that’s just a quick summary.

 

(8:34) You know, those are five points that I think are very important for you to consider as a small business owner. (8:41) If you need any help, reach out to me, reach out to us here at Auxiom. (8:45) We can help you, you know, for free.

(8:48) We can do a risk assessment for you and just understand where you’re at, help guide you to a right decision. (8:55) Because at the bottom line is I’m interested in helping you reduce your technology risk, preventing you from being attacked. (9:03) So it’s a rough world out there and I just want you to be safe.

 

(9:06) So reach out if you need anything. (9:09) Thank you.