There is nothing easy about running a small or medium-sized business (SMB). Limited staff, focused budgets, and competing priorities tend to pull leaders in opposite directions. As we discussed in our recent blog on information technology (IT) solutions for SMBs, the temptation is to hire IT generalists and ask everyone to pitch in. Cybercriminals love this approach because it tends to leave known vulnerabilities unprotected.
Most businesses today depend on the Internet and their IT infrastructure not just to function normally, but for customer satisfaction, compliance, and growth. As the world becomes more digital, IT systems become increasingly complex. The prevalence of bring-your-own-device (BYOD), cloud-based applications, 24/7 availability, and global connectivity brings enormous opportunities for hackers. Unfortunately, as digitization continues to expand, SMBs should expect there to be more, not less, risk.
More bad news.
It isn’t merely a cautionary warning that SMBs are more vulnerable to cybercrime. The 2018 State of Cybersecurity in Small & Medium Size Businesses report (Ponemon/Keeper Security) found that two-thirds of SMBs were hit with a cyber-attack in the last 12 months. Equally mind-boggling is the cost of the average attack, which is estimated to be nearly $3 million. It is discouraging.
Many businesses turn to add-on security tools to protect their environments. There are upgrades to endpoint security to add more sophisticated advanced malware protection. Better web application security can help prevent web-based attacks. Intrusion prevention is often viewed as a vital technology to stop network attacks and exploits. Not to mention, there is an entire ecosystem dedicated to anti-phishing solutions and employee training.
All these new technologies have a role in keeping businesses protected. The challenge for companies is how to integrate the solutions and manage all the various consoles. With unlimited staffing resources and a massive security budget, an in-house security approach might work. Realistically, there probably aren’t enough people or resources to manage and continually update all the tools necessary for robust security.
What is the answer?
A security environment isn’t just a firewall and padlock on the front door. More digital devices and more employees equate to more ways into your network. For SMBs thinking about the right security solution, there are a few pieces to solve:
- Employee Training. The ideal scenario would be to stop the attack before it ever reached your company’s network. A cyber-secure mindset is critical to keeping the other ways into your network closed. Unfortunately, cybersecurity education and training isn’t a one-time course. You need to deliver ongoing support to help employees make the right decisions and be on the watch for whatever the future holds.
- Security Monitoring. Security monitoring and scanning tests are the foundation of most programs. Many companies are starting to hire a Managed Service Provider (MSP) to provide this service. With employees available and working nearly 24/7/365, this operation never gets a break. The average cybersecurity engineer’s salary is almost $130,000 per year, which makes it difficult for SMBs to deliver continuous support with an in-house team.
- Incident Response. When there is a problem, your company needs to be ready with a response. Lack of planning here can be devastating for a business. Consider how long your company can remain offline without access to critical information. Would your organization be able to recover after a day offline? What about after a week? If your data was unavailable for a week and you had to pay damages, would the business remain profitable? These are questions no one wants to consider but are essential for security planning.
- There is more to incident response than responding to the threat and moving on. It is important to consider whether the underlying threat is persistent (APT) or capable of propagating. The best remediation programs look at:
  - What systems were impacted?
  - What are the characteristics of the incident?
  - Are there processes allowing the issue to continue?
- Once the threat is isolated, the incident response team can ensure the response covers all affected systems and services.
In most situations, the impact of the incident on the business is determined by how quickly the business can respond. Larger companies will monitor, test, and track their response times. These mature security teams balance response time with risk to minimize the probability of a severe impact. It is a rigorous process that involves investigating and tracking all the avenues hackers may have into the business, documenting the steps, assigning responsibilities, and testing.
What if your company doesn’t have a certified cybersecurity incident responder team and cyber intelligence experts? The solution in this situation is not to look away and hope that your organization can be one of the small minority that isn’t hacked.
Today’s MSPs are doing more than simple monitoring. It is possible to have fewer than 250 employees and have the right cybersecurity environment for your company. MSPs have certified and trained cyber professionals that harness the latest innovations to provide services to SMBs that don’t break the budget. If it was a choice between creating an in-house team for cybersecurity and risking the $3 million average attack cost, you might need to pause and weigh the options. For a fraction of that cost, organizations can outsource their cybersecurity and be protected.
Our recommendation for SMBs is to drive improvements in cybersecurity with a focus on a secure culture. The threat landscape is too complicated and dynamic to do it alone. The number and types of potential attacks are always expanding and changing. Don’t do it alone. Find the right MSP that can create a robust security strategy that will continually evolve.
When you are ready, we know a company with over 40 years of business experience, expanding technology partnerships, and a commitment to security you can count on.