As 2020 approaches, cybersecurity is top of mind for C-suite executives at virtually every company, in every sector. Indeed, shifting consumer sentiment, increased government regulation and escalating costs have made this problem unavoidable.
The latest Cost of a Data Breach Study revealed that the average breach costs a company nearly $4 million, and the immediate financial implications are just the beginning. For instance, a recent study found that 81% of consumers would stop interacting with a brand online after a data breach, depriving businesses of a critical opportunity to connect with their customers during the recovery process.
At the same time, privacy regulations like Europe's GDPR and California's CCPA are indicative of the wave of government oversight coming to companies around the world.
Taken together, it's clear that today's data landscape is increasingly challenging to navigate. This is especially true for SMBs, which are disproportionately impacted by data breaches. According to Accenture, more than half of all SMBs incurred a data breach in the past year. Unfortunately, 60% of SMBs that experienced a data breach will go out of business within six months.
For SMBs, cybersecurity is a bottom-line issue, and getting this aspect right can be the difference between a flourishing business and bankruptcy. By properly understanding the risk, SMB leaders can take the right precautions to ensure their data is secure.
What makes SMBs vulnerable?
After years of high-profile data breaches at companies like Yahoo, Equifax and Marriott, many hackers have turned their attention to SMBs and local municipalities to collect people's personal information. By August, The New York Times counted more than 40 governments that were victimized by costly ransomware attacks this year. Similarly, a recent study by the Ponemon Institute found that SMBs are experiencing an uptick in cybersecurity threats on many fronts; in some regions of the world, threats are increasing by as much as 21% year over year.
From phishing scams to insider threats, cyber incidents have become a normal part of running an SMB. Here's why.
1. SMBs operate with limited budgets.
By their very definition, SMBs have fewer resources to dedicate to cybersecurity initiatives than their corporate competitors. Unfortunately, cybercriminals are aware of this disparity, which leaves SMBs susceptible to cybercrime.
Interestingly, cybersecurity is a significant concern for these companies. A recent survey by Untangle found that 80% of SMBs rank IT security as a high priority. However, the study, which polled more than 300 SMBs, found that nearly one-third of these companies dedicate less than $1,000 of their annual budget to cybersecurity defense, and more than half don't have a dedicated cybersecurity professional on staff.
That doesn't mean that these companies aren't tech-savvy. More than half of SMBs have more than 100 devices on their network, and 40% operate in at least five different locations.
In other words, SMBs are heavily reliant on tech capabilities, but their budgets create a chasm between their business ambitions and the realities of today's threat landscape.
2. SMBs struggle to acquire top talent.
Perhaps unsurprisingly, businesses that don’t prioritize cybersecurity in their budgets also struggle to acquire top cybersecurity talent.
Currently, cybersecurity talent is one of the most in-demand skill sets, as companies of all sizes strive to protect their IT infrastructure from cyberattacks. Deloitte estimates that, in Canada alone, companies will need to fill 8,000 cybersecurity roles by 2021. Consequently, many SMBs are being priced out of the market.
Therefore, many small businesses are turning to less experienced personnel to protect their data. McAfee’s 2019 Cybersecurity Talent Report found that 54% of small businesses employ cybersecurity personnel with no cybersecurity credentials, while 24% of midsize businesses do the same.
At the same time, the novice talent that they can acquire often demands on-the-job training that limits its effectiveness and continues to balloon the cost of cybersecurity talent. In total, it’s estimated that demand for cybersecurity professionals will soon require an additional 4 million trained workers, which means that SMBs will need to get creative when it comes to acquiring and retaining the cybersecurity specialists who will help keep the company’s IT secure.
3. SMBs face fatigue and burnout.
As companies struggle to allocate sufficient resources toward cybersecurity priorities and personnel, those responsible for protecting company data are facing alarming burnout rates. According to a 2019 study by Goldsmiths, nearly two-thirds of cybersecurity personnel have considered quitting their jobs, and 64% are contemplating leaving the industry altogether.
This reality only exacerbates the cybersecurity dilemmas at SMBs that often ask employees to manage high-stakes responsibilities that exceed their expertise. Taken together, these factors leave SMBs with a difficult job ahead. Not only are they collecting and storing more data than ever before, but bad actors and accidental data thieves are compromising this information from seemingly every angle.
How can SMBs succeed at data security?
Fortunately, data security doesn't have to be a hopeless endeavor. On the contrary, there are active steps that every company can take to protect its information and its long-term viability in today's hostile digital environment.
1. Expect the expected.
In many ways, cybersecurity can feel like an existential threat that is both unidentifiable and undefinable. In reality, some risks are more prominent than others, and SMBs can cover many of their bases by expecting the expected.
Specifically, a company's own employees represent one of the most pressing threats in today's data landscape. For instance, Verizon’s 2019 Data Breach Investigations Report found that fully 30% of all data breaches are attributable to insider threats. Whether employees maliciously steal company info or accidentally expose sensitive information, they are often the ones working directly with data.
To protect this valuable information, every company should consider some iteration of employee monitoring or data management software that can regulate data access and movement while holding bad actors accountable for their actions.
Of course, employees compromise information in other ways, as well. More than a quarter of all cyberattacks start with phishing attacks that coax unsuspecting employees into handing over their credentials and giving bad actors unparalleled access to company data. That's not to say that most employees are foolish or fraudulent. Rather, SMBs should expect the expected threats, and they should allocate their resources to address these vulnerabilities.
2. Automate whenever possible.
SMBs can support their cybersecurity initiatives – and their beleaguered IT staff – by instituting automation whenever possible.
Today’s employee monitoring and endpoint data loss prevention software is more capable than ever before, and the best options come equipped with automation tools that reduce the strain on overworked cybersecurity staff. For example, SMBs can automate access to sensitive data sets, making it less likely that this information will end up in the wrong hands. Moreover, placing automated restrictions on data movement or privacy controls helps ensure that data privacy is a priority down to the software level.
This is especially important for supporting already-exhausted cybersecurity staff. Cisco’s 2019 Asia Pacific CISO Benchmark Study found that Australian organizations receive over 100,000 security alerts every day, a number that’s so large that it can feel like an abstraction. However, it’s indicative of the significance of the task and the importance of lightening the load whenever possible.
3. Prioritize cybersecurity communication.
Effective cybersecurity initiatives require an all-in approach from SMBs, which means that top-down communication and collaboration are crucial. Actively train employees about the magnitude of the data threat, and provide them with the information they need to successfully protect company data. Since a company's very survival could be on the line, everyone has an incentive to get this priority right.
In addition, communicate data handling and management standards. If employees shouldn't access company data on personal devices, let them know, and enforce that standard with the right technology. Whatever the expectation, make regular communication an integral part of your cybersecurity strategy.
Regular communication might help identify additional best practices for data security, and it will undoubtedly help employees do their part to keep information secure.
It's estimated that improving cybersecurity will collectively save companies more than $5 trillion over the next five years, which means that SMBs have much to gain and everything to lose by embracing this priority.
For many consumers, data privacy and cybersecurity are becoming the differentiating factors when choosing where they want to spend their money, time and attention. In truth, today's data landscape is as much an opportunity as it is a liability, and companies that can deliver on this imperative have positioned themselves to flourish in today's digital environment.