These days it’s difficult to catch up on current events without coming across an article that involves a data breach at some large enterprise. We’ve read about them all – Equifax, Verizon, Capital One, NASA, Target and a host of others. While it is usually the large enterprises that you hear about in the news, small-mid-sized-enterprises, or “SMEs”s are actually more prone to breaches than their larger counterparts. Thought leader Marc Wilczek stated: “The bad guys see small/midmarket businesses as low-hanging fruit because they typically have only basic security precautions in place and lack the sort of in-house staff equipped to deal with serious IT threats.”
Here are 3 of the top reasons why SMEs are not taking as many preventative measures against cyberattacks.
Disbelief
Executives in many SMEs hold the mindset that a data breach or cyber attack of some sort “can’t happen to me”, and this is largely due to the fact that many don’t see their organization as important enough or big enough in comparison to warrant an attack. In fact, a recent study on SMB cybersecurity found that there exists a correlation between company revenue and the belief of the likelihood of a cyberattack. 62% of participants from companies with revenue between $1M-$500M do not believe a cyberattack is likely to happen to their organization, and for companies with revenue of less than $1M, that number goes up to over 70%. Furthermore, older companies and those with older leadership show greater disbelief that their company will be subject to a cyberattack.
Low priority
For many organizations, cybersecurity simply is not a top priority among business concerns. With respect to security concerns, the same SMB study cited that cybersecurity was ranked last by over 1 out of 5 participants, and within the realm of overall business essentials, 60% ranked cybersecurity as the lowest priority in comparison to others such as driving revenue, recruiting, philanthropy, and more.
Additionally, in smaller companies, where IT security is not a separate department, but rather sits within the IT Operations department, IT security is not prioritized above other IT objectives, which also translates into less allocation of funds in this direction.
Lack of Knowledge and Proper Tooling
Many SMEs are ill-equipped with the knowledge base required to successfully prevent cyberattacks. Either they don’t know where to start, or they lack resources to properly patch systems once already breached. Many do not have the proper tools or they implement several point solutions in order to put preventative measures into place, which becomes cumbersome and confusing and at the end of the day, often do not contain all the necessary solutions required to discover assets, and remediate risks and vulnerabilities. Furthermore, many of these businesses end up with security issues caused by a misunderstanding of the implications of certain configuration changes. Over 25% of breaches are caused by some sort of IT configuration error.
So how do you implement a prevention plan for cyberattacks? While it varies for most, it takes two key elements to get started. First, you must identify who is going to be responsible for cybersecurity – will it be the CIO? Will it appoint a CISO within its IT department? A clear leader will set the structural foundation.
The second, is proper cyber hygiene. This means that you cannot solely rely on putting out fires, but you must have a solid understanding of your entire IT estate at any given time, identify in real-time where the vulnerabilities lie across their assets, and what type of processes must be performed in order to remediate any vulnerabilities. Although it is easier said than done, the process of conducting proper cyber hygiene begins with the acknowledgement that all businesses are vulnerable to cyberattacks, and putting preventative steps in place minimizes future threats, reduces overall IT costs and makes for a safer workplace. This process does not have to be lengthy, difficult, or require excessive training, as it should be conducted with an easily deployable platform that can discover, manage and remediate assets in realtime across all IT assets everywhere within the organization. Bottom line – cyber attacks have increasingly become the weapon of choice and we are all at risk…unless we roll up our sleeves and put preventative measures into place.
Sources: