This blog was originally written by Van Ngo and published on 24 August 2018. It has been updated to include new statistics for small businesses and actions to be taken in light of new and evolving threats. The update includes content contributed by Charlotte Murphy.
1. Data breaches do not discriminate
Data breaches in 2021 jumped 68% to the highest total ever, according to Identity Theft Resource Center’s 2021 Data Breach Report. That translates into 1,862 breaches versus 1,108 in 2020.
Statistically, you stand a 50% chance of being breached as a small business.
Contrary to popular belief (57% of small and medium enterprises do not believe they would be targeted by cybercriminals), threat actors do not discriminate when it comes to launching malicious attacks.
They seize every opportunity to steal data. It doesn’t matter if the data is stolen from a multi-national company (MNC) or a small and medium enterprise (SME).
In fact, SMEs like yours are easy targets for attackers because small companies usually lack the budget and resources to deploy the necessary technology and skilled personnel to defend themselves compared to larger corporations.
2. Data breaches suffered by small businesses can cause damages of up to US$120,000
IBM’s Cost of a Data Breach Report 2021 found that the average total cost of a breach increased by 10% to US$4.24 million, with the average total cost of a ransomware breach at US$4.62 million.
The average financial loss suffered by small and medium enterprises (SMEs) like yours has been calculated to be up to US$120,000, according to Kaspersky Lab’s report.
Financial losses are just a part of the story, though. Your organization can suffer other losses that have a huge impact on the business but might not be easily accounted for in monetary terms, such as:
- Lost Business
- Damage to Credit Rating / Insurance Premiums
- Extra PR (to repair brand damage)
- Penalties and Fines
- Employing external professionals
- Improving software & infrastructure
- Additional Internal Staff Wages
- New staff
3. Human error and negligence are two of the largest contributors to data breaches
The IBM Cyber Security Intelligence Index Report found human error to be the number one cause of successful data breaches.
You might be surprised to learn that an alarming 95% of all cyber security breaches are caused by human error. A common example of this is when an employee downloads a malware-infected attachment, fails to use a strong password or is an unwitting victim of phishing attempts.
Phishing attacks are one of the biggest security threats that modern businesses face today. Data from Cisco's 2021 Cybersecurity threat trends report suggests that phishing is responsible for approximately 90% of all data breaches.
Human errors and negligence also lend themselves to being conduits for malware to invade your cloud infrastructure.
Malware attacks are another big threat facing businesses and encompass a variety of cyber threats such as viruses and ransomware. Malware usually arrives via malicious email attachments, website downloads, or connections to already-infected devices.
4. Ransomware is evolving and becoming more sophisticated
Ransomware usually starts off as a credential compromise (where a cybercriminal was able to obtain the login details of a staff member), a phishing email, or human error or negligence.
Once in, the malware traverses your cloud infrastructure, probing for ways to escalate its access permissions, such as exploiting users’ unsecured and simple passwords in order to gain access to your sensitive data.
As soon as they strike gold, the malware goes to work exfiltrating the data to the cybercriminals’ servers and then encrypting the data.
At this point the malware is known as ransomware, because the cybercriminals will then contact you for a ransom. They will threaten to release the data or sell it to the highest bidder if you don’t pay up or, in some cases, even destroy all your data.
The best way to protect your company from phishing attacks is by downloading high-quality security software and educating your employees on how to spot a phishing scam.
4 things you can do today to minimize the risks
1. Include cybersecurity in your company culture
Cybersecurity is in fact a business enabler. Yes, growth and efficiency are important, but all that comes to naught when you are hit by a malicious attack.
Just like you would close and lock your front door before settling in for the evening at home, make cybersecurity your top priority. Your investment will go a long way in ensuring that you are able to, as we like to say here at Horangi, innovate without fear.
A company culture that includes cybersecurity ensures that everyone in your organization is aware of the risks and takes intentional steps to be safe, e.g. knowing how to identify phishing emails and reporting them.
Everybody starts somewhere, and building this culture can be simple. You could lead by example: start reading some cybersecurity 101 articles and paying attention to the news every day. Familiarize yourself with how to avoid simple mistakes, share what you’ve learned with your employees, and encourage them to share too.
Further, building such a culture costs next to nothing. If you are interested in how you can achieve cyber hygiene with limited resources, listen to our recent podcast where our guest shares tips for SMEs and startups to do just that.
2. Start with the basics and prepare an incident response plan
Complying with security frameworks and industry compliance standards is a good starting point to securing your cloud infrastructure. Some, like the NIST framework, are easy to understand and implement.
Other compliance standards you should look at are those that help secure and protect the privacy of your customers, such as GDPR, PDPA, etc.
Cyber attacks are a matter of “when” and not “if”. Start engaging with professionals to build your incident response strategy and plan, or get together with your executive and IT teams to discuss and formulate a response plan to outline what you might do in such a scenario.
3. Get help
Hiring and retaining skilled cybersecurity personnel takes time and is expensive.
Instead, think about engaging services that put a team of professionals or even a Chief Information Security Officer (CISO) at your disposal and will help formulate and implement some best security practices for your organization within your budget.
Even if you already have a small team, think about augmenting their capabilities with these teams so they don’t burn out from issues like alert fatigue (where your staff is overwhelmed by and overloaded with security alerts).
You can also choose to engage cybersecurity services on an ad hoc basis to perform penetration testing (where they help to test if your cloud infrastructure can be breached), managed threat hunting (where a team of cybersecurity professionals hunts for hidden threats within your network), or other services.
4. Invest in the right technology
There’s a myriad of technologies out there that purport to help you implement and achieve a healthy cybersecurity posture, but going through every offering can be daunting. Even the acronyms can be hard to remember!
I would advise looking at investing in a Cloud Security Posture Management (CSPM) tool as a start.
CSPMs offer you visibility into your cloud assets (visibility is the most important element of any cybersecurity strategy: you can’t protect what you can’t see, right?), and most also help you comply with privacy and industry standards (see point 2 above) and monitor and remediate identified threats.
Ensure that you choose one that you and your non-technical staff can install quickly, and that helps train your staff in remediating threats with step-by-step instructions, so that even non-technical people can upskill in the course of performing these remediation tasks.
Finally, while a CSPM may require an initial upfront financial investment, it helps you save on overheads in the long run.
We have a whitepaper that can help you select one, which you can download to learn more, so go ahead and grab it!
Cybercriminals do not discriminate when launching malicious attacks against organizations. SMEs like yours are as likely to be attacked as big corporations, so cybersecurity needs to be the first thing you put in place before thinking about growing and expanding your business.
I hope that the 4 statistics and ways to minimize the related risks here have been helpful. If you’d like more information, feel free to talk to us at email@example.com. We’ll be happy to help!