We hear this all the time. Consider, why would hackers target a small or medium-sized business (SMB)?
#1. Because They Can
Like many crimes, cyber attacks are often a crime of opportunity. SMB’s are often a “soft target”, having employed less preventative and restorative controls than their enterprise counterparts. Bad actors often cast a wide net, looking for the easy target; a company that has not patched their software, changed default configurations, or trained their employees to counter social engineering attacks. If you haven’t identified your cyber vulnerabilities and taken action to remediate them, you might get caught in the net. Once the attacker identifies and exploits a vulnerability, it’s just a question of whether it’s worth their time to hold you for ransom, defraud you, or simply vandalize you.
#2. Because Your Customers Are a Target, and YOU May be THIER Vulnerability
In more sophisticated attacks, the criminals look for a path to penetrate larger players… and you may be it. We see examples of supply chain attacks often, where a supplier is either deliberately or opportunistically targeted as a path to the larger target. And if we put testimonials or client case studies in the public domain, we may even help the bad guys identify our connection to the ultimate target.
Though few of us fit into the scale of the SolarWinds attack, it’s a real-time example of a supply chain attack using a vendor to penetrate the ultimate target. In the SolarWinds case, the target being the US Government and 18,000 other (likely enterprise-level) clients.
How Real Is The Threat?
That’s an important question and one that we always evaluate in a formal risk assessment. Here’s just a couple stats from late 2019. It’s not gotten better in 2020.
- Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.
- Cyber security incidents cost businesses of all sizes $200,000 on average, according to insurance carrier Hiscox.
- Sixty percent of these companies go out of business within six months of being victimized.
- More than half of all small businesses suffered a breach within the last year.
What can you do?
Start with the basics. Ask your IT team or Managed Service Provider (MSP) about your security vulnerabilities and what is currently in place on your behalf. Here’s a great set of questions to start with. https://cisomag-eccouncil-org.cdn.ampproject.org/c/s/cisomag.eccouncil.org/21-questions-managed-service-providers/amp/
Don’t forget to take a look at the “low hanging fruit” you can do yourself. You can find our “5 cyber security tips for small businesses” on the Arizona Commerce Authority website. https://www.azcommerce.com/small-business-boot-camp/week-24/top-5-cybersecurity-practices-for-small-businesses/
What Else Should SMBs be Considering?
First, anticipate that more cyber security regulation is heading your way. It may be private regulation, as your larger clients implement their own Vender Vulnerability Management plans to ensure you don’t put them at risk. Have you seen cyber security questionnaires coming your way in RFPs or in the sales process? You will.
Second, if you do business with the government, watch for the regulation to come faster and more formally. The best current example, beyond the familiar HIPAA regulations for healthcare, is the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. This Department of Defense (DoD) security regulation is rolling out now to all DoD prime and subcontractors. With the recent successful breaches on federal agencies, such as the Treasury and Energy Department, regulations are likely to expand quickly beyond the DoD. States will not be far behind. Our best guess is CMMC will be a key part of these broader regulations.
Finally, consider a third-party security assessment from a company such as ourselves, Cosant. The scale could be anything from a vulnerability scan to a full Risk Management and Business Continuity Plan. In addition to the tactical vulnerabilities, we’ll help you identify what regulations are headed your way and when, and build you a roadmap. We can also share how to ensure security questionnaires don’t slow your sales process down with our executive report, “Data Security Requirements for Winning RFPs, https://cosant.com/top-5-data-security-requirements-for-winning-rfps/.
Stay safe out there.