Top 5 Cybersecurity Questions For Small Businesses Answered – Forbes Advisor

2022-05-21 23:12:31 By : Ms. Katie Deng

As the owner of a small or medium-sized business, you know the importance of protecting your employees, your customers and your brand against cyberthreats. But with so many daunting headlines about ransomware, questions from customers about data privacy and security and ever-evolving technology, it can be difficult to know where to begin.

Unfortunately, failing to take action is not an option. Based on Verizon’s 2021 Data Breach Investigations Report, 43% of online attacks target small businesses, and more than half of those businesses end up with confirmed breaches. In an incident’s wake, businesses face average remediation costs reaching $200,000, which is enough to put about 10% of them out of business in the months that follow.

So what can small and medium-sized businesses (SMBs) do to fight back and protect their business and data? To help, I’m answering some of the most common questions I hear from fellow small and medium-sized business owners.

In today’s increasingly connected world, SMBs can no longer hide in digital noise made by bigger players in the market. In fact, SMBs are facing the same cybersecurity threats as those making national headlines.

In particular, ransomware is continuing to wreak havoc, threatening the availability of a business’s data if a ransom isn’t paid to unlock it. Unfortunately, ransomware is often the result of another major threat to SMBs, social engineering, which uses phishing techniques to manipulate a legitimate user into sharing confidential information or credentials with a criminal.

Many businesses are also failing to put proactive maintenance of their systems, applications and hardware on their priority list, allowing criminals to take advantage of commonly known vulnerabilities to gain unauthorized access to the business’s network.

Whether your business relies on an internal IT employee or a third-party provider for security depends on several factors. Chief among them are the qualifications, skills and knowledge that your in-house IT professional has about cybersecurity and your business’s threat environment.

However, given the range of technology that your business uses each day, the security policies that need to be implemented and updated, and the wide range of existing solutions and services out there made for businesses such as yours, bringing in an external team may be worth the investment in the long run. This can also allow your in-house IT team to focus on more strategic business initiatives.

The answer to this question depends on your industry, regulatory requirements, company size, customer expectations and even your business’s appetite for risk. What is more certain, however, is the fact that it is usually less expensive to prevent a cyberattack than it is to recover from the financial and reputational costs of one.

Just as one data point, one report found that the average company spent about 11% of its IT budget on cybersecurity, or about $2,700 per full-time employee per year. The same study found that the biggest elements of those budgets were, in order, threat monitoring, endpoint and network security tools, and identity and access management solutions.

Even before the dramatic shift toward remote work arrangements and the use of digital services to connect with customers, employees were on the front lines of their business’s cybersecurity.

Although security technology has continued to improve its ability to filter out most threats, it will never fully eliminate all risks from reaching the employees who are often the target of cybercriminals. This is where security awareness and other training can empower your employees and give them the tools to play their part in your cybersecurity strategy.

Begin with providing a foundation of strong security practices, such as the importance of password management, the need to use secure networks, phishing awareness and their role in incident response. Then build out the processes to regularly reinforce their knowledge and emphasize their role in protecting your business’s customers, brand and even their colleagues.

One study found that 30% of SMBs do not have an incident response plan to call on in the event of an attack.

While there is no universal approach, here are some key elements that should help to get your own incident response plan started:

Between balancing human resources challenges, developing marketing strategies and handling day-to-day budgeting and operations, SMB leaders have plenty on their plates.

Fortunately, there are a lot of resources out there to help SMBs learn more about the best practices and tools they can employ to strengthen their organization’s cybersecurity. Good places to start are with the U.S. Department of Homeland Security tier-based road map, CISA’s SMB Toolkit and list of related resources and the online and in-person events sponsored by the National Cybersecurity Alliance.

Ultimately, it is important to remember that cybersecurity isn’t a one-and-done exercise; it’s a continuous journey that SMB owners and their employees will be taking together.

Jack Koziol is president and founder of Infosec, a leading security awareness and anti-phishing training provider. With years of private vulnerability and exploitation development experience, he has trained members of the U.S. intelligence community, military and federal law agencies. His extensive experience also includes delivering security awareness and training for Fortune 500 companies including Microsoft, HP and Citibank. Jack is the lead author of The Shellcoder's Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with Snort, a best-selling security resource with top reviews from Linux Journal, Slashdot and Information Security Magazine. Jack has appeared in USA Today, CNN, MSNBC, Wall Street Journal and other media outlets for his expert opinions on information security.

Rob is an SMB writer and editor based in New Jersey. Before joining Forbes Advisor, he was a content producer at Fit Small Business. In that role, he was responsible for writing, editing, and strategizing content geared toward small business owners. Before that, he worked at PCMag as a business analyst.