The recent Colonial Pipeline ransomware attack is a stark reminder of the danger of cybersecurity threats. For business owners, witnessing such a large business be extorted for 4.4 million USD in liquid assets is a wake-up call to the dangers of inadequate security measures. For the average consumer, such impacts can be felt in our checkbooks and our wallets as we go to fill our gas tanks. The impact this event has had on both vital sides of business, the consumer, and the provider, cannot be understated. While you may feel your business is adequately defended or that your business “isn’t big enough” to be affected by cybersecurity breaches, this may not be entirely true.
Small and Medium-sized Business (SMB) owners have reported high levels of confidence in their current cybersecurity measures and system infrastructure. A recent study by David Bisson, a Contributing Editor for IBM’s Security Intelligence team, reported that 95 percent of the businesses they polled were certain they had “at least above average” systems in place to defend them from cybersecurity threats. Furthermore, another 89 percent of businesses polled believed their security systems “could protect their organization against any threat imaginable”3. While confidence can often be beneficial to a team’s feeling of security, it may not contribute to the security of the team itself especially as cybersecurity threats are becoming a growing issue for SMB owners. The events that caused the cybersecurity disaster at Colonial Pipeline have resulted in larger businesses rallying forward with new cybersecurity systems and proper system infrastructure, but where does this place SMB owners?
According to a survey conducted from the National Center for the Middle Market, “55% of SMB companies lack either an up-to-date cyber-risk strategy or any defined cyber-risk strategy at all” and “50% of IT leaders say they don’t know where to start to improve their security posture”. While your IT team may work diligently to protect your data, they may lack knowledge of novel cybersecurity risks, or they may lack an adequate security budget to analyze the risk of cybersecurity threats and properly circumvent them. While your business may have cybersecurity measures in place it is important to be aware that overconfidence can be an Achille’s heel. Furthermore, SMB owners without a proper system infrastructure cannot employ cybersecurity strategies effectively and will be at risk. Overconfidence and unorganized supporting systems may lead to successful breaches of sensitive data and precious time and funding lost due to a crippled infrastructure.
It may be comforting to believe that your business will be unimpacted by cyber-security threats due to the nature of being an SMB, but trends show that SMBs are being increasingly targeted. In only a year’s time cyberattacks have become 32% more common 4. Furthermore, hackers have identified that SMBs serve as a potential gateway to access not only your files but those of your customers and their businesses as well2.The confidence expressed above has allowed hackers to exploit weaknesses in SMBs in order to hold SMBs ransom and reach information that will eventually allow them to access other companies. This adds to the ever-growing tally of cybercrime damages which are expected to increase to 6 trillion dollars by the end of 20217.
There may be the desire to wait until such events happen to justify the purchase of Managed IT Services and set forward critical systems that would deter cyberattacks, but a reactionary method can serve to be more costly than effective as it is not a part of a well-planned strategy5. Once your data has been breached you may lack the ability to recover from such a breach. Furthermore, the number of resources lost in only a single breach cannot be understated. While a breach could permanently damage tangible resources such as your files and data, even more devastating is the damage it may inflict on your customers’ and employees’ trust in your company. A security solution with clear planning should involve five key steps:
- The ability to identify current and evolving threats.
- The ability to protect from these threats as they arise.
- The ability to detect abnormalities and potential areas of concern within a system.
- The ability to respond to any abnormalities.
- The ability to recover from any potential damages that may occur.
These elements must be supported by equally capable and well-maintained IT systems that can interpret and execute each element of the strategy. The issue with reactionary strategies is that they focus on only the last two steps of what a true security solution should provide.
One must have a solid infrastructure and Incident Response Plan (IRP) to confront such issues. SMBs must have a system that is well-organized, consistently managed, and most importantly for cybersecurity threats, protected. To reach such a posture SMBs must ask critical questions on how to protect their company. Where is our company exposed to cybersecurity threats? What is an acceptable level of risk? What can we do to improve in areas where our security is substandard?1. The main reason that many SMBs fall victim to cybersecurity threats is that some do not know where to start. SMB owners must be able to understand the trend of threats to properly identify how those threats are evolving. This is often where SMBs run into complications. These complications can arise due to a lack of experience in technical matters, relying on software that lacks interactivity, or SMBs not being able or willing to dedicate the appropriate resources to such tasks1. While cybersecurity solutions certainly exist, it remains imperative for the owners of SMBs to acknowledge the potential shortcomings of the infrastructure that underlies their key IT systems and data. Furthermore, SMB owners require systems that are comprehensive and responsive to user input either through a helpful User Interface (UI) or a responsive system management team.
Despite fears that systems may not be worth your company’s resources or effort, the need for a holistic solution is becoming an ever-pressing issue that is trending upwards in occurrences. While before SMBs have been shielded by not being a primary target of hackers, the theatre is rapidly changing and SMBs, due to their lack of sufficient solutions, have become recognized as easy targets and the entry point into larger partner systems. Hackers will continue to look for potential weak points they can exploit to make a profit and unfortunately it only takes one problem to have a significant impact on your bottom line. Fortunately, in response Managed IT Service Providers (MSP) are adapting their offerings to address these issues as well. Solutions that incorporate cybersecurity tools into their standard offering are becoming more readily available to SMBs. Furthermore, MSPs have enhanced their offerings to allow you to recognize cost reductions and improved efficiency across the technology spectrum. The importance of having managed solutions that users can interact with has been more readily recognized by MSPs and these providers have stepped forward as a reliable, safe, and efficient asset for SMBs looking to grow and change with the digital age5. While threats are increasing so too are the responses to those threats as the cybersecurity arms race wages on. Through cybersecurity breaches like those at the Colonial Pipeline a new focus upon cybersecurity concerns and cybersecurity preparedness is becoming more readily talked about and discussed among businesses both large and small. SMB owners are pressing ever-onward into the digital age alongside the threats that come with the territory, but with proper vigilance, organized infrastructure, and adaptability these companies can continue trail-blazing with confidence and the ease of mind that they will not be the next Colonial Pipeline.
Peter Frasco is the owner and CEO of Intelligent Integration Technologies and CMMC Registered Practitioner with over 30 years of experience in Information Technology and Cybersecurity including work for the US Army as a Chief Warrant Officer, Silicon Valley Startups, and BlackBerry during their pivot to a cybersecurity powerhouse.
Citations and Further Reading:
1. Michael Benz, Dave Chatterjee,
Calculated risk? A cybersecurity evaluation tool for SMEs, Business Horizons, Volume 63, Issue 4,2020, Pages 531-540, ISSN 0007-6813
2. Better Business Bureau, 2017 Better Business Bureau
2017 state of cybersecurity among small businesses in North America
3. Bisson, 2017 D. Bisson
Small companies overconfident about their security posture, finds survey.
Tripwire (2017, January 31)
4. Deppen, 2018 L. Deppen
Why cybersecurity incidents are up 32% from last year
TechRepublic (2018, July 17)
5. Downing and Jackson, 2018 J. Downing, C. Jackson
Midmarket tech investments: IT governance falls short
The Wall Street Journal (2018, October 9)
6. Positive Technologies, 2018 Positive Technologies
Positive Technologies report: Number of cyber incidents in Q1 jumped by 32 percent
7. Morgan, 2019 S. Morgan
Global cybersecurity spending predicted to exceed $1 trillion from 2017–2021. Cybercrime Magazine
(2019, June 10)