Cybersecurity On A Small Business Budget
Is it possible to protect your organization from ransomware, phishing, and other forms of cybercrime without overspending on cybersecurity?
When the news covers a data breach, more often than not, they’re focusing on the big fish. You’ve probably heard about all the major cybercrime events of the past few years:
- This year, Capital One was penetrated, and the personal information included in credit card applications of 100 million Americans and up to 6 million Canadians was leaked.
- Food delivery service DoorDash announced late last month that their systems had been breached by hackers, affecting close to 5 million customers’, drivers’ and merchants’ data.
- In late 2013 Target was hit with a major credit card fraud malware attack when hackers gained access to their network through the corporation’s HVAC vendor Fazio, who had been given external access for business purposes.
It’s this kind of cybercrime news coverage, biased towards major companies, that has probably led you to believe a certain myth…
Aren’t You Too Small To Be A Target?
You might think so – but you’d be wrong.
In fact, in almost half of all the cyber breaches that have occurred, a small business was the target. Consider these stats reported in Verizon’s Data Breach Report and Forbes:
- 58% of all breaches in 2018 involved small businesses. 43% of all breaches involved small businesses in 2019.
- Ransomware attacks are still going strong, accounting for 24% of the malware incidents analyzed and is the #2 most-used malware type.
- Outsider threats remain dominant (69% of breaches) with insiders accounting for 34%.
- More than half (56%) of data breaches took months or longer to discover.
However, no matter how dangerous cybercrime maybe, you might still think it’s not worth investing that much money on a cybersecurity defense. The assumption here is that cybercrime events aren’t that expensive…
What Does Cybercrime Cost?
Do you understand all the costs that come with being the victim of a cybercrime attack? It’s not just the cost of repair, or the cost of the time spent resolving the issue.
For example, let’s consider the many costs associated with ransomware:
- Ransom: This is the most obvious cost, and it just keeps going up. According to cybersecurity company Coveware, what was an average ransom of $6,733 in 2018 has increased to $12,672 in 2019.
- Downtime: As Kaspersky notes, 34% of businesses hit by ransomware take up to a week to regain access to data. In that week, you’re still incurring costs associated with downtime while you and your staff can’t access your data. That’s time in which you can’t get work done, can’t serve your clients, can’t gain new business, and still pay your employee wages and ongoing costs to keep the lights on. Put simply? Lots of expenses with no revenue.
- Remediation: Lastly, there’s the cost of damage control. Do you have to hire an IT company to help you out? Do you have to hire a forensic cybersecurity crew to determine how you were attacked? Do you have to pay fines for breaching HIPAA or FINRA regulations? These all get added to the bill for getting hit by ransomware. These costs can be so high that they bring small business operations to a halt for weeks or even months. In 60% of reported cases, the victims are forced to suspend operations after a cyber attack, and never reopen for business.
How Should You Be Investing In Cybersecurity?
The fact is that it’ll be more cost-effective to invest in defense now, rather than pay the price as a victim of cybercrime later. By taking the necessary steps ahead of time, you can mitigate many potential threats, and avoid having to pay.
A three-tiered defense will protect you from external cybercriminals, as well as internal human error, and technology failure:
1. Securely Manage Your Network: This includes firewalls, routers, and switches. As key aspects of your network (and the defense of your network), these devices need to be configured properly to make sure optimal security. As explored above, the default configurations of such devices may not be sufficient. It’s up to you to make sure they are made secure.
- Keep these devices configurations in line with secure configurations defined for each type of network device in use by your organization.
- Make use of automated tools in order to verify standard device configurations, as well as to detect any unauthorized changes that are made.
- Implement multi-factor authentication and encryption for all network devices.
- Keep all network devices up to date and patched.
- Segment administrative tasks and elevated access to machines dedicated for that use. As mentioned above, such devices should be air-gapped from unnecessary parts of the network when possible.
2. Train Your Staff: A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:
- How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
- How to use business technology without exposing data and other assets to external threats by accident.
- How to respond when you suspect that an attack is occurring or has occurred.
3. Trust Your Data To The Right Services & Vendors: Overall, the cloud is more secure for SMBs and any misconception that the cloud is not as safe is outdated. Most SMBs have their network in a room that is unlocked, only has one source of power and internet, is not ventilated properly, and is sitting on network infrastructure that SMBs can afford. Cloud data centers use multiple resources for power and internet and sit on enterprise-level infrastructure. Find a trusted resource for this as data centers like Microsoft Azure invest billions in the security of their center, are established to host companies with high compliance regulations like HIPAA, PCI, GDPR, etc. and are SOC 1,2, & 3 compliant.
Ask For Help If You Need It
The right IT company will help implement security measures like administering complex security devices like firewalls, patching, antivirus software updates, intrusion and gateway protection, to name a few.
Furthermore, they should support your cybersecurity processes and practices, by implementing 2-factor authentication, employee security training, and password reset policies for your company. Make sure to properly interview an MSP to have the ability to do these entry-level basics for security as not all MSPs are the same.
MSPs also should have the ability to provide or have a partner that provides security operation center (SOC) services, especially if your business falls under some sort of compliance (HIPAA, PCI, GDPR, GLBA, etc.)
If you’re not sure about how to ensure your protection against ransomware and other cybercrime threats, then don’t try “fake it ’till you make it”. Be sure to consult an IT company for assistance.
Like this article? Check out the following blogs to learn more: