In recent years, the number of cyberattacks has been increasing at an alarming rate – and small businesses are particularly vulnerable. In fact, 43% of all cyberattacks target small businesses. This is because they are often seen as an easy gateway into larger companies through the supply chain or payment portals.
Even a single cyberattack can have a swift, devastating impact. On average, it costs small businesses $690,000 to recover from a cyberattack. Of those small businesses that experience a cyberattack, 72% are not able to fully restore their company’s computer data, according to a recent study by the Ponemon Institute. Further, 60% are forced to close their doors within six months.
Despite the looming threat of a cyberattack, 83% of small-business owners don’t have any cybersecurity measures in place – with many mistakenly believing they are too expensive or difficult to implement. But as the number of cyberattacks continues a steady climb upward, companies are beginning to invest significantly more dollars in cybersecurity. In fact, cybersecurity spending has seen a 67% increase over the past three years.
Now more than ever before, it’s critical that small-business owners develop a robust cybersecurity plan that will help keep their data safe and secure. But in order to be most effective, companies will first need to be aware of the latest trends in cybersecurity for small business:
Small businesses play a vital role in our nation’s economy, accounting for 54% of all U.S. sales and 55% of U.S. jobs. They are also a top target of cyberattacks, which can be caused by a variety of threats – from viruses and worms, to phishing and malware.
However, many small-business owners lack the expertise needed to successfully monitor and protect their computer systems and sensitive information, making them particularly susceptible to crippling cyberattacks. But as cybersecurity has become a major priority on a national scale, federal agencies are now turning their focus to protecting small businesses from this threat.
As part of this effort, the U.S. House Committee on Science, Space and Technology approved the NIST Small Business Cybersecurity Act of 2017 on May 2. Sponsored by the National Institute of Standards and Technology (NIST), this bipartisan bill would provide the key resources, tools and best practices to help small businesses cost-effectively identify, assess, manage and reduce their cybersecurity risk, if enacted into law.
In recent years, companies of all sizes have been challenged with navigating a constantly shifting cyber threat landscape. Ransomware – an attack in which cybercriminals hold a company’s digital assets hostage in exchange for money – has recently emerged as a very serious threat for small-business owners.
At least 190 types of ransomware currently exist, with more created every day. Once a malicious link is clicked, the malware encrypts files on a victim’s computer and locks access until ransom is paid, which can cost anywhere from $200 to $30,000 per incident. In most cases, ransom is demanded in bitcoins – making the transaction difficult to trace.
And ransomware is only becoming more frequent, effective and costly. The number of ransomware attacks spiked 6,000% last year – infecting an average of 4,000 computers worldwide per hour, according to the FBI. Further, ransomware robbed companies of nearly $1 billion in 2016 alone. This is just the tip of the iceberg, as ransomware attacks will likely spread to internet of things (IoT) devices, point of sale (PoS) systems and ATMs this year.
When hit with a ransomware attack, businesses have three options: pay up, restore from a backup or suffer the consequences of not having access to critical business systems. The problem is, this business model works – 70% of companies paid ransom to get their data back, according to a recent study by IBM Security.
With the rise of the digital workplace, IT is no longer the purveyor of all systems and applications within a company. Instead, employees are increasingly turning to the cloud to meet their evolving technology needs. But as cloud storage offers on-demand access and less IT involvement, cybersecurity has become a major concern.
The appeal of cloud-based services such as Gmail, Asana or Dropbox is readily apparent – data can be stored online and accessed from anywhere, effectively allowing employees to get their tasks done quicker and more easily. According to a recent report by the NPD Group, 76% of respondents reported using a cloud-based service over the past year. However, this has led to a huge problem – the rise of shadow IT.
In simple terms, shadow IT is when cloud services are used without IT’s approval. For every instance an employee uses an IT-approved cloud service, there’s another using a personal, unsanctioned version. Even with approved apps, nearly half of users are accessing them from non-corporate email accounts – ultimately exposing sensitive data to external threats.
To address this growing issue, more than three out of five companies are putting formal usage policies in place to mitigate the risk of shadow IT on the cloud. By creating a cloud usage strategy, small-business owners can be better equipped to monitor and prevent unauthorized cloud usage – before it becomes a security issue.
The advent of IoT has opened the door for a new realm of hacking opportunities – the most recent being distributed denial-of-service (DDoS) attacks on IoT devices. In simple terms, a DDoS attack is when a hacker overwhelms a system with data – most commonly a flood of website traffic that causes a web server to crash – ultimately preventing legitimate users from accessing the system.
Most recently, DDoS attacks have spread to IoT devices within the workplace, such as printer/copier machines, IP-connected security systems, internet routers and climate control systems – presenting hackers with an unexpected means of accessing business networks.
In the rush to roll out a variety of IoT devices, security has taken a backseat – making DDoS attacks that much easier (and more likely) to occur. According to a recent report by Cisco, 17 million DDoS attacks are projected to occur annually by 2020 – a 260% increase in only five years. And more than 25% of all identified attacks will involve IoT devices, according to Gartner.
In response, the Federal Trade Commission recently began cracking down on security by targeting IoT device manufacturers whose devices lack adequate security – and security spending has increased as a result. In fact, worldwide spending on IoT security is expected to reach $434 million this year, nearly a 25% increase from 2016.
Of all forms a cyberattack can take, phishing is reportedly the most common. More than one million phishing attacks were detected in 2016 – a 308% increase year over year, according to a recent report by RSA Security. Even more alarming, phishers launch a new attack every 30 seconds.
Most recently, there has been a sharp spike in phishing attacks that impersonate a company through email and SaaS services, such as MailChimp or Salesforce. Without malware or bad links in the email to filter out, these types of attacks can bypass traditional security defenses – making them difficult to catch.
In response, many email service providers are adopting Domain-based Message Authentication, Reporting and Conformance (DMARC), an email-validation system that protects email users from phishing by blocking same-domain impersonation attacks as soon as they are attempted.
In addition, DMARC generates a report of all rejected emails for the domain owner – providing an opportunity to catch phishing attacks in real time, as well as to identify any “shadow” services that employees might be using without approval.
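As an added illustration (not code from the original article), the check below shows how a receiving mail server applies a DMARC record: it parses the domain owner's published policy, then treats a message as authentic only if SPF or DKIM passed for a domain aligned with the visible From domain, so a message that impersonates the company but was authenticated only for a third-party sender's domain receives the published disposition. The record, domains and results are constructed; the organizational-domain helper is a simplification of the Public Suffix List lookup a real receiver performs.

```python
# Added example: simplified DMARC policy lookup and alignment check (not from the article).
# Domains and the record are constructed; org_domain() is a simplification of
# the Public Suffix List lookup a real receiver performs.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # requested policy for the domain itself
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment unless 's' (strict)
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, policy_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (disposition, reason) for one message.

    policy_domain: domain the record was published for
    spf_domain:    MAIL FROM domain SPF was checked against
    dkim_domain:   d= tag of the DKIM signature that verified
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "none", "dmarc=pass"
    # No aligned authentication: apply p, or sp when From is a subdomain of the policy domain.
    policy = record["p"] if from_domain.lower() == policy_domain.lower() else record["sp"]
    return policy, "dmarc=fail"
```

The same failure verdicts are what populate the aggregate reports mentioned above, which is why a domain owner can see impersonation attempts and unsanctioned third-party senders in them.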
In today’s modern workplace, companies store more sensitive information online than ever before. But there seems to be a disconnect – although small businesses are the top target of cyberattacks, most are still not covered for lost or stolen digital assets.
Surprisingly, 65% of small businesses don’t have any funds budgeted for cybersecurity, nor plan to make funds available in the future – despite the fact that one out of three can’t go without access to critical business databases for any length of time, according to a recent survey by CyberScout. And even though small businesses lack the resources to overcome a cyberattack, 75% have no cyber liability insurance as a protective measure.
When cybercriminals breach a company database, they can get their hands on a wide variety of sensitive information – from identifying data such as social security and credit card numbers, to business data that can be used to open and access accounts, drain money and destroy credit.
Like other types of coverage, cyber liability insurance covers companies in the event of a cyberattack. As small-business owners work to recover sensitive information, this insurance covers associated expenses such as network damage, credit monitoring, lost revenue, crisis and reputation management, customer notification and investigative work. It’s certainly a small price to pay in comparison to the cost of restoring company systems – or even going out of business.
However, it’s important to keep in mind that cyber liability insurance will not prevent a cyberattack from occurring. Instead, small-business owners should incorporate cyber liability insurance into an overall cybersecurity strategy that includes prevention safeguards and an incident response plan.
Contact Evolution Capital Partners at (216) 593-0402 or use our online contact form.