Small and medium sized businesses (SMBs) are the dynamo of the US economy. What CrossKey calls “high risk SMBs” are those of you engaged in sectors such as law, healthcare, life sciences, pharma, biotech and financial services.
You are high risk because you handle the highest-value business or consumer information that cyber criminals want and, as a result, you are heavily regulated and subject to higher standards of security and privacy compliance than other SMBs.
If you are worried about cyber security or if you have already been breached, recent statistics show you are not alone and that there is much work to be done:
- 67% of SMBs have experienced a cyber attack; and 58% of those experienced a data breach
- 43% of all types of cyber attacks target SMBs
- 52% of SMBs attest to feeling helpless to defend themselves from new forms of cyber attacks
- 56% of breaches take months or longer to discover
- 71% of ransomware attacks are aimed at SMBs
- 62% of SMBs say they lack the skills in house to deal with security issues
- 53% of SMBs acknowledge that protection from cyber attack is one of their biggest priorities in the next two years
- 60% of senior SMB decision-makers admit they have no effective plan for preventing a cyber attack
- 70% of SMBs were used as an entry point to breach a larger enterprise client of the SMB
- 48% of those cases negatively impacted the SMBs' relationships with larger clients, with 22% admitting they lost the larger corporation as a client
Why SMBs are so vulnerable to cyber attack.
The types, sophistication and intensity of cyber security attacks are always increasing, against large and small companies alike.
Yet many SMBs have limited IT staff and lack dedicated cyber security professionals or sufficient budget to build a robust cyber security infrastructure. A worldwide dearth of expensive cyber security talent means using outsourced cyber security expertise is often the affordable path for SMBs.
SMBs are also less likely to conduct regular employee IT security training and education, which is vital to counter the most common forms of attacks, like phishing emails.
Many SMBs still believe they are too small to attract the attention of dedicated cyber criminals or be subjected to business-crippling ransomware. Experience proves otherwise. Ransomware, which forces payments to release your data and applications, can be quick and easy money from even the smallest companies.
Cyber criminals often target SMBs that have weaker security but are vendors to larger companies, as a route to penetrate the security of the SMB's larger client. This destroys hard-won business relationships and exposes SMBs to significant liability.
Particularly attractive to cyber criminals are businesses of any size in high risk and high value industries like: law, healthcare, life sciences, biotechnology, pharma, banking and financial services.
Finally, the ever growing range of cybersecurity threats — and the proliferation of technology, software and service providers to counter them — can be overwhelming for SMBs.
And over two thirds of SMBs in the US do not have cyber breach insurance, which can help their business survive an attack.
The consequences of data breach for SMBs.
Among the many potential consequences of a cyber attack for SMBs are:
- Lost business: can you afford to close for two or three days or weeks without warning? That’s the likely consequence of a denial-of-service (DoS) attack, resulting in frustrated customers and loss of revenue.
- Lost trust: customers rely on you to safeguard personal information they share with your company. If this information is compromised, many customers will never trust your company again.
- Lost data: many cyber attacks result in file corruption or other forms of loss of the data you need to run your business or service your customers.
- Destroyed reputation: bad press and social media about an attack can quickly ruin the reputation of a business of any size. Once lost, a good reputation is almost impossible for SMBs to recover since they lack the PR, crisis management and other resources of larger companies.
- Lost money: in the aftermath of a cyber attack you may have a lot of unexpected expenses, including the need to notify customers of the breach and replace compromised equipment and software. In heavily regulated businesses subject to regulations like HIPAA, CFPB, law firm professional rules of conduct, or the EU’s GDPR, you may face large fines and lawsuits.
- Crippled business: if you were targeted with ransomware, you may be unable to get access to your own files, data and software unless you pay off the criminals, effectively freezing your business in place and leaving it unable to service customers or clients.