While small-to-medium-sized businesses and large enterprises are exposed to many of the same security threats, SMBs face a number of additional obstacles and increased risk when it comes to securing their valuable, sensitive data and endpoints.
The reasons for this are numerous. The first is based on erroneous reasoning about the likelihood of being targets of cyberattacks.
With the overall value of small and mid-sized businesses paling in comparison to Fortune 500s and large enterprises, it’s easy for SMB management to conclude that their companies are not likely to be targeted by malicious actors. Google, Verizon, and other major players are big juicy targets with a huge potential attack surface. So the assumption is that hackers will naturally be attracted to them and will overlook SMBs.
We might think of this cybersecurity strategy as a variation on “security by obscurity.” There’s a sort of strength in numbers. Like a zebra, small businesses hope to blend into the crowd to avoid being singled out. But that principle doesn’t work when the pool of attackers is global in size and has worldwide reach. When it comes to how likely you are to be targeted by cybercriminals, most SMBs are in real danger.
Indeed, a U.S. Securities and Exchange Commission report has shown that SMBs are actually the “principal target” of most cybercrimes.
Let’s see why.
Life as the principal target
To set the stage, data breaches are widespread and increasing in severity for all businesses. But SMBs, in particular, are feeling most of the heat. According to a Ponemon Institute report, 61% of SMBs faced a data breach in 2017. That’s up 6% from the previous year.
In spite of this, when polled, small and mid-sized businesses generally indicate that endpoint security is a low priority. Only 28% of SMBs considered endpoint protection an essential security technology.
There is clearly a connection here. The likelihood that a small or mid-sized business will experience a breach is directly correlated with failure to implement security systems that could have prevented it. This lack of focus on endpoint security puts the SMB at a real disadvantage. And the situation is worsening.
To see why that is, let’s take a quick look at big businesses. Enterprise organizations tend to house mountains of sensitive, potentially lucrative data. And this data is widely sought after on black markets.
As a result, enterprises have large information security budgets and staffs dedicated to implementing and maintaining the high-security standards required to protect themselves. So, while big businesses are high-value targets, they’re also often quite well defended. They expect to be attacked — and they’re ready.
Now let’s contrast this with the typical SMB.
The resource squeeze
Small and mid-sized businesses, in contrast, tend to run lean in all areas, and that goes for the security team too. They have far fewer resources dedicated to security, and few in-house experts if any.
Often the SMB has no dedicated security staff of which to speak. Instead, an IT manager, systems administrator, or network administrator doubles as the de facto chief information security officer (CISO).
The security threat landscape is ever evolving. General IT personnel tend to focus on day-to-day system operations. There’s often no one who has the expertise or time to explore and implement evolving cybersecurity defense strategies.
Often what this means is that generalist IT staff rolls out standard anti-virus and anti-malware software. They follow the documentation, Google around, and implement best practices if and when they’re able. And throw in a few prayers that they won’t be losers in the game of data breach roulette. They don’t have the time for anything more.
But this approach is asking for trouble, as we see again and again in the news headlines.
Not surprisingly, most endpoint security systems have evolved to favor big businesses. Because they have such high value as targets, enterprise customers require endpoint security products that fit their needs. And quite honestly, that’s where the big sales are.
But smaller businesses house data that is just as valuable as what’s found in the enterprise.
This mostly leaves SMBs out in the cold. They desperately need professional security defense solutions, but they lack the security staff, budget, and resources to deploy and manage massive, complex security systems intended for the enterprise.
And so, even though the reward of hacking a small business may not be quite as high as that of a multinational corporation, small businesses are low-hanging fruit. They’re less likely to mount a good defense, and so are easier to penetrate. And that alone attracts the attention of cybercriminals the world over.
This culminates in costly, potentially devastating security events like breaches and data loss.
Because of these staffing and deployment challenges, small businesses need security offerings that fit their needs. For example, cloud-based endpoint security systems are an ideal fit for SMBs precisely because they resolve many of these staffing and resource deficits. We’ll see how below.
Getting serious about endpoint security
Now, we know that data breaches are on the rise. So too is the average financial impact of a breach. That cost of has risen 36%, from $88,000 to $120,000, in 2018.
And of course, depending on the severity of the incident, a single breach can pose an existential threat to a small business. A side effect of lacking in-house cybersecurity expertise is that 62% of SMBs tend to lack well-defined, formal security procedures, according to Vistage and Cisco.
Since SMBs face these many limitations, they need affordable, comprehensive endpoint security solutions to help them defend their users and their data. Traditionally this has meant expensive, complex systems that require a skilled security team to manage.
However, the last decade has also seen accelerated migration of many on-premise IT software systems into the cloud. This has resulted in solutions that are easier to use and deploy.
This principle holds true for cloud-based endpoint security solutions. Cloud-based systems enable SMBs to implement enterprise-grade security without an enterprise-sized staff to administer it. And so SMBs no longer have to compromise on power or features when defending their users and their data.
These systems are often designed to integrate with existing infrastructure and don’t require the resource-intensive deployment procedures often encountered with on-prem solutions.
SMBs must not overlook their endpoint security. Instead, they should adopt a strategy consisting of multiple layers of endpoint protection that integrate well and work to defend the organization’s users and data.
With the move to the cloud, modern endpoint security offerings can even be more affordable, easier to deploy, manage, and use than comparable enterprise systems.
And because they don’t rely on extensive local network infrastructure, they can easily accommodate growth as the business grows from small to medium-sized and beyond.
Ilan Paretsky is Chief Marketing Officer at Ericom Software and is responsible for the global marketing activities of the company. Prior to joining Ericom in 2005, Mr. Paretsky held various leadership positions in marketing, business development, project management, and software development in the global software and telecom industries.