Any way you look at them, the numbers are pretty sobering: according to its 2019 Identity Breach Report, the cybersecurity firm 4iQ states that targeted attacks on small businesses by cybercriminals grew at an inordinate rate in 2018, up nearly 425% from the previous year. Dig a little deeper and you’ll find that, during the same period, about 70% of all ransomware attacks targeted small businesses, with a median ransom demand of $10,310 (Beazley Breach Report 2019).
What Gets in the Way of Better Cybersecurity?
With statistics like the ones above, you would think that cybersecurity would be a top priority for every small organization, right? Instead, it’s an area that’s often overlooked. And, because it’s overlooked, these organizations are constantly under-protected, which in turn makes them the easiest targets for an attack. And so the vicious cycle continues. It’s a phenomenon that seems to defy logic, until you actually walk a mile in the shoes of someone who either owns or runs a small, growing organization. There are lots of reasons why small organizations don’t feel the need to prioritize cybersecurity. Sometimes they don’t have the money, or people they can pull from their IT staff, to devote to security; many don’t even have a full-time, dedicated IT person at all. Some organizations think they’re too small, or that what they do is too mundane, to be of any interest to a hacker. Some don’t understand the business risks and exposure that relate to network or data security. On top of all that, you can add the fact that cybersecurity is a complicated and intimidating topic for most people. Mix all this together, along with all the day-to-day issues that have to be dealt with, and you can see how cybersecurity can get relegated to the back burner.
The 2 Biggest Cybersecurity Mistakes
With all of this said, the two biggest mistakes small and mid-sized organizations make are ones rooted in mentality. They are: 1) thinking that they’re not at risk, or 2) not thinking cybersecurity is a high enough priority to do something about it.
There are times when, even after being educated on the risks and potential damage that a cyberattack can cause, decision makers will choose to hold fast to the status quo they’re comfortable with. A sign this is happening is when we hear statements like, “We’ve been in business for almost 10 years and nothing bad has happened,” or “I don’t know anyone else I’ve ever dealt with that’s been hacked.” Unfortunately, these statements couldn’t be farther from the truth. The reason it’s incredibly rare to hear about a business associate being attacked is that most small to mid-size organizations that experience a ransomware attack or a data breach work very hard to quickly and quietly make it go away. Attacks are rarely publicized, but just because no one shares that information doesn’t mean they don’t happen. Add in the 425% growth in attacks cited above and it’s not a question of “if” it will happen, but merely “when.”
Another reason it’s hard for smaller organizations to get excited about cybersecurity is that, for all intents and purposes, it’s a business expense that will never be “seen.” No one can hold it in their hand, or take it home in their paycheck, and it doesn’t directly contribute to the “bottom line.” And because its important work is done quietly in the background, an investment in cybersecurity is difficult to prioritize above others. Out of sight, out of mind. Organizations can be told about cybersecurity risks and best practices, but not being able to physically see the danger makes it seem less important. But, in reality, cybersecurity should be taken just as seriously as the physical security of your organization. Few people would be comfortable leaving their physical space and the business assets inside it under-protected the way networks often are. But, just like your office or warehouse, your network can be broken into, your network resources hijacked and your data stolen or held for ransom.
Certain organizations are especially vulnerable
Small and mid-sized organizations in financial services and healthcare, as well as smaller local governments (towns/cities/counties), are the most targeted by cybercriminals. Some of the reasons for their higher-than-average vulnerability are the same basic ones that make all small businesses a target. They experience a considerable amount of turnover, which can result in employees who are not properly trained, and they may not have strictly enforced privacy and cybersecurity policies. At the same time, the value of data that these types of organizations hold is considered nothing short of a gold mine to a cybercriminal.
Always remember that cybercrime is an extremely lucrative “business.” Cybercriminals continue to ramp up their use of automation, which enables them to cast an ever-wider net in their effort to find targets. Financial, medical, municipal and student records generate big money on the dark web for hackers who can easily harvest dozens to hundreds of thousands of records from a server in short order. In addition, if the typical ransomware attack can generate $10K of income, then even if that’s the only attack that pays off in a given day, that’s a phenomenal return on investment. So good, in fact, that it makes every organization with a connection to the Internet open to an attack.
Don’t wait until you’re attacked
Based on everything we know about how and why cybercriminals target small and mid-sized organizations, no one should be waiting for the other shoe to drop. Don’t wait to become a victim of a cyberattack before you take action. Sixty percent of small businesses fold within 6 months of a cyberattack due to lost revenue, lost customer goodwill, and large unplanned IT recovery costs. Advanced Network Systems has comprehensive, enterprise-quality security programs designed for small and mid-sized organizations. Contact us for a no-cost, no-obligation consultation to learn more.