According to Hiscox, in the UK one small business is successfully hacked every 19 seconds, with small UK businesses facing around 65,000 hacking attempts on a daily basis.
While these numbers are a current reality, they do not have to be the future. Cybersecurity has historically been seen as an abstract, complex and expensive add-on which does not directly contribute to improved business performance or growth figures, and therefore has often not been allocated much attention or budget.
However, in 2020 downtime from data breaches cost companies an estimated $1.52m worth of lost business according to IBM. Global ransomware attacks were already projected to cost $11 billion before the pandemic hit, while there is widespread evidence of the additional threat posed by opportunistic bad actors, such as the 63 percent increase in Covid-19 related cyber-attacks. The need for a change in mindset for businesses is becoming unavoidable. Robust security infrastructure and operations must be integrated holistically and proactively prioritized across business functions.
The shift in mindset
Especially in the context of today’s pandemic-driven shift towards remote working, businesses are relying on secure network access even more. SMEs count approximately 75 percent of employees as working remotely.
As IT ecosystems grow and develop, secure boundaries, traditionally set around business infrastructure like a moat with a drawbridge, are becoming more permeable. According to a Varonis data risk report into financial services for example, every employee has access to nearly 11 million files on average. Business functions and employees require various devices and equipment to operate, increasingly in remote environments, which each serve as a potential threshold for external actors to attempt to breach.
As such, increasingly complex IT infrastructure requires increasingly robust security standards. Security shouldn’t be an afterthought; it should be considered by leaders with the same level of importance as performance goals, product development initiatives and sustainability and employment objectives - if not with greater importance. Put simply, without a reliable security strategy, performance increases, product innovation and other developments are all functioning on borrowed time.
This shift in mindset needs to go beyond just acknowledging the importance of basic security standards. Yet according to McKinsey, over 70 percent of security executives predict that for the 2021 fiscal year their budgets will be reduced.
The security imperative needs to see active support from senior management to receive adequate resources and ensure that a vigilant attitude towards security is a natural part of company culture. With each employee’s device acting as a doorway, every employee must be aware of their role as a link in the chain. While larger businesses might have a greater attack surface due to greater numbers of employees and devices, small businesses can’t afford to become complacent in their approach.
The need to evolve
It’s important that business leaders remember that neither security equipment, hacking methods, networks nor businesses themselves are static. Security frameworks must evolve to cater to all moving parts.
All businesses, whether they are small, medium, large or global, are all dynamic entities, responding on a daily basis to natural shifts such as employee changes, ecosystem updates and new partner or supplier relationships. Security systems and strategies should be just as flexible to cater to these changes without dropping their level of protection; security and business leaders should be aware and abreast of such fluctuations.
Similarly, security equipment and networks are evolving too, so businesses must ensure they are up to date to avoid potential vulnerabilities. For example, in 2019, a survey group of 3,000 security professionals found that 60 percent of breaches were associated with a vulnerability that had a patch available, just not applied.
A survey conducted by Dell found that 63 percent of companies admitted that their data was possibly compromised as a result of a security breach at the hardware - or silicon - level in the last year. Looking ahead, as the roll-out of 5G capabilities increases bandwidth across connected devices, cyberattacks will likely become more common among IoT devices.
Hacking methods themselves are also evolving in line with threat actors' changing target focus - monetary funds, data, reputations, state information and more. Ransomware attacks for example increased by 485 percent in 2020 compared with 2019, and DDoS attacks grew by 154 percent.
Consequently, basic security hygiene simply isn’t enough. Renewing your passwords regularly is certainly important, however in order to evolve alongside the growing number and complexity of threats, a business’ entire approach must change. It must not only ensure that malicious actors cannot get in, teams must be able to practice threat detection and rapid response to anticipate and react to attacks before and as they happen. In short, they must be able to ensure that operations can continue as normal.
The business opportunity
Having solid security practices not only means a company is fit for business; it means a company can stay competitive and flexible. From a financial and regulatory perspective, flimsy security approaches can be fatal: Accenture found that the average cost of a malware attack on a business is $2.6 million; GDPR fines in its first year alone amounted to $63 million, and Vodafone estimated that 1.3 million UK SMEs would collapse after falling victim to an attack.
Customers too, are demanding greater commitment to security, as data becomes more and more valuable, and personal information and individual digital footprints are increasingly targeted via stakeholder interactions. Marketing Week found that 31 percent of consumers would say their experience with businesses has improved overall since GDPR has been enacted. It’s a given that happy customers are those that feel safe, and are subsequently more likely to return.
It’s also logical that being able to quickly detect and recover from attacks, as well as mitigate them as much as possible in the first place, is crucial to operational flexibility and ultimate success. In having a strong security system, companies will be able to react faster, minimize impact on the business, be that operational or financial, and stop attacks up to four times faster.
Time to act
Many SME leaders assume that cybersecurity strategies are too abstract, technical or expensive to tackle. Worse, they might assume that being small means being a less likely target for malicious actors, therefore equating to a reduced urgency to ‘get round to’ implementing. Staggeringly, over 77 percent of organizations do not have an incident response plan for cybersecurity incidents.
The fact is, security solutions can be tailored to suit the individual needs of every business, from small enterprises just starting out to larger, established corporations. While differently sized businesses have distinct cyber needs, making direct comparison of budgets and strategies unhelpful at times, SMEs have just as much of an opportunity to embrace fully integrated security solutions as large, resource-heavy corporations.
Nowadays, security technologies are advancing with end-users in mind. Components are increasingly deployed on the cloud, greatly simplifying implementation, deployment and maintenance operations. Full-service cloud networking options, like Nebula Together, are available without on-site hardware installation, and security solutions can be customized, pre-integrated and easily managed by SMEs via central consoles.
Selecting integrated, scalable and flexible solutions that can save businesses time and effort while keeping pace with modern practices and threats is key. However, this should be in addition to, rather than in place of, ongoing basic security hygiene practices, such as regular testing and patching, and password updates. It is only through embracing the right attitude and recognizing the commitments necessary towards implementing a robust security strategy that SMEs can give themselves the best chance to thrive.