In the information security space we tend to have a focus on the big guys, you know the large enterprises, government, and NGOs. So what about everyone else the small-medium size businesses (SMB) that make up a majority of economic activity in almost every country you visit. SMBs employ nearly 63% of the active workforce globally, and produce the most new jobs year after year. So what gives, why is the discussion about information security focused primarily on the large players rather than where the most economic activity happens.
Below we would like to highlight the information security challenges that SMBs face which have potential to disrupt entire economies. Perhaps this applies to your business or maybe it provides insight into the struggles one of your partner organizations faces. In either case let’s have the discussion.
The first of challenges is one of awareness. The common assumption among small business managers is that hackers only target larger targets and that they are too small to be a relevant target. However, when it comes to data, hackers do not discriminate.What’s important to hackers is not the size of the business but the data it holds. Small businesses hold financial data, client credentials, vendor credentials, customer data, etc. The types of data that SMBs hold could be valuable to the right hacker. It is for this reason that SMBs must do everything possible to protect against data breaches, because in the end that’s what cyber attackers are after, the data.
Cyber attacks on small businesses do not normally happen because they’re an intentional target but rather because their lack of security measures make them vulnerable to hacker’s automated efforts to identify and act on security vulnerabilities. Awareness of the basics of information security would prevent many attacks. This includes education about changing common passwords, removing administrative rights, rotating passwords, sensitive information policy, and keeping system updated.
Financial Capital Restraints
Another significant challenge facing SMBs is the lack of financial resources to afford either security personnel or information security software. This restraint also extends into the hardware and software that firms are using to manage data and operations. Many SMBs still use unsupported Windows XP for non resource intensive applications. The costs of OS upgrades can be very heavy for SMBs who have very restrained cash flows. Additionally with other investments considered mission-critical such as product development or marketing, security investment takes a backseat in terms of priority,
There has been discussion about bringing economies of scale to information security software within US government departments. However there have been few policies or investments towards achieving this.
For SMBs who are aware of the business threats that a lack of information security exposes them to, there are not many resources available to them. SMBs find themselves lost when trying to face more complex threats. They need support from the larger business community or from government to provide resources to ensure information security systems are in place. Measures from larger actors requiring SMBs in their supply chain to meet certain security requirements is good on their end but it does not address where and how an SMB can enhance their security.
Hackers in the past would attack SMBs by chance through automated identification of vulnerabilities. However as the case with Target has demonstrated, deliberately targeting small businesses may pay off big for cyber criminals. In the case of Target hackers acquired access to Target’s database by using credentials they acquired from an small HVAC vendor. The vendor had no idea they were the victim of a phishing attack, but found out they were the cause. With examples like this leading to successful data theft from large organizations SMBs will be subject to ever increasing attacks on their data. The most significant threats to SMBs in 2017 are: ransomware (WannaCry), social engineering, rouge insiders, weak passwords, mobile vulnerabilities, and browser based malware. These are advanced efforts that a small business may have a much harder time protecting against.
To recap, SMBs face significant hurdles to having adequate information security systems. These being lack of awareness, financial capital, resource availability, and increased threat advancements. In order for SMBs to be secure coordination needs to happen between larger actors including governments, large enterprises, and NGOs in order to achieve better security outcomes overall.
Atkinson, W. (2015, February 9). Cybersecurity challenges for small business. Retrieved from http://www.benefitspro.com/2015/02/09/cybersecurity-challenges-for-small-business?slreturn=1496535348
Federal Communications Commission. (2017). Cybersecurity for Small Business. Retrieved from https://www.fcc.gov/general/cybersecurity-small-business
Forrest, C. (2017, April 3). Report: 52% of businesses still running Windows XP, despite support ending in 2014. Retrieved from http://www.techrepublic.com/article/report-52-of-businesses-still-running-windows-xp-despite-support-ending-in-2014/
Huspeni, A. (2016). The Major Security Risks Small Businesses Face and How to Defend Against Them. Retrieved from https://www.entrepreneur.com/article/275737
Security Exchange Commission. (2015). The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses. Retrieved from https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html
Sophy, J. (2016). 43 Percent of Cyber Attacks Target Small Business. Retrieved from https://smallbiztrends.com/2016/04/cyber-attacks-target-small-business.html
World Trade Organization. (2016). World Trade Report 2016: Sme Participation in International Trade. Author.