Size Does Not Matter For Cybercrime

Most small- and medium business owners think that they are not a target for cybercrime. Well, if you think you are safe because you are just a little fish in a big pond, think again. Cybercriminals have chosen small and medium sized businesses (SMBs) as their prime attack targets. 

If you think you are safe, you really need to think again

The problem with thinking you are safe is that smaller companies have already become the preferred target for cybercrime. The reason is that many SMBs lack the expertise, budget and time to really defend their network like the big companies do. The bad guys know this too, and so SMB becomes the low hanging fruit for cybercriminals. 

Reality shows this; nearly 62% of data breaches occur at SMBs according to Verizon Communication’s yearly Data Breach Investigations Report. Often, attackers go after a small company as they are a vendor of a bigger company which is the ultimate target and the small company can act as a point of entry to penetrate the big company network. A good example was a small HVAC company that had access to the corporate Target network.

Complexity Expands Your Attack Surface 

Compared to just five years ago, most IT networks are now a lot more complex, having grown organically and things like BYOD and cloud services having been added. 

But unfortunately, very often IT security policy, procedures and awareness have not kept pace with these additions. Have a look at your own environment - are employees using their personal devices for business purposes? Do your users bring their personal Android or Apple tablets to access your intranet, or use your corporate network browse the Internet at lunch time? Is personally identifiable customer information (PII) or employee protected health information (PHI) being uploaded to the cloud? If you answered yes to any of these questions, your existing security policy and procedure is probably outdated and your attack surface exponentially expanded at the same time. 

An additional problem is that Security Awareness Training for all employees is often perceived as a luxury item or done only once a year for (PCI) compliance reasons and not budgeted for by C-level execs. However, it seems not necessary until you calculate the cost of a data breach and losing your customer information. With that number on the table, training all employees becomes a no-brainer.

The last five years, cybercrime has gone pro, and attacks on employee workstations are becoming quite sophisticated. Business owners need to start thinking think about the cyber-risks of tomorrow, today. Start with an updated corporate security policy, review and refresh your company security policies, and immediately start "new school" security awareness training. From there on down, the endpoint protection you choose should not bring workstations to their knees, should be easy to manage, and make compliance transparent. You need protection to secure your endpoints, web and email. It makes a lot of sense to do this using the defense-in-depth model. (See graph).

And for sure, your security requirements will change over time, but taking steps now before the problem becomes too big will help you stave off Eastern European cyber mafias that are trying to get an employee to open an attachment and encrypt all your company data files with ransomware.

A large amount of SMB's rely on nothing more than luck to stay off the radar of cybercrime. It's a good idea to act now so that your luck doesn’t run out. The wrong thing to do is nothing. Many IT security experts have recently said that the best bang for your security dollar is effective security awareness training. Find out how affordable this is.