The cyber intrusion headlines may focus on the Fortune 100 being hacked, but they’re not the only victims. Not by a long shot. Naturally, since 99.9 percent of all U.S. businesses have fewer than 500 employees, and few of those retain dedicated information security staff, cyber criminals find small and medium enterprises to be attractive targets. Surprising to many, however, is that foreign intelligence services also are interested in SMEs. After all, they produce 16.5 percent times more patents per employee than large patenting firms, and are far more likely to develop emerging technologies than large firms. Making matters worse, targeted attacks against SMEs appear to be increasing dramatically. Perhaps this is because, as third-party vendors, SMEs also tend to be softer targets than the larger businesses they serve. The facts bear out this hypothesis. Smaller businesses are significantly more likely to be running spyware and keystroke loggers than large companies. They also are getting hacked twice as often through brute force attacks, reflecting that SMEs are more likely to permit the use of default user credentials, easily guessable credentials, or weak credentials that cannot withstand the onslaught of an automated dictionary attack.
The good news is that SMEs can significantly reduce their cyber risk against the greatest potential harms even without a large IT budget. The first step is, and always will be, to prioritize what truly needs to be protected. Consider engaging your managers in worst-case-scenario planning. Explore real-world events that, if they happened to your business, would compromise confidentiality, integrity and/or availability of (1) your information systems, especially keeping in mind those with unique or hard-to-recreate functions such as proprietary software applications or industrial capabilities; or, (2) the information processed, stored and transmitted on your network. Would the event cause your operations, assets, or people to suffer limited, serious, or severe harm? By first evaluating the impact of a compromise without dismissing low-likelihood scenarios, you will ensure that your team remains on heightened alert to protect those specific assets should the nature of the threat increase over time. It is at this point, having identified your greatest potential losses, that you should prioritize your risks by factoring in their probability.