Q&A: How Can SMBs Keep Up with Cybersecurity Risks?
Cisco's Paul Barbosa outlines the key takeaways and surprises from the 2018 SMB Cybersecurity Report
More than half of all cyberattacks result in financial damages over $500,000, including lost revenue, customers, opportunities and out-of-pocket costs. That could be enough to put an unprepared small- to mid-sized business out of operation.
According to Cisco’s SMB Cybersecurity Report, “Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats,” 53 percent of survey respondents experienced a breach, often having lasting financial impact on a company.
For midmarket companies, 30 percent said breaches cost them less than $100,000; 20 percent said it cost between $1,000,000 and $2,499,999.
SMBs and midmarket organizations face fewer than 5,000 security alerts a day, but midmarket companies are investigating only 55.6 percent of those alerts.
SMBs are most concerned with targeted attacks against employees such as phishing (79 percent), advanced persistent threats (77 percent), ransomware (77 percent), DDoS attacks (75 percent) and the proliferation of BYOD (74 percent).
For more insight into the report’s findings, Security reached out to Paul Barbosa, Cyber Security Sales Director, U.S. Commercial, at Cisco.
Security: SMB owners and stakeholders frequently say their businesses are unlikely targets for cybercrime due to their size. The Cisco report shows that is not accurate. What steps do you recommend SMBs take to get more serious about cybersecurity?
Barbosa: Many SMBs realize they are an attractive target for cybercriminals to attack and are equally exposed to similar threats as their enterprise peers. For those businesses who haven’t made security a priority, it’s important to remember that more than half (54 percent) of all cyber-attacks result in financial damages of more than US$500,000. That amount is enough to put an unprepared small/midmarket business out of operation – permanently.
Another key issue following an attack is system downtime, which undermines productivity and profitability and is a significant issue for businesses following a cyber-attack. We learned SMBs experienced eight hours or more of system downtime due to a severe security breach in the past year. The lack of resources such as talent, tight budgets, and technologies also present an issue to respond or prevent against threats.
With these challenges in mind, we recommend SMBs:
- Drive simplification and integration in their security architecture.
- Look for quick wins; does this technology cover a wide swath of threats across multiple internal assets?
- Invest to develop internal security talent.
- Where internal talent has not developed, consider partnering with an MSSP, but ensure that MSSP is driving simplification to produce high fidelity incidents and sound remediation plans.
Security: Finding and retaining qualified staff is a challenge for every organization size; how do you recommend SMBs designate, attract and retain cybersecurity personnel? How are the requirements for an SMB cybersecurity professional different than an enterprise cybersecurity professional?
Barbosa: This challenge is not unique to SMBs. The entire industry is struggling to recruit, develop and retain security talent. SMBs should look first to internal IT resources that have knowledge of their environment and invest in security training with a qualified training provider. SMBs should also seek out local universities with a cybersecurity curriculum or degree program. They can be a great source of early-in career talent.
Security: How can outsourcing security management or technology help SMBs in particular? Are there some functions that need to stay in-house? Are there any pitfalls to outsourcing security that SMB stakeholders should be aware of?
Barbosa: Many SMBs are challenged with keeping up with the sprawl of multiple security tools, developing security practices, and having a smaller number of trained personnel to manage and respond to threats. By outsourcing security management or technology, it can help address these types of challenges, but specifically make the most of limited resources. The ownership of risk should remain internal and owned by an executive. Given the cost of a breach can be more than $500k, and potentially put an SMB out of business, executives should own primary responsibility for risk. SMBs should thoroughly investigate the MSSP’s offerings and ensure that they have capabilities beyond basic prevention. They should ask about SLAs on managing, alerting and remediation.
Security: What findings surprised you most in this report?
Barbosa: More than half of security alerts go uninvestigated. This indicates that there are too many tools that don’t integrate with each other to provide a holistic view of the current state of the threat surface. Integration and threat intelligence are keys to producing actionable incidents and providing SMBs with tools that can see more, block more, and respond quicker.
Security: If you had to select one key takeaway for SMB leaders, what would it be?
Barbosa: Companies don’t have to recreate the wheel to establish an effective security program; they can look around them, learn from others in the industry, and apply measures that will bring value in their own community. For SMBs to drive improvements in security, it’s important they recognize that incremental change is better than no change.