Sabre On Point - Small and Medium Business Cybersecurity

One of the most common misconceptions in cybersecurity is that small and medium businesses (SMBs) are at low risk of falling victim to cyberattacks. However, this has been proven not to be the case. According to the Verizon Data Breach Investigations Report, 43% of all cyberattacks in 2019 involved small business victims with fewer than 250 employees. Attackers typically don’t care about how big their target is, meaning that whether you have 20 employees or 20,000 employees, it’s vital for your business to have a strong, layered cyber defense strategy.

“Why should I care about cybersecurity? What could an attacker possibly do to my company?”

The risks to SMBs from a cyberattack are massive. The Hiscox Cyber Readiness Report states that the average cost of a cyberattack, regardless of target size, is $200,000. For any company, that’s a devastating figure, but for many smaller businesses, that cost shuts them down. Indeed, 60% of SMBs go out of business within six months of being victimized by a cyberattack. However, even if a business can afford the money, there’s more to lose.

Consumers are constantly protecting their private information, and businesses are trusted to keep customer information safe as well. If a business gets breached, then all its stored customer information is potentially at risk as well. Credit card information, email addresses, passwords, and more could all find themselves in the hands of malicious actors in the blink of an eye, tarnishing the reputation of that business. From there, customers can have the perception of, “if they got breached once, what’s to stop the same thing from happening again?” The reputational damage to a company after a breach is difficult to quantify, but nonetheless palpable.

Only 14% of small businesses are adequately prepared for a cyberattack, according to Global Consulting Firm Accenture. Being part of the other 86% could spell disaster for your company and livelihood. Luckily, the proper defensive measures are indeed achievable and investing in the proper defensive cyber controls drastically increases the probability to save your business down the line.

“How can I protect myself from cyberattacks? Where do I start?”

The key to being prepared for a cyber incident is to have a layered strategy. There are many components that can come together to provide a strong defense. Your business is like a castle and it should have a multifaceted defense that repels attackers and mitigates them if they attempt to attack your organization. Having multiple layers of cybersecurity controls is commonly referred to as defense-in-depth. Below are just a few of the most vital steps and controls you can take now to protect your business.

When it comes to prevention, one of the most essential aspects of protecting your organization from a cyberattack is implementing a Security Awareness Training program for your employees. While this step may seem strange or pointless, the fact is that the number one risk, or potential cyber defense benefit, to an organization is its people. An employee base with no training on how to spot phishing attempts, how to avoid falling victim to social engineering or password security can prove to be a strong business liability. Attackers are extremely creative. Continually training your employees on how to be smart and cyber-aware will help you protect your business from evolving attack strategies. Educating and training your employees to identify and report phishing attempts can assist your organization in determining potential threats as well as enable advanced mitigating controls such as blocking suspicious email senders, domains, or attachments.

In addition to Security Awareness Training, it’s extremely important to know your cyber environment inside and out. What devices you have, what software and versions are being used, and who has access to the organizations sensitive data are all key pieces of information to determine in the unfortunate situation of a cyber-attack. Additionally, deploying a firewall, implementing a patch management program to keep your devices and software up to date, and using access control features, such as multifactor authentication and computer auto-lock, can significantly increase the security of your devices. Policies and procedures will be unique to your organization, but to achieve the best fit, a deep understanding of your environment is essential.

After understanding your environment and its assets, research what threats may impact your organization. Every organization is unique and understanding threats such as malware, distributed denial of service (DDoS) attacks, man-in-the-middle, allows your business to prepare and plan. For example, looking at the MITRE ATT&CK Framework, which is a constantly evolving knowledge base of attacker tactics and techniques, will allow you to develop a deeper understanding of what threats are currently out there. The MITRE ATT&CK Framework is a globally recognized source for attack information and is a valuable asset for organizations of all sizes.

Once you have done the research into potential threats, you can use that knowledge to develop policies and procedures for everyday use. Plan for how to prevent a cyberattack through day-to-day activity, what to do in case an attacker gets through, and how to recover from a cyberattack. Planning for all possible stages of an attack with detailed procedures helps ensure that everyone knows their role in protecting the company and how to perform their role effectively. However, writing the policies and procedures isn’t enough— it’s just as important to review and revise them frequently. The cyber world is constantly evolving, and your business should evolve with it.