Small businesses are particularly prone to cyber-attacks.
We rationalize, “If I’m small, then I’ll be able to fly under the radar.” It’s an easy mistake to make, but cybersecurity doesn’t work that way.
For the first time, Verizon’s 2020 Data Breach Investigation Report (DBIR) records that the number of cyber incidents related to small businesses is now greater than those of large businesses.[1] That alone should give us pause and help us realize that, ultimately, size doesn’t matter. On the surface, it appears that small businesses are being increasingly targeted…a frightening proposition.
As much as we might fear foreign malicious actors purposefully targeting our small and unprotected businesses, the reality is mundane…but more actionable. Small businesses are disproportionately hit with security incidents because they lack the wherewithal to balance cost and risk—and this requires a trusted agent with whom to discern risks and options to mitigate cyber risks. Large businesses often have resources to invest in cyber defenses, train for moments of crisis, and are more aware of being in the public eye. Small businesses, however, often lack a prudent approach to mitigate cyber risk appropriate for their size. The biggest risk for many small businesses is making a profit, but a 2021 Sophos report reveals that recovering from ransomware attacks alone cost individual companies an average of $1.85 million[2]—mitigating cyber risk should be a top priority.
As a small business owner, a reasonable first step to protect your company from cyber-attack is to identify the voice you trust. At the Carolina Cyber Center, we believe that there are three reasonable and prudent ways to look for a trusted partner:
- Look for somebody who understands the broad landscape of cybersecurity risks, threats, and solutions.
Is this partner focused on, even obsessed with, pragmatic cybersecurity solutions to known/validated threats? Cyber professionals need to “see the unseen” (bad guys)–and are thus insatiably curious. The field of cybersecurity is a quickly evolving field and so it’s necessary to locate professionals who don’t lose sight of the forest for the trees.
- Require a mission mindset.
Character drives good cybersecurity. Find professionals who demonstrate a commitment to defending the community they serve, rather than simply making money. While we recognize that they, like you, need to make money to continue providing services, it should not be their only driving force. Mission matters.
- Practice your critical thinking and see past over-hyped claims.
Not everyone is who they claim to be. Your anxiety level should rise when a vendor relies on fancy clichés. Look for a straightforward discussion and a disciplined assessment tailored to your unique situation. If the service claims to have 100% risk elimination, run for the hills—risk is never eliminated, only mitigated.
Once you have identified the voice you trust, it’s time to have a conversation to assess your risks and design a prudent, unique security plan for your business. Questions to discuss may range from whether normative cyber risk or vulnerability assessments are warranted, or whether a PenTest or a proactive recovery approach is more appropriate. Topics could also include things like ongoing threat detection and response, identity and access management strategy, cloud security, insider threat programs, and social engineering training and mitigation. Make sure you find a partner that can clearly and succinctly define these (and other) techniques and create a reasonable, tailored defense approach.
Here at the Carolina Cyber Center, we realize cybersecurity is a journey toward reasonable and prudent defense and resilience. Don’t hesitate to let us know if we can be of service to you and your small business. Interested in becoming a cyber professional? Apply for a Carolina Cyber Center Academy cohort beginning this summer here and become a trained Cyber Analyst!
[1] Verizon 2021 Data Breach Investigations Report, pg. 65. https://www.verizon.com/business/resources/reports/dbir/2021/
[2] The State of Ransomware 2021, pg. 3. https://www.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf?cmp=120469
