Small Business. Soft Target
Small businesses are under attack. The UK Government’s Breaches Survey of January 2021 revealed that 38% of micro and smaller businesses had identified a breach or attack within the previous 12 months. When Covid-19 hit last year, organisations of every shape and scale were thrown into chaos. Cyber criminals were quick to exploit universal disruption as an opportunity to strike not just larger, high-profile targets, but also smaller, more susceptible victims.
So why are SMBs so prone to attacks, and how has the pandemic made matters worse?
Less Budget. Less Resource
Smaller businesses have smaller pockets. That means less budget to splash out on the best security expertise and latest technologies. With lower headcounts, SMBs are less likely to employ technical specialists to spotlight cyber security as a strategic priority or provide full-time in-house support.
When Covid-19 struck the UK in March 2019, SMBs had their hands full coping with the operational challenges of vulnerable staff, homeworking, social distancing and interrupted demand and supply. Security became just one of many conflicting business issues for under-resourced small business leaders to juggle.
New Norm. New Threat Landscape
2020 was the year when working practices were re-engineered, perhaps forever. Offices were closed, workers redeployed at home and face-to-face collaboration became unthinkable for millions of employees. In some respects, the playing field between large and small companies was levelled when kitchen tables up and down the UK were repurposed as home-offices. But, in general, bigger organisations were better prepared and resourced to meet the heightened security threats of home or hybrid working.
A 2020 BullGuard survey of 3,083 SMBs taken pre-pandemic revealed that almost one in four (23%) in the UK and US had no endpoint security in place. Meanwhile, 43% of SMBs with fewer than 50 employees lacked any cyber security defence plan. It’s easy to see why many cyber criminals saw SMBs as defenceless targets during the early days of the Covid crisis.
Poorly Prepared. Slow Response
The sudden transition to homeworking caused corporate attack surfaces to balloon like never before. Workers resorted to using corporate and personal devices for work, operating within insecure household networks and sharing more and more sensitive data online. With insider threat incidents costing an average of $7.68 million, homeworking magnified the risk of an attack with expensive consequences.
Yet 22% of SMBs lacked a cyber security threat prevention plan when they moved from premises-based to remote working last year. Without incident response and disaster recovery prepped in advance, proper security training or easy access to the right expertise, many small businesses were woefully ill-equipped to either identify breaches or take prompt and effective action.
Minding the Gap
But it’s not all bad news. First, the UK Government’s Breaches Survey of January 2021 shows that whilst 38% of SMBs suffered a breach in the 12 months to Jan 2021, this was a reduction of 8% on the previous year.
The vulnerability gap between large and small is slowly shrinking. SMBs are catching up by investing more in cloud technologies, software as a service (SaaS) and other modern resources. According to Interpol, cyber criminals may be refocusing too:
“To maximise damage and financial gain, cyber criminals are shifting their targets from individuals and small businesses to major corporations, governments and critical infrastructure…”
Despite this, small businesses need to do much more. Figures from the UK Government suggest that in the last 12 months, the proportions of SMBs with up-to-date malware protection, cyber security policies and rules for moving and storing personal data are down from the previous year.
When it comes to cyber security, many small businesses still need to think bigger.