Why Cyber Security Is So Challenging for Small and Midsize Organizations and What to Do About It

Nick Cavalancia

This is the second blog of a four-part series intended to help small and midsize organizations understand the challenges of managing technology and why they should consider outsourcing to a Managed IT Service Provider (MSP).

If you’re like most small or medium size businesses (SMBs), you’ve already experienced some kind of cyber incident that put your security to the test.  According to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, on average just under two-thirds of SMB organizations have experienced a cyberattack (66%) or a data breach (63%). It’s no longer safe to assume that cyberthreats to businesses only happen to larger organizations.  

Should you experience an attack, there are real costs to remediate any damages done. According to cyber-insurer Hiscox’s 2019 Cyber Readiness Report, even the smallest of SMBs still incur some expense:

[Image: Nick Blog Security image.png]

Source: Hiscox

With limited or no IT staff, and no in-house security specialists, it’s pretty likely that you’re unprepared. According to Hiscox, 74 percent of SMBs categorize themselves as “Cyber Novices” with no real ability to plan for or remediate an attack.

What Types of Attacks Are the Major Threats for Small and Midsize Organizations?

First off, it’s important to note that every cyberattack method that enterprise organizations experience is also used against SMBs. In fact, hackers and bad actors intentionally target smaller organizations since they are softer targets that are easier to exploit.  Here are several threat vectors (methods commonly used by cybercriminals to carry out their attacks) that you should be concerned about:

  • Phishing – One of the most prevalent attack vectors used and, according to the Ponemon report, experienced by 53% of SMBs. These attacks are email-borne and use social engineering to trick users into clicking on malicious links and attachments in an attempt to obtain user credentials or install malware.
  • Malware – Malicious code is used by attackers to allow them to gain access to your network for purposes of data theft, fraud, espionage, and even using your environment as a home base for an attack on another organization.
  • Ransomware – These attacks encrypt data and entire systems across your network, intent on holding your data for ransom. This year, ransomware has risen in frequency by 3x and now costs an average of over $36,000 per attack.
  • Insider Threats – Data theft and fraud committed by your own employees is a growing issue. For example, these insiders are responsible for 31 percent of data breaches. According to Ponemon, this threat has grown 18% over the last two years.
  • Denial of Service – Attackers can seek to temporarily or indefinitely disrupt web-based services (whether ones you host or ones you use to operate). These attacks keep the business from running.

There are plenty of other types of attacks, as well as specific techniques and methods used, but this serves as a high-level list of the threats that can materially impact your ability to stay in business.

What’s the Best Way to Secure Your Environment?

Before you attempt to identify how to best protect your business, it’s important to first outline your security goals:

  1. It needs to be comprehensive – It can’t be just one facet of security, such as installing antivirus on your computers. Attacks are becoming so sophisticated that proper security requires a layered security approach (one that addresses security from a number of directions to be able to thwart attacks). A good security program should address:
    1. Security awareness training to help staff recognize and avoid threats.
    2. Effective lifecycle and patch management for hardware and software to ensure vulnerabilities are mitigated.
    3. Endpoint security to protect against malware, exploits and insider threats.
    4. Regulatory compliance and data privacy, especially in regulated industries like healthcare and financial services.
  2. It needs to protect and prevent – You want to minimize the potential for a successful attack as much as possible. Cyberattacks today can be devastating to organizations, with 1 in 10 shutting down completely after an attack. So, prevention should be the primary focus of your security efforts. 
  3. It needs to include restoring operations – If a Managed IT Service Provider (MSP) or anyone else tells you they can 100% secure your environment, pass on them. There will always be a small percentage of attacks that make their way past defenses, infecting networks. So, you need the ability to recover any part of the network environment that may have been altered (e.g., data in a ransomware attack, your network directory in the case of a data breach, etc.).
  4. It needs to be right-sized for SMBs – There are plenty of solutions available today. But, as you know, the SMB has some specific constraints around budget, staffing, and internal expertise that may make solutions designed for enterprises too cumbersome (from more than one perspective) to utilize.

So, what kinds of security and data protection measures should you have in place?

Below are some recommendations on the kinds of solutions you should think about putting in place as part of the layered strategy mentioned previously:

  • Perimeter Security – Firewalls, application firewalls, and secure web gateways help to minimize any malicious network traffic from coming into your environment.
  • Endpoint Security – Anti-virus/Anti-malware, as well as Endpoint Detection & Response help protect desktops and laptops from becoming infected with malware.
  • User Security – Security Awareness Training educates users on proper security practices. Web and Email Scanning ensure the two biggest sources of malicious content a user interacts with are clean.
  • Identity Security – Multi-Factor Authentication (MFA) strengthens the logon process by validating that the provider of logon credentials is actually the owner of the account.
  • Environment Security – Security Information and Event Management (SIEM) solutions collect, monitor, and alert on suspicious activity from endpoints, the network, users, and more.
  • Data Security – Data Loss Prevention (DLP) ensures data that meets sensitive, critical, or otherwise valuable criteria remains within the network and can’t be sent externally.
  • Data Protection – Having comprehensive backups of your critical systems and data in the cloud is necessary to recover from ransomware attacks, data breaches, and any other attack that may alter your environment in the process.

Why Outsource Security to a Managed IT Service Provider (MSP)?

Many SMBs attempt to manage their IT environment themselves, generally with a small or part-time IT employee or a contract IT break/fix person. But, given the amount of protection truly needed by an SMB, there are several important reasons SMBs should consider outsourcing to an MSP:

  1. Staffing – Regardless of how you currently do IT, you probably don’t have the proper staffing to ensure your business is secure and risks are properly mitigated. MSPs make it their business to keep you protected daily, and to be there should a situation arise that requires remediation.
  2. Expertise – Even with someone on staff, it’s likely they lack deep expertise on how to properly secure your environment. An MSP has engineers on staff with years of experience addressing SMB cybersecurity needs, from implementation to remediation.
  3. Cost-Effectiveness – Rather than needing to pay for a full-time in-house security expert and then all the individual security management solutions, most MSPs bundle security services that address some or all of the layers mentioned above into a simple monthly payment.
  4. Updated Solutions – Security threats evolve quickly, and the tools needed to protect against them need to keep up.  The security solution you put in place two years ago may be outdated, reducing its effectiveness against ever-changing attacks. A good MSP with a security focus relentlessly evolves their offerings to stand toe-to-toe with new attack methods.
  5. Better Security – It needs to be said: by putting your trust in an MSP that focuses on security and data protection, you will have people, processes, and technology that far outshine anything you’d put in yourself, making your business less susceptible to risk, and more likely to remain operational.

How to Explore Managed Security Outsourcing Options

If you have concluded that leaving security in the hands of professionals is a better idea than attempting to do it yourself, consider the following steps:

  1. Explore how an MSP like Logically can address your security challenges.  Ask them to conduct an assessment and identify vulnerabilities and priorities.
  2. Request a free dark web scan.  Find out if your credentials have been stolen and are available on the dark web.
  3. Take a business-centric approach to security, where you and your MSP discuss your business, what’s critical to you, and then determine how to best secure it.
  4. Understand that security is much more than an insurance policy.  The increase in attack frequency and sophistication makes becoming a victim an issue of “when” and not “if”. So, when you look at costs, think of security as a necessary part of operations that will help ensure business continuity, protect your business-critical data, and help ensure your business is not in tomorrow’s headline on the latest breaches.