Is your small business at risk? The answer is most certainly yes. According to Brad Anderson, corporate vice president for Microsoft 365, of the 79 million global SMBs (representing 95% of all companies on the planet), “55% weathered cyberattacks, 52% of these breaches were caused by human error, and, in a quarter of these cases, sensitive customer data was breached. The average cyberattack will cost an American SMB $190,000. And after a ransomware attack, only one-third of SMBs can remain profitable.”
What’s worse, Anderson says these numbers “will only increase because 90% of SMBs do not currently have any data protection.”
The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses from the Ponemon Institute commissioned by Keeper Security underscores Anderson’s point. Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, says, “Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs.”
- Overall, attacks are increasing dramatically—76% of U.S. companies were attacked within the last 12 months, up from 55% in 2016.
- Attacks that rely on deception are rising—Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%) and credential theft (30%) among the most common attacks waged against SMBs globally.
- American companies are a target—82% report experiencing a cyberattack in their company’s lifetime, higher than any other region
- Data loss a common impact—69% of businesses in the U.S. reported an incident involving the loss of sensitive information about customers and employees in the past year, up from 50% in 2016.
- Low budgets—88% of U.S. respondents indicated they spend less than 20% of their overall IT budget on security
Chris Wayne, the Chief Technology Officer at Yahoo Small Business, says, “A staggering 71% of ransomware attacks targeted small businesses last year. With an average cost of $200,000, many small businesses simply don’t have the resources to withstand a cybersecurity attack once it’s already happened.”
Location, location, location
Where you live matters. According to a recently released report, Cybersecurity in the City: Where Small Businesses Are Most Vulnerable to Attack, cloud security provider Coronet, America’s top 5 Least Vulnerable Cities are:
- Salt Lake City
- Albuquerque-Santa Fe
But, you need to be extra cautious if your business is in these cities, which Coronet named America’s Most Cyber Insecure:
- Las Vegas
- New York
- Miami-Fort Lauderdale
If you experience a breach Yahoo’s Chris Wayne says it’s crucial to take “immediate actions.” Wayne suggests businesses should:
- Contact law enforcement agencies and disclose the breach.
- Contact your IT department or cyber protection provider to begin first steps on your breach response.
- Run a full investigation of the breach to determine possible origins, causes, weak spots and more. This step should be in full collaboration with your IT department or cyber protection provider.
- Once the scope of the breach is determined and the attack is controlled, notify customers about the data breach.
Prevention is key
According to Chris Wayne, “Prevention is key. The best defense is a good offense.” Bigger businesses have the infrastructure, the budgets and right personnel, like Chief Security Officers (CSO), to mount a good defense. Smaller businesses are obviously more challenged. To help SMBs be more secure, Anderson says Microsoft wants to bring the CSO to them. The company recently launched Microsoft 365 Business, which delivers enterprise-level security, plus the productivity tools of Office 365. Anderson says he believes it “offers SMBs the best possible opportunity to be secure and productive at the lowest possible cost.”
Before launching Microsoft 365 Business the company talked to their partners and hundreds of SMBs about the challenges of cybersecurity. Anderson likened the need for a CSO to having CPAs and attorneys to help businesses with accounting and legal issues. He explains in a blog post, “While many SMBs don’t have the resources to hire a CSO of their own…[you] can use Microsoft 365 Business like a CSO. [Go to] YourNewCSO to learn how to use these resources right away. No matter where you are on your security journey, the site and these eight quick (and funny?) videos will show you steps to better secure your business.”
Anderson doesn’t think small business owners are purposely ignoring the threat of cyberattacks. “Most SMBs know they need to have protection, but they don’t know where to start.”
As they were developing the product, Anderson says one of their priorities was simplification. And he adds, they can “give SMBs the same level of security and protection they offer to bigger businesses, deliver it in a way SMBs can understand, help them be compliant, and be the security team they can’t afford.”
Microsoft 365 Business, which is custom-tailored for SMBs, comes with lots of features, including anti-virus protection, automatic back up, anti-phishing and more. It also gives you the ability to separate company data from personal data, so when employees leave your company, you can wipe the business data from their devices.
The power of the cloud
“As the world moves to the cloud,” Anderson says, “there’s a lot of insight in automation.” Microsoft’s Office 365 has over 200 million monthly users and drives 30 billion authentications a day. He says, “We see every attack that happens and can learn at scale and apply that to all our customers. For instance, we can see a phishing attack on one business and apply [the fix] to all our customers in minutes.”
Anderson adds, “There are one million new pieces of malware reported daily and 50,000 identities are compromised every month [many by giving up their passwords]. We see and learn and update algorithms every day…We can pull it out of inboxes.”
Train your employees
In his blog post, Anderson writes Microsoft found “creating a culture of security is one of the biggest first steps you can take. Right now is the time to educate your employees about how to identify security threats (e.g., don’t click that suspicious link, and if you do, please let someone know).”
Employee education is key. As Yahoo’s Chris Wayne notes, “Employees often play a role in a cyberbreach or attack. Many times it is unwittingly, and these mistakes can be mitigated through proactive efforts like mandatory cybersecurity training with regularity. The landscape changes so quickly that it’s important to have semi-regular training sessions—quarterly ideally—to bring the team up-to-speed on the latest risks.
“The bad guys are innovating constantly,” add Anderson. That’s why it’s vital small business owners get proactive about protecting their companies from cyberattacks.