Cyber Security for Small Businesses

June 18, 2019 | 5 min read


All companies are vulnerable to cyber attack, but none more so than small and midsize businesses (SMBs) that are generally less well-defended and have fewer resources to make up the gap. For these reasons, they have become a favorite target of cyber criminals. In 2017, almost two-thirds of all cyber breaches targeted small businesses, up from 53% in 2016, according to the Verizon Data Breach Investigations Report.

The problem is likely to get worse given the maturation of the deep and dark web. Not only are there more tools—many stolen from elite intelligence agencies—there are more threat actors, courtesy of easy-to-use scams and fraud-as-a-service bundles that lower the barrier to entry. There is also more surface area to attack as businesses digitize, networks expand, and employees become more mobile.

Defending against these threats requires advanced capabilities. They include continuous intelligence-gathering, ongoing network monitoring, predictive analytics, a strong, modern and modular IT backbone, and a deep bench of seasoned cyber talent. Finding and funding a defense of this caliber can cost companies anywhere from several hundred thousand dollars to several hundred million annually depending on the size and complexity of their business—a tally that can strain or exhaust many IT budgets. That leaves many SMBs with a Hobson’s choice: divert significant investment resources or expose the company to the near-certainty of a damaging attack.

Fortunately, SMBs now have a better option. The steady advance of managed security service (MSS) capabilities means smaller businesses can now outsource their cyber security to an experienced third party. Instead of cobbling together their own security, they can access superior tools and integrated, round-the-clock coverage—all for a fraction of the typical build cost.

The irony for SMBs is that managing their own security can put them at risk

Organizations need to assume their firewall will be penetrated. They need to assume that encryption keys will be compromised, and they must assume that hackers will be a step ahead of them in deploying malware in their infrastructure. These factors are enough to compel some to look for outside help. But SMBs face additional challenges, among them:

  • Too many gaps: In addition, many SMBs rely on a patchwork of security defenses, such as firewalls, antivirus measures, and occasional network checks—often as a result of their still-growing and often fragmented IT environment. These uncoordinated protections leave too many openings for savvy attackers to exploit. Yet, with limited visibility into the cyber underground and only a few blunt tools and resources at their disposal, many SMBs feel ill-equipped to detect and respond to possible exposures. As a result, many businesses find out about an attack only after it has occurred.
  • Too little financial cushion: In a crowded and competitive global market, SMBs have to work harder than ever to stand out. Delivering a superior customer experience with compelling products and services takes sustained investment in critical differentiators. To fund that growth, SMBs must be ruthlessly efficient—driving out unnecessary spend, cutting back on fixed costs, and improving process performance. Diverting significant resources into important but non-differentiating capabilities, such as bolstering the company’s cyber security defenses, can derail or delay a business’s growth agenda, putting profitability at risk.

For security and peace of mind, SMBs should partner with an MSS

Companies need a coordinated approach to cyber security. Outsourcing these functions to a proven MSS can allow the organization to focus on its business, while the MSS focuses on the company’s security. By partnering with an MSS, companies gain three major benefits:

  1. State-of-the-art cyber security resources: With an MSS provider, companies have access to specialist expertise, a sophisticated suite of tools and techniques, robust computing and analytical muscle, and a deep bench of cyber talent. The combination of human intelligence—threat analysts, deep and dark web experts, data scientists and others—and machine intelligence in the form of advanced analytics and data assets, gives SMBs superior protection, allowing them to take prompt and preemptive action against a range of known and emerging vulnerabilities to protect their business.
  2. Integrated, automated, round-the-clock coverage: Unlike point solutions and manual interventions, a good MSS delivers integrated and automated cyber security protections that keep watch over a company’s systems and networks 24/7/365. The best combine several layers of defense, including advanced endpoint detection, ransomware and malware blocking, network defense, threat intelligence and real-time, remote response—backed by a modern, fully-equipped security operations center. Continuous monitoring and detection helps SMBs close the gaps in their coverage, providing needed peace of mind.
  3. Free investment resources and time. Building an appropriate level of cyber security in-house can cost an SMB $400K or more annually and will not provide the business with differentiating capabilities. Far better to partner with an MSS for whom cyber security protections are the differentiating capability, freeing the company to focus on the needs of its business. With many MSS arrangements, the typical small company pays about $10-15K per month—far less than the cost of one experienced full-time hire and a fraction of what it would cost to acquire the relevant technology and skillsets outright. In addition, since it can take the average organization anywhere from 18 months to two years to build and deploy the necessary cyber security capabilities and IT, the option of partnering with a fully-established MSS can speed results and bring much needed assurance.

***At a time of increased cyber threat activity, partnering with an MSS provider can be a game-changer for smaller businesses.

Too few IT resources:

Expecting the IT organization of a small or midsize business to keep up with the latest attacker moves isn’t realistic. For one thing, many IT departments are already over-stretched meeting the day-to-day demands of a growing business. Staying alert to external threats, patching systems regularly, filtering out the most pertinent intelligence, and anticipating what could put the business or its assets at risk requires a degree of expertise and analytical horsepower that most small businesses simply don’t have.

Related Reading