Cyberattacks on Small and Medium-sized Businesses (SMBs) continue to grow, causing damage to the individual SMBs as well as to the international business network infrastructure itself.
Why attack SMBs?
SMBs are under increasing attack for several reasons:
- They are often poorly defended because of resource constraints
- They are typically connected to other SMBs and larger organizations, providing an attack path (or ‘attack vector’) to other businesses
- There are a lot of them
Simply because of their size, SMBs are typically poorly defended: they are resource constrained and don’t have the IT and/or security expertise on staff.
A recent UK survey showed only 14% of SMBs thought that cyber security threats were of highest priority and felt that they had sufficient skills and resources in place to manage the threat. In another study commissioned by Microsoft, AMI-Partners found that of Involuntary IT Managers (non-technical staff assuming technical duties) surveyed:
- 30% thought IT management was a nuisance
- 26% did not feel qualified to manage IT
- 60% wanted to simplify their organization’s IT systems to make their management more feasible
The AMI-Partners survey was of 538 Involuntary IT Managers across 5 countries in companies of 100 employees or less. The survey also found an aggregate loss of over $24 billion due to inefficiencies stemming from the Involuntary IT Manager not performing their primary job duty.
Another reason for targeting SMBs is that their interconnectivity with other businesses can provide an attack path to larger businesses.
What to do about information security and risk management in SMBs?
That, then, is the question. The resource constraints that SMBs face aren’t going to magically disappear anytime soon. Should the government assist? Or conversely, should that security and risk management be a cost of doing business for the SMB? Should SMBs face penalties for insecure environments or poor infrastructure support practices? Will that stifle innovation?
I lean towards a hybrid solution where the SMB is responsible for knowledge and awareness of itself and its information risks, but I would like to see the government make resources available to SMBs (or support industry groups to do the same). These resources could include:
- simple guidelines and minimum configuration standards. (Some of the current policies and directives are so convoluted and difficult to read as to be impossible to implement.)
- simple asset inventory tools
- network mapping tools that assist SMBs with self-documentation
- simple penetration test tools coupled with results analysis tools
- simple risk management tools
SMBs themselves, professional organizations/networks, or governments must find a way to better educate and prepare SMBs.
- How do you think SMBs should manage their IT & Information Management systems?
- What do you do to protect your business?
- Do you actively manage information risk?
- Do you turn it over to someone else?
- How well do you understand your exposure to cyber attack and compromise?
- Do you avoid it altogether because it’s simply overwhelming?