How to Protect Small and Middle Businesses From Cyberattacks

Cybersecurity is crucial for companies of all sizes, but small and medium enterprises (SMEs) are particularly vulnerable to cyberattacks. This article discusses how these attacks impact businesses, how to mitigate these risks effectively, and how much it would cost.

Why SMEs Are at Risk

CNBC recently reported the story of Pat Bennett, an entrepreneur selling granola in Cleveland. She received a message on Instagram from a person she knew, asking her to vote for them in a contest via a link. Following that, her accounts were hijacked. The scammer demanded nearly $10,000 to return access. Bennett refused to pay and had to rebuild her online presence from scratch, which was a costly and traumatic experience for her.

She is not the only one. In September 2023, a report revealed that an astonishing 57% of small and medium-sized companies have experienced a cybersecurity breach at some point in their existence, with 31% targeted within the past 12 months alone. It appears that SMEs are more vulnerable to hackers than large companies as they lack budgets for extensive security protection.

At the same time, SMEs possess sensitive customer information, such as credit card details, which can be monetized by cybercriminals. Some of them even function as intermediaries, suppliers, or channel partners for corporations and have access to third-party systems and data.

What Attacks to Expect

What Bennett faced was phishing. In this case, scammers trick individuals into providing sensitive information by pretending to be trustworthy. These attacks often come in the form of emails, phone calls, or messages that appear to be from legitimate sources, such as banks, business partners, colleagues, friends, or relatives.

Reports show that employees of small entities face 350% more phishing and other social engineering attacks (those manipulating users to make security mistakes) compared to those at larger enterprises.

But attacks are not limited to that. Another popular type that SMEs often face is a distributed denial of service attack (DDoS). This type involves overwhelming a network, service, or website with a flood of internet traffic, rendering the service unavailable to legitimate users.

Cybercriminals use botnets — networks of infected computers — to generate this traffic. They create massive surges that SME infrastructures cannot handle, as unlike larger corporations, smaller companies don’t have dedicated servers, redundant systems, and advanced traffic monitoring tools. The severity of this threat is escalating: according to our own data, the average attack duration hit 4 hours. The longest incident lasted for 464 hours, or almost three weeks.

Another way to hinder the operations of a business is using ransomware. It involves spreading malware that encrypts a victim's data and demands payment for the decryption key. Cybercriminals use various tactics to infect victims' computers, including malicious email attachments, drive-by downloads from infected websites, and exploiting unpatched vulnerabilities on servers. According to Veeam’s report, 85% of ransomware attacks target small businesses.

The report indicates that around 80% of victims end up paying scammers to regain access to their data. But unfortunately, this doesn't guarantee a resolution: a quarter of businesses still couldn’t access it. This is often because attackers either do not provide a decryption key or send incorrect information. One of the most recent examples involved healthcare providers across the US.

They struggled to receive payments following a week-long ransomware outage at a key tech unit of UnitedHealth Group, with smaller providers running low on cash. The unit admitted that it paid hackers $22 million and still faced a data leak.

How Attacks Affect Businesses

Financial distress. A cyber attack is never pleasant, but for SMEs, bearing the costs can be particularly challenging. According to a joint report from IBM and the Ponemon Institute, businesses employing fewer than 500 people lose an average of $2.98 million per data breach, or $164 per breached record. During DDoS on websites, small businesses in general lose between $8,000 to $74,000 for every hour of downtime.

Beyond the direct cost, companies face substantial recovery expenses. Statistics show that small and medium businesses spend an average of $120,000 restoring service and managing operations during a DDoS attack. In addition, these attacks can slow down network performance, or make websites inaccessible. A third of SMEs claim that restoring services to employees, clients, or customers is their biggest burden during a DDoS.

Moreover, it may take up to a week for a small or medium enterprise to recover from DDoS, change IPs, or even host providers. During this time, the company cannot operate, and her place in the search results is automatically going down. Thus, as a result of DDoS, the firm might also lose all the time and money it has spent on SEO optimization to crawl to the first position in Google search.

Reputational damage. Trust is a crucial asset for SMEs, and a breach or DDoS can severely erode customer confidence. Not only do some of the current clients leave, but it may also become hard to acquire new ones. Approximately two-thirds of US consumers would hesitate to rely on a firm that suffered a breach with their data. While market leaders like Vans or AT&T can weather reputational damage, the same may not hold true for SMEs.

Legal and regulatory penalties.  Businesses can face penalties for non-compliance with data protection regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act. These may include fines for failing to adequately protect data, legal action in the form of class action lawsuits, and regulatory investigations into the cause and extent of a breach. GDPR violations can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher.

Among the companies that have already faced such penalties are not only giants like Meta, Amazon, TikTok, and Google but also Clearview AI, a face recognition startup founded in 2017.

Mental Impact. This one is usually overlooked. However, a report from the Royal United Services Institute highlights that incidents affecting small business owners often have a greater psychological impact due to the close intertwining of their personal and professional lives.

Entrepreneurs have reported feelings of self-blame and doubt about their business decisions and management. Some have even been left feeling suicidal.

How to Mitigate the Risks

The good news is that mitigating risks and losses is possible, even without a massive budget. Here is how to do it.

• Start by identifying your digital infrastructure, from hardware and software to data storage and network configurations. This way, you will better understand what assets you have and what needs to be protected.

• Outline a risk model. It can be simple, consisting of two elements: the likelihood and potential impact of various cyber threats on your organization. To build this model, consider historical data analysis (including past incidents within your company and industry) and feeds and reports from cybersecurity vendors. When evaluating impact, take into account the sensitivity and criticality of affected data, operational disruption, financial costs, compliance breaches, and reputational damage.

• Prepare detailed procedures for detecting, reporting, and responding to incidents, including DDoS attacks, outlining steps for containment, eradication, recovery, and post-incident analysis. Organizations like the National Institute of Standards and Technology provide resources and guidelines that can serve as a foundation for your plan.

• Think about compliance with essential regulations in advance. Develop a plan for notifying affected parties and regulatory bodies in the event of a data breach. It can be quite detailed and include templates for notification letters. You may need to work with legal experts to understand the implications of cyberattacks and implement the necessary measures.

• Consider acquiring insurance as it might cover potential damages. For small businesses, cyber liability insurance costs an average of $145 per month. Make sure your policy meets your specific needs and provides adequate coverage for you in case you face a breach of data or DDoS attacks.

  
  

With your strategy in place, proceed to solutions.

• Be strategic: rather than purchasing numerous tools, focus on understanding what you really need. For instance, if you use Mac computers at work, you likely do not need firewalls. Ask a professional consultant whether you need to equip your devices with firewalls, spam filters, or anti-DDoS solutions, and how to do that.

• Implement multi-factor authentication for all accounts to add an extra layer of security. Ideally, use encryption to protect sensitive data both in transit and at rest.

• Use anti-DDoS solutions that analyze traffic and filter malicious requests. This way, they help to protect the company from potential threats, maintaining its operability.

• Remember that threat identification is vital. You have to implement detection rules for relevant threats and tools like intrusion detection systems (IDS) and security information and event management (SIEM) systems to continuously monitor your network for suspicious activity. In addition, automated alerts can help quickly respond to potential attacks. To configure these programs, hire a pro on a temporary contract. Once this job is done, they can check and update systems once in a while (every quarter, for instance).

• Log management is also crucial, so you can monitor employee activities to detect insider threats.

• And of course, regularly audit your security measures and update all software and operating systems to guard against known vulnerabilities, including new ones in the industry. Remember that malicious actors are constantly evolving their operations and creating more sophisticated DDoS attacks that are harder to prevent and neutralize.

Very often team members are tricked by scammers who want to get access to sensitive information from the company. Therefore, you have to train your staff to protect them as well as your business. Moreover, 74% of all breaches happen because of human mistakes, such as using weak passwords. Training sessions don’t have to be expensive, but they should be engaging and interactive. For example, you can perform phishing simulations and other mock attacks to test employees' responses.

Make sure these classes are held at least once a year to keep staff up-to-date on the evolving tactics of cybercriminals. If in-house expertise is lacking, consider hiring cybersecurity consultants. Join industry groups or cybersecurity forums to stay informed about the latest threats and best practices.

As a general rule, SMEs should spend between 10% to 20% of their IT budget on cybersecurity. But if that's too much, don't worry. Taking even small steps to protect your business is far better than doing nothing at all. Every little bit helps in keeping your company safe and secure.

Feature image from Unsplash