Small and medium businesses are highly vulnerable to cyber-attacks because of lack of cyber-awareness training imparted to their employees.
Employees at small and medium businesses are vulnerable to phishing attacks via e-mails and regular cyber-security training can help such firms tackle the threat, says security firm ESET.
While bugger firms employing a large number of people have in-house cyber-security teams and awareness programmes, small and medium businesses cannot afford the best-in-class cyber-security protocols nor are they able to provide regular cyber-awareness training to their employees, says security firm ESET who recently conducted a survey on the level of cyber-awareness in SMBs.
"A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, senior security researcher at ESET. The fact that smaller firms often act as vendors or suppliers to bigger firms exposes the larger firms to phishing attacks or data breaches.
"In the last five years, we have observed a steady increase in attacks targeting businesses with less than 250 employees, with 43 percent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are at risk. It’s not just Fortune 500 companies and nation states at risk of having IP stolen–even the local laundry service is a target. In one example, an organization of 35 employees was the victim of a cyber-attack by a competitor," noted Symantec's Internet Security Threat Report published last year.
In the United States, one in every three small and medium businesses do not impart cyber-security training to employees at the moment. This has resulted in such firms becoming prime targets for hackers looking to steal confidential data which they can sell in the dark market. According to Symantec, while only 18% of all businesses targeted by phishing attacks in 2011 were small businesses employing up to 250 people, the figure rose to 43% in 2015. At the same time, the percentage of large businesses falling victim to such phishing attacks came down from 50% in 2011 to 35% in 2015.
In an interview given to The Economic Times recently, Kelly Bissell, MD of Global Accenture Security said that end-to-end cyber-security isn't present in most businesses and the reasons behind this are lack of funds available to smaller businesses, lack of skilled cyber-security talent and poor implementation of biometrics.
He added that company boards should discuss and implement tough cyber-security standards so that repeated incidents of cyber-attacks do not cause potential loss of business and financial loss. This is especially significant since the GDPR, which will take effect from next year, will impose fines of either 4% of a company's annual worldwide turnover or €20 million, whichever will be higher, if the company fails to secure confidential customer data from cyber-attacks.
Commenting on why small businesses cannot implement modern cyber-security standards due to lack of funds, Bissel said that such firms can address that by automating certain tasks that are repetitive and save funds to upskill employees dealing with cyber-security. He added that small firms are often in a rush to introduce new goods or services in the market, and as such do not pay much attention to cyber-security.
Back in April, a research conducted by Oxford Economics and commissioned by cyber security experts CGI revealed that an average of 1.8 per cent is wiped off share prices of all listed companies following cyber-attacks and data breaches. Oxford Economics examined 315 breach events with a focus on 65 'severe' and 'catastrophic' breaches that have taken place since 2013 across seven global stock exchanges. They found that the monetary loss to investors was quite severe- to the tune of at least £42bn.
According to the Payment Card Industry Security Standards Council (PCI SSC), the total costs incurred by businesses because of their failure to protect customer data may go up to £122bn from a mere £1.4bn in 2015, thanks not only due to stricter fines imposed by GDPR but also because cyber-attacks are becoming increasingly powerful and can exploit vulnerabilities easily.