How Prepared is Your SMB to Handle the Fall-Out of a Cyberattack?

January 9, 2024

Threat actors continually come at you and your employees. Here’s how to protect your business.

  • Thoughts from the experts
  • Deeper dive into SMBs' silent struggle with evolving cyber threats
  • SMBs need to watch out for phishing attacks
  • Ransomware attacks are on the rise
  • Legal, healthcare and financial regulations continue to change in North America
  • What are the steps to build an effective cybersecurity framework for SMBs?
  • Should you buy cyber insurance?

From the Experts

Businesses and organizations are constantly at risk for cyberattacks and the types of attacks keep changing. But what is surprising is that small and medium-sized businesses (SMBs) are the most vulnerable to cyber threats for various reasons, including a lack of IT staff expertise and resources, among many others.

To make matters worse, a StrongDM article featured some truly contradictory findings. Nearly half of the small businesses surveyed with fewer than 50 employees have no cybersecurity budget and 51 percent of small businesses have no cybersecurity measures in place. Additionally, 59 percent of small business owners with no cybersecurity measures believe their business is too small to be attacked.

This is concerning, to say the least.

In today’s business environment, if you haven’t already suffered from a cyber incident, unfortunately, it’s only a matter of time before your business becomes a target. Even if you have an IT person or department, they probably aren’t dedicated to security issues. Know that there are steps you may not have taken that can build stronger defenses to protect you, your customers and your trusted partners.

Deeper dive into SMBs' silent struggle with evolving cyber threats

The problem isn’t that SMBs aren’t aware of evolving cyber threats and cybercrimes. They frequently appear in the media, especially when big companies are affected. However, according to multiple surveys and studies, there’s a general lack of knowledge about everything SMBs need to defend against the threats – sufficient budgets, knowledgeable personnel, a suitable defense strategy and the right IT security infrastructure. Lacking any of these elements makes SMBs an easier potential target than larger organizations, which usually have better resources. In some cases, threat actors like to leverage SMBs to gain access to the larger organizations with whom SMBs are trusted partners.

It’s not only difficult for SMBs to prevent attacks, but also generally harder for them to deal with a successful attack because they lack resources. The absent expertise includes reputation management, dealing with regulators (and the need to know if, when and how to report an incident), and how to communicate effectively with customers, partners, suppliers – even their own employees. No wonder SMBs usually suffer the most following a cyberattack. The consequences are huge, including losing customer trust and damage to the organization’s reputation, in addition to what can be severe financial losses.

SMBs need to watch out for phishing via social engineering

These days, more often than not, cyberattacks are automated, which means they can attack hundreds and even thousands of SMB targets at once. With fewer defenses, relaxed policies, and a lack of threat awareness, along with a lack of the time and resources to prevent attacks, SMBs have become easy targets for threat actors.

Cybercriminals have become particularly adept at social engineering to target individuals within a business instead of exploiting technological vulnerabilities, although those also present considerable risks in the current threat landscape. Recent studies consistently identify phishing attacks as the top threat for SMBs. In fact, phishing attacks account for 90 percent of all security breaches faced by organizations. Over the past year, phishing attacks have increased by more than 60 percent, resulting in more than $12B – yes, billion – in business losses.

How does a phishing attack work?

Phishing involves an attacker who pretends to be a trusted contact, often posing as a reliable partner, respected company or authority, who then entices a user to click on a malicious link, download a malicious file, or provide access to sensitive information, account details or credentials. These attacks are becoming ever more sophisticated, especially when it comes to Business Email Compromise (BEC). Threat actors use phishing campaigns to steal email account passwords from high-level executives, then use those accounts to fraudulently request what seem like legitimate payments from unsuspecting employees.

Ransomware attacks are on the rise

Second to phishing are ransomware attacks. In this case, the threat actor encrypts company data so that it can’t be used or accessed and demands a ransom to unlock the data. According to Forbes, 70 percent of ransomware attacks in 2021 were directed at SMBs, including a small furniture company that was forced to pay $150,000 to resume operations. According to a report from the University of Maryland, 82 percent of all ransomware attacks are targeted towards SMBs. And once hit with a cyberattack, one in every five businesses ceases operation entirely until it is resolved. Healthcare organizations are especially at risk.

This may partly be explained by careless practices in the office, such as post-it notes with passwords stuck on a computer, which can easily put sensitive information into the hands of unauthorized people.

Legal, healthcare, and financial regulations continue to change in North America

If personal data is lost or stolen without adequate safeguards, it may result in substantial fines and loss of trust in your business. While the right safeguards and compliance are especially important to the legal, healthcare and financial sectors, every SMB in the U.S. and Canada is legally required to protect sensitive data and meet both federal and local regulations. Recent studies show that the average cost of a data breach to a small business in the U.S. can range from $120,000 to $1.24M. And because transferring services to a third party doesn’t also transfer liability, exposure to third parties can become a huge problem for SMBs in the event of an attack.

Data and customer protection regulations vary throughout North America. In the U.S., there are no nationally applicable laws governing potential security and data breaches, so federal and state regulators have established some. But it’s a patchwork, and many regulations apply based on the industry in which a business operates. For example, in June of 2023, the FTC published amendments to the Health Breach Notification Rule (HBNR) to strengthen breach notification requirements for entities that collect health information but are not necessarily organizations covered by HIPAA’s privacy or security requirements. Accordingly, FTC investigations are expected to increase in volume and scope.

In addition, a growing number of states are enacting privacy statutes or modifying existing statutes to protect and govern privacy as well as breach notification requirements. Like federal agencies, state agencies – including attorneys general – have increased the number of investigations following breach incidents, which are costly to defend and may be followed by civil penalties and potential lawsuits at additional costs.

In Canada, the key protection statutes include the Federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the collection, use and disclosure of personal information by organizations during commercial activities. The Privacy Commissioner of Canada oversees compliance with PIPEDA. Alberta, British Columbia and Quebec also have provincial laws that are deemed very similar to PIPEDA, and in many circumstances provincial law applies instead of federal law. However, when more than one law applies, SMBs must comply with both when private information disclosure crosses local borders.

What are the steps to build an effective cybersecurity framework for SMBs?

While all of these attacks and the potential consequences can seem intimidating, understanding the basics of how cybercriminals behave along with your potential vulnerabilities is the way to plan your defense against cyber threats. In other words, it’s time to act as if your business will become the victim of an attack – and knowledge is power.

First, put cybersecurity at the top of your management meeting agendas. Surveillance requires that your senior team be immediately notified of any cyber threats, and oversee cybersecurity defenses. Another critical aspect is to have a plan in place for the worst-case scenario in the event that you do become the victim of an attack.

Next, assess the risk for your business. If you don’t yet have IT security support, there are ways to protect your data and operations. These include:

  • Securing all payment processing by working with your banks and card processors to use the most trusted and updated customer data protection tools
  • Ensuring all software patches are applied as soon as they become available
  • Controlling access to your business computers, employee laptops and mobile devices
  • Making sure administrative privileges are only given to trusted IT staff or personnel
  • Conducting access audits to prevent former employees from acquiring sensitive data
  • Backing up data on a regular basis on all of your computers in the event of an attack
  • Auditing the data and information you’ve stored in the cloud (Dropbox, Google Drive, Box, Microsoft Services, etc.) and appointing administrators to give employees access to only the information they need
  • Providing regular training to your entire staff on cybersecurity and best practices, including what to watch for with email, using separate passwords for each account and adding multi-factor authentication to safeguard access to accounts

The U.S. Small Business Administration lists helpful steps to take with associated links to resources that can help you protect your security, some of which are free.

Should you buy cyber insurance?

Undoubtedly, the financial fallout from a cyberattack can be extremely expensive. Reports vary, but one from February 2023 cites that SMBs will pay between $826 and $653,527 following a single incident. However, that doesn’t include what the eventual loss of business and reputation ends up costing a small or medium-sized business. The same report cited that only 17 percent of small businesses have this type of insurance and that 48 percent of companies purchase cyber insurance after an attack.

Today, more SMBs are considering adding cyber liability insurance to help protect their risk. At the very least, adding this insurance enables you to comply with regulations that require a business to notify customers when their personally identifiable information is involved in a breach. Preparing and qualifying for a cyber insurance risk policy takes time as it involves insurance questionnaires and calls with risk analysts. An insurance carrier may also require you to choose from their panel of providers. But according to Insureon, the average cost of cyber liability insurance for small businesses is about $145/month. Of course, the actual cost will depend on your industry, what your business does and the types of customer data you handle.

Therefore, it’s imperative to have adequate cybersecurity measures to defend against and mitigate the impact of a cyberattack before you apply for cyber insurance. Insurers are understandably reluctant to underwrite a customer that doesn’t have these measures, and insurance is not a substitute for robust security infrastructure and management. Cyber insurance typically doesn’t include coverage for damaged equipment or cyberattacks on third parties with whom your organization collaborates.

Get professional support from a trusted security expert

This advice helps you better understand cybersecurity risks, preventive steps, and the importance of cyber insurance. However, many SMBs lack the resources to handle their own security. That’s why it is crucial to find a reliable partner who is familiar with your industry and understands your pain points and specific needs. Such a partner can provide professional advice and technical know-how for an affordable solution tailored to your needs.

Konica Minolta fully understands the threat environment and offers more than 20 years of experience helping SMBs with their security needs. We offer an impressive pool of IT expertise, from cybersecurity and networking to fully managed print solutions, Intelligent Video solutions, and the latest highly secure cloud solutions for the full backup and peace of mind you need.

Our team will help you determine your security requirements to find the right solutions for your budget and needs based on informed decision-making and full consideration of ROI for your business. And because these needs will continue to evolve and grow with your business, our services also include ongoing evaluation and review to ensure your security is up to date.

For more information, please visit our IT security website.

Konica Minolta

Konica Minolta aims to partner with clients to Give Shape to Ideas by supporting their digital transformation through its expansive Intelligent Connected Workplace portfolio. Its business technology offerings include IT Services, intelligent information management, video security solutions and managed print services, as well as office technology and industrial and commercial print solutions.