When cyberattacks make the news, the coverage usually focuses on large organizations, like Colonial Pipeline, Accenture, or JBS, the largest meatpacking company in the world. So midsize companies don't have as much to worry about, right? If only that were true. Cyber threats are on the rise, and organizations big, small, and midsize must find ways to combat the growing risk and cost of these attacks.
Cybersecurity threats increasing
The number of global ransomware attacks against businesses of every size rose 151% in the first half of 2021, according to SonicWall research. And in the U.S., the 2021 Verizon Data Breach Investigations Report found that ransomware was responsible for 30% of all cyberattacks in 2020, a number that’s probably even higher because many ransomware incidents go unreported. Organizations don't want to highlight any security vulnerabilities that affect their customers, patients, or investors.
Although the risk may not always make the news, it’s still there. The FBI warns that there are 100 strains of ransomware currently circling the globe. With ransomware payouts often in the millions, ransomware stands as a profitable crime – one likely to continue.
Costs from threats are complex and escalating
When companies are hit by ransomware attacks, they lose out financially, whether they pay the attacker or not. No matter how quickly an organization responds, it still experiences downtime, which results in lost revenue and customers. Organizations may face penalties for failed contract obligations and governmental fines for noncompliance. Then, they may have to fight civil suits and try to repair a damaged reputation. Next, they need to recover the data lost and invest in more robust security infrastructure.
If the company pays a ransom, that quickly raises the debt and doesn’t address the security vulnerabilities the organization has in the first place. And, if the company doesn't pay and the attacker does not provide access to the ransomed data, the company faces a long period of rebuilding and recovering their information.
Add in the cost of ransomware incidents, which Cybersecurity Ventures predicts will exceed $265 billion by 2031, and it’s clear that all companies, no matter what size, must take cybersecurity seriously.
SMBs concerned, but not prepared to respond
While most companies are concerned about the security of their data, many need to do more. In our recent report, we found that midsize companies are feeling more vulnerable to attacks than in the past. The biggest threats were email fraud (53%), phishing (47%), cyberattacks (45%), and ransomware (35%). As a result of the increase in threats, only 11% of IT leaders surveyed feel more confident in their cybersecurity protection than 18 months ago.
Interestingly, despite the concern about attacks, only 35% completed a cyber risk assessment in the last year. This comes even though 60% of the respondents said they had a known breach or attack within that time.
Of the organizations that did suffer an attack, one in four responded that they lost customers and 31% indicated a loss of daily operations and productivity. Making matters worse, nearly 20% of midsize organizations said that it took between one and six months to fully recover their business with another 12% taking even longer.
How to minimize risk
To proactively protect customers, patients, data, and intellectual property from threats, midsize companies must go beyond basic security processes or government requirements to ensure the security of their IT infrastructure. Effective safeguards hinge on the following: Have the right technology to implement the policies needed; quickly assess the threat and understand its impact on the business; and have the right group of experts providing cross-industry experiences to guide the process.
As companies work to improve their cybersecurity, they should consider these five steps:
Despite best efforts, no measures are 100% effective at stopping all cybersecurity threats. Also, cybersecurity isn’t a one-and-done situation. Stay vigilant in defending customers, employees, and data. Ransomware and other threats constantly evolve, so SMBs need to ensure their cybersecurity takes all of this into account.
Patrick Hayes, chief information security officer, UncommonX