Earlier this year, the AppRiver Cyberthreat Index for Business took the pulse of cybersecurity readiness among small and medium-sized businesses.
AppRiver, which is owned by my company, Zix, surveyed 1,059 decision makers, including CEOs, presidents, owners and others, who seemed to indicate that leadership takes cyberthreats seriously. A 58% majority felt that data breaches have become more detrimental than traditional disasters, such as break-ins, fires or floods.
Data breaches are on the rise, and they’re becoming more expensive as companies collect and store an increasing amount of data. According to Accenture and Ponemon Institute, breaches could cost a total of $5.2 trillion over the next five years, and companies suffer an average loss of $13 million for each cyberattack. That price tag is high enough to close the doors of 48% of small businesses.
The fact that 90% of small businesses ignore data protection entirely is an indication that they are either small enough to work completely within secure, cloud-based apps or that they don't understand the risks. To count yourself among the 10% that takes strong precautions, follow these three steps:
1. Evaluate your needs and assess your budget.
Establishing a budget is a foundational part of the defense against cyberthreats. Between cloud-based email services and managed network access, you should look at allocating several hundred dollars per employee per year.
Executive leadership is often one of the biggest obstacles to establishing a budget, especially in larger organizations with siloed departments. However, even at the enterprise level, setting aside the resources necessary to protect against cyberthreats is key.
Executives at Equifax may have thought their cybersecurity spend was sufficient to protect against a breach, but clearly, it was not. Spending money doesn’t guarantee complete protection, but it does establish a baseline from which you can decide what protection you can afford.
2. Address gaps in cybersecurity information.
The entire C-suite needs at least some knowledge of cybersecurity basics. Too often, cybersecurity responsibility is delegated solely to the CIO, but that means the rest of the organization operates with almost complete ignorance. To be effective, leaders should understand the basic risks and how to mitigate them. Making case studies out of well-known lapses (such as the Equifax breach) is a good way to provide a basic overview of cybersecurity and communicate what’s at stake.
Just because an organization spends money doesn’t mean it effectively mitigates risk. For example, spending a fortune training employees to spot phishing attempts might reduce the chance of a breach, but a more efficient expenditure could be stopping the phishing attempts from ever reaching inboxes. Once you have a budget and the right expertise, you can decide how to use it most effectively.
3. Acquire or access the right cybersecurity talent.
Thanks in part to the well-documented skills gap in the tech world, hiring cybersecurity experts internally is cost-prohibitive for most small and medium-sized businesses. For those that can afford it, building a team internally might be the right move. Otherwise, outsourcing cybersecurity needs to a managed service provider (MSP) can be a cost-effective decision.
In fact, we estimate that there are more than 100,000 MSPs across the United States that can serve as a new civil defense force for cybersecurity, one that could help bridge the gap between governments or enterprises and the SMBs that need higher levels of protection they can't afford on their own.
The right MSP offers several advantages to clients. First, cloud computing allows organizations to mitigate the risks of storing data on-premises while eliminating expensive and often irregular hardware purchases. Instead, businesses that choose cloud computing operate with a fixed cost that allows for easy scaling as the needs of the organization grow. In addition, MSPs can keep applications updated to the most secure versions and intervene at the earliest signs of a cyberthreat so that it doesn’t result in a costly breach.
Organizations need to determine whether they have the breadth of knowledge necessary to protect themselves or whether they can acquire the right internal expertise. If the answer to both is "no," outsourcing to an MSP is the right move. Most small and medium-sized businesses won’t recover from a data breach, and those that do will have to overcome severe setbacks. Regardless of company size or budget, the best way to deal with cybersecurity risks is to establish a strong defense against them.