COVID-19 saw an unprecedented number of companies move online for the first time. However, the pandemic also strained budgets, exposed serious gaps in tech skills, and highlighted the fact that many businesses are unprepared to meet the modern demands of cybersecurity.
In pre-pandemic times, data privacy and insurance against cyberattacks were more prominent in high-risk industries like healthcare, finance or information technology (IT), but the boom in online business means that is no longer the case.
Different sectors adapted quickly. Many companies embraced remote work, started e-commerce operations, and transitioned their daily duties online. Unfortunately, in that rush, security was not the top priority for many small businesses trying to stay afloat.
Over the past two years, attacks on small and mid-sized companies have increased by 150%, while also growing in sophistication. Many businesses have not kept pace, and that lack of knowledge has left them vulnerable.
Small businesses are more likely to be targeted by cyberattacks
For smaller companies, the problem stems from a lack of assets and expertise. Small and medium-sized businesses usually don't have dedicated cybersecurity experts to keep their systems secure. In fact, less than 10% of companies with fewer than 50 employees have dedicated financial resources for cybersecurity.
As a result, developing a secure online presence can be challenging, since it often requires expensive tools and well-trained professionals.
The rise of remote work has also given huge numbers of personal devices (mobiles, tablets and laptops) access to sensitive information. Unfortunately, many employers do not require regular scans of employees' phones and laptops for malware and other vulnerabilities, if they require scans at all. Plus, few small businesses can afford to provide access to secure working VPNs or password management software, while home Wi-Fi networks are often prone to attacks.
Simply put, the remote working environment does not offer the level of protection businesses need to operate safely. Cybercriminals commonly exploit gaps in data protection with ransomware, threatening to leak private data or denying access to vital computer files until the ransom is paid.
Recent, high-profile examples include malware like TeslaCrypt or CryptoWall, which encrypt sensitive data and demand payment in cryptocurrency in return. All of this points to the idea that cyberattacks are becoming more sophisticated. Social engineering, machine learning malware, and other complex attacks became much more common, reaching 35% of all security breaches during the pandemic.
Since these kinds of attacks require a custom response from security experts, small and medium online businesses quickly became easy targets during the pandemic.
Cybersecurity in a post-COVID world
Though the pandemic has come to an end, small and mid-sized businesses are more vulnerable to data breaches now than in 2019 because the same remote-working habits from the lockdown remain in practice to this day. The expanded use of unsecured networks and cloud solutions leaves more room for malicious attacks. If the current pace continues, it is predicted that small businesses could be attacked between 56,000 and 86,000 times in 2022.
When the pandemic hit, companies of all sizes focused on survival. So, it is natural that among small and medium-sized businesses, employee computer literacy and online safety training were not prioritized. In fact, cybersecurity ranks among the lowest priorities for small businesses even as we move out of the pandemic.
Building data privacy and cybersecurity strategy from scratch
Losing customers is one thing, but the potential damages of a cyberattack could bankrupt a small business. Hefty payouts, lawsuits and criminal investigations are all common outcomes too. So, the best prevention is to work to bolster cybersecurity before an attack occurs.
- Understand what sensitive information the organization holds, where it is stored, and the ways of accessing it.
- Keep up with cybersecurity trends. Consider every scenario and set up preventative measures for the most common attacks: malware, ransomware, social engineering and distributed denial-of-service (DDoS). Small business security leaders need to be able to recognize different types of attacks, understand the consequences of each, and know how to respond once a cyberattack or data breach occurs.
- Conduct a pre-purchase evaluation. All cyber tools have to be vetted and evaluated. For example, what is the supplier's stance towards security, are the company and its products certified (ISO, SOC 2), and can the business be affected by third-party suppliers?
- Outsource experts. Having someone in-house full-time is ideal for a risk mitigation position; however, that's not an option for most small businesses. Small business leaders may hire a consultant to evaluate cyber posture and create an incident response plan.
- Make use of available security tools. Start with updating all devices and software to the latest version, then enable two-factor authentication (2FA) where possible. Remember to use a password manager and control who has access to sensitive data.
No matter the size of the company, cybersecurity and data privacy are two of the most pressing issues faced by every business today. The difference is that large businesses and enterprises will almost always have the assets to weather the storm.
It's no surprise that small and mid-sized businesses were hit the hardest during the pandemic, and the ones that did make it through now face a renewed threat to their operational survival in the form of cybersecurity risk.
As small and midsize businesses grow, they become an increasingly valuable target for cybercrime. Now is the time to invest in cybersecurity to protect small businesses and user data.