The State of SMB Cybersecurity in 2020

Happy 2020! As we embark on a new year, we predict a key trend among SMBs will be a focus on cybersecurity. For one, we expect small businesses to invest more in cybersecurity than ever before. A recent report found that SMBs plan to increase cybersecurity budgets this year, and for good reason.

According to Accenture, cybersecurity attacks on SMBs are on the rise: more than half suffered a data breach in the last year, and the majority of those that do will be out of business within six months. Data security has never been more important for SMBs, as their limited budgets, stretched workforces and unique challenges make them prime targets for hackers. As such, more SMBs are looking to outsource their security to external cybersecurity providers. Here's what your business needs to know about cybersecurity priorities and maximizing your provider relationship as we move into the new year.

1) Education is key. Consider a people-first approach to cybersecurity.

Your staff can be your greatest defense against attacks, but they can also be your weakest link. Training your staff on basic cybersecurity concepts can help ensure a better defense for your business and turn your people into a strength rather than a weakness.

In our experience, there are a few best practices to follow when setting up an effective training program:

  • Keep in mind that cybersecurity is everyone’s responsibility when planning and scheduling the course content. It should involve everyone at your firm, from your front-line customer service reps to your leadership team.

  • Train early and often, as security threats will continue to evolve over time.

  • Make the training holistic and impactful. Help your employees make a connection between the unique risks they face in their role and the impact this could have on their job and the company’s operations.

  • Make the training enjoyable. Engaging content and a fun presentation will improve recall and retention of the training topics.

We recognize that it can be a bit daunting to establish an effective cybersecurity training program. What concepts and best practices do you teach? How do you deliver it in a way that resonates with your staff and ensures adherence? There are plenty of resources available to help you get started. Check out this post we did on five cybersecurity training tips your employees should know. Forbes also just published a piece on preparing your employees for today’s biggest cybersecurity threats.

If you seek a third-party trainer, look for a vendor that prioritizes relationships and focuses not just on technology but on the people using the technology.

2) Know the signs.

Phishing. Spoofing. Malware. Oh my! The size and frequency of cyberattacks continue to grow, especially among SMBs that operate with limited cybersecurity resources. Hackers know this all too well, but 2020 is your year to fight back. To start, make sure you understand the most common risks facing your business. Phishing, for example, is a popular tactic among hackers seeking to obtain financial or other confidential information from your firm. Hackers may pose as trustworthy individuals and send fraudulent emails to manipulate your staff and solicit access or information.

To combat this risk, know some of the common signs of a phishing email and educate your staff on what to look for. Common messages may be about reporting suspicious activity, sharing a fake bill or invoice, asking for a payment, or offering a coupon.

One effective solution is to provide cyber-simulations to your team. This Phishing.org site has a library of phishing examples, including emails, attachments, social media exploits, and CEO fraud scams. Use simulations or “tests” with your staff and ask them to click or not click, depending on how safe they think the message is. Follow this up with training and resources so they’ll be armed to not click next time.

As early as possible in 2020, you should also make sure your business has the right security software installed to mitigate some of these common risks. This includes an up-to-date antivirus program that is installed on all systems, including mobile devices. Another good practice is to enable multi-factor authentication on your accounts. And, of course, always back up your data and information. This will help you recover your information and reduce downtime in the event an attack does occur.

3) Reevaluate your risk profile.

Your business will present different risk factors than the business next door. To some extent, these risk factors may also vary by industry. The risks facing a small law firm, for example, will not necessarily be the same risks facing a retail store or, say, a medical office. In 2020, resolve to uncover these risks and mitigate the unique threats you face.

For your business, this might include digital assets, PII, customer or employee records, intellectual property, financial information, or general business communications. There are also plenty of less typical risk factors, such as vendor risks from point-of-sale providers and payment processors. Many businesses hire an outside expert to help uncover these issues and create a robust mitigation plan.

If you do work with a third-party vendor to assess your risk profile, be prepared to think about or ask a few key questions about your business, including: Where are we now? Where will we be next year? And what do we need to do to get there?

While the new year is an opportune moment to evaluate your risk profile, plan to do so at least once every year. Assessing your IT security posture is an important ongoing activity and should be a priority among the decision makers at your business. For more on how to establish a proper budget for cybersecurity measures, please see this post on how to incorporate an assessment into your annual or quarterly budget planning process.

4) Hope for the best, prepare for the worst.

In 2020, keep this unfortunate-but-true sentiment in mind: It's not if, but when, you will suffer an attack at your business. Unfortunately, SMBs often fall short here. While the majority of small businesses rank IT security as a high priority, one study found that one-third of them dedicate less than $1,000 of their budget to cybersecurity. Even fewer SMBs have a dedicated cybersecurity staff member.

Take steps now to ensure your company is prepared in the event of a breach. You can’t call the Ghostbusters, so who you gonna call? What communications need to go out, both internally and externally? Remember, just as important as what you do following a breach is what you say. In the wake of an attack, how can you retain customer trust and limit the reputational damage?

A key part of this process is to establish a regular or automatic backup plan to avoid data loss in the event of a breach. This might include everything from basic Word documents to large databases to financial or human resources files. Consider partnering with a qualified vendor to create a customized backup plan that will help you get up and running as quickly as possible in the event your data is deleted or compromised. Customization is key, as you need a plan that suits your firm’s unique requirements or regulations for uptime and recoverability. As we mentioned above, seek a people-first vendor that can also assist you with a stakeholder communication strategy to preserve your hard-won customers and reputation.

5) Close security gaps.

As we plan for the new year, the last thing to keep in mind is the rest of it! Cybersecurity is a constantly changing, amorphous beast. Threats, entry points, and the sophistication of hackers will evolve every day. Be sure to consider ways to continually improve your security posture, throughout 2020 and beyond.

We do have some good news for your business on this front. Given your smaller size, your firm actually has a greater ability (versus large corporations) to be nimble and quickly respond and adapt to these evolving threats. When it comes to closing security gaps and planning ahead, SMBs have the advantage.

Think about how to improve all facets of your IT environment this year, including desktop and mobile security, internet security, and infrastructure security. Think about low-hanging fruit: What affordable tools could you implement in the first quarter, such as a password manager or multi-factor authentication? What other more robust monitoring services could you implement by mid-year? What will it take you to get there? These are all important questions to ask today, so that you can protect your small business tomorrow.

We wish your business growth and success in the new year. Make 2020 the year of cybersecurity to protect your operations, preserve your reputation, and remain a competitive force in the year ahead. We hope you consider our team at N8 Solutions as a resource for all of your cybersecurity questions and needs.

Please get in touch with us anytime to make sure your business is ready for 2020 and beyond.