Small and midsize businesses (SMBs) are estimated to have spent $57 billion on cybersecurity in 2020 alone, a figure that is expected to hit $90 billion in 2025. But a staggering one in three companies in this range are using subpar cybersecurity tools or none at all. Furthermore, the same research by the consultancy firm Analysys Mason indicates that one in five companies have no endpoint security at all, while 43% don’t have a cybersecurity defense strategy in place.
A survey carried out by insurance provider Hiscox revealed that small businesses in the US had lost $25 thousand per incident on average, an alarming figure given that 23% of surveyed companies have suffered an attack in the last 12 months. Additionally, 83% of SMBs have no funds put aside to deal with the aftermath of a cyberattack, and one in six attacked companies says the incident threatened their very survival.
To counter the threats, some businesses opt for cyber insurance, which covers the expenses if the insured business suffers a cyberattack. The numbers reflect that too – according to Global Data, the global market for the cyber insurance industry will more than double by 2025 to exceed $20 billion.
However, cyber liability insurance is not a replacement for having a comprehensive cybersecurity strategy in place, says Algirdas Sakys, Information Security Manager at NordVPN Teams:
“For small businesses, preventive cybersecurity measures like making periodic backups, using a network-wide firewall, managing network access privileges, or simply providing basic cybersecurity training for personnel should be a no-brainer,” commented Mr. Sakys. “Regrettably, too many companies underestimate existing cyberthreats and pay a steep price for it. Sure, cyber insurance might soften the blow but counting on that while putting their entire businesses in jeopardy is not a sustainable long-term strategy.”
According to the expert, SMBs overestimate the money-saving benefits of cyber insurance. Those hoping to save money by neglecting cybersecurity and relying on an insurance policy instead will not get what they bargained for.
“Don’t get me wrong – having a cyber insurance policy is better than not having it,” added the NordVPN Teams expert. “But companies hoping to save by underinvesting in cybersecurity only to hedge it with insurance won’t get what they desire. In reality, the weaker the cybersecurity framework is, the costlier the insurance. There is no way around the fact that every company needs robust cybersecurity protocols in place.”
The SMB cyberthreat landscape
According to ENISA, the European Union Agency for Cybersecurity, the five most common cyber incidents suffered by SMBs are phishing, web-based attacks, general malware, malicious insiders, and denial of service.
The pandemic-driven shift to remote work has made small businesses more vulnerable to these threats.
“The rush in which SMBs had to adapt to remote work certainly left many cybersecurity blind spots unchecked,” the cybersecurity specialist continued. “Now, we see a steady upsurge in small businesses investing in the protection of their digital assets, but too many organizations remain in the red zone when it comes to cybersecurity.”
For SMBs to mitigate the risks posed by cyberthreats, adds Mr. Sakys, they need to be aware of three main cybersecurity verticals: people, process, and technology.
Each of these fundamental areas has an extensive list of components, but addressing at least the core items in each category would substantially reduce the risk of a successful cyberattack:
- People. Management needs to make staff aware of possible threats and safe online practices.
- Process. A basic incident response plan and a mechanism that ensures critical security patches are deployed promptly should be in place.
- Technology. A company must protect its network with firewalls, antivirus software, and traffic encryption software such as a VPN, and make regular backups of critical data.