Let's Be Honest About SMB Cybersecurity Risks
Robert Siciliano
#1 Best Selling Author Cyber Security Speaker Architect of CSI Protection Cert Cyber Social Identity Personal Protection
There is a disconnect between the reality of small- and mid-sized business (SMB) cybersecurity risks, the way SMBs think about them and the services that cyber security companies offer. This disconnect is most obvious for law firms and real estate agencies that may have office WiFi, or even a cloud-based server, but that lack central IT and cybersecurity support.
Everyone at the firm or agency has their own laptop. They likely use their own devices for work at home. They use their own phones at all hours of the day to conduct business. If this describes your SMB, then this cybersecurity guidance is for you.
Let's start by dispelling the biggest SMB cybersecurity myth:
SMBs Face Lower Cybersecurity Risks
You run a small firm or agency. You have no custom code or central client database loaded with credit cards or passwords for criminals to steal. No one would bother to target you.
This is at once true and untrue, and this is the largest source of the disconnect between SMBs and cybersecurity firms. The attacks that make headlines involve the theft of tens of thousands of customer records, or disrupt operations that impact thousands of customers. It is true that the cyber criminals and state-sponsored attackers who commit these crimes are very unlikely to target a single-office law firm or a Main Street real estate agency.
But those crimes are just the tip of the iceberg. The most recent report from the Anti-Phishing Working Group (APWG) documented 1,270,883 phishing attacks in the third quarter of 2022, the third quarter in a row to see a record number of these attacks. The report also revealed that U.S. businesses are the most frequently targeted by ransomware attacks and are nearly five times more likely to report one, accounting for 39% of all attacks reported. England and France tied for the second-most targeted, with 5% of ransomware attacks each.
Legal services accounted for 5% of ransomware attacks in the third quarter of 2022. These attacks happen because the majority of criminals are simply trolling for easy targets. If you have a website, a LinkedIn presence, or a social media profile that identifies what you do, you are a target.
IT Providers Protect Online Systems
A firewall is not sufficient cyber security, and even the best protection can fall to a basic phishing attack. Law firms, real estate appraisers, small insurance agencies and real estate professionals are uniquely vulnerable to phishing because employees deal directly with a large number of clients on an irregular schedule. Opening attachments, handling sensitive information and responding to emails are all part of the job. Amid a flood of emails, it is easy to click the wrong link or respond to the wrong address. Criminals know this, and low-level cyber criminals target small firms and agencies looking for vulnerabilities.
Your IT provider may do a good job of keeping your systems running, protected and patched, but they likely do not provide ongoing anti-phishing training and simulated attacks that improve awareness. Without regular training and reinforcement, you are vulnerable to an attack.
Technical controls also do little to prevent Business Email Compromise (BEC) attacks, in which criminals impersonate your employees or clients, typically from a lookalike domain or a free webmail address, to redirect a payment or steal money. Vigilance is the main defense: confirm any request to wire funds or change bank details by calling a phone number you already have on file, never one taken from the email itself.
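The three impersonation patterns described above (a trusted person's name on an outside address, a lookalike sender domain, and a Reply-To that quietly diverts replies elsewhere) can be triaged automatically before a human decides whether to act on a message. The following is an added example, not code from the article or from Protect Now; the firm domain, client domain, staff roster and the three sample messages are all constructed for illustration.

```python
"""Heuristic Business Email Compromise (BEC) triage for a small firm's mailbox.

Added example. The domains, people and messages below are hypothetical
and constructed for illustration; they are not from the original article.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: the firm's own domain plus a client's domain.
TRUSTED_DOMAINS = {"exampleagency.com", "clientfirm.com"}
# Hypothetical roster: display name -> domain that person legitimately mails from.
KNOWN_PEOPLE = {"Jane Doe": "exampleagency.com", "Mike Chan": "clientfirm.com"}

# Characters attackers swap for visually similar ones in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'exarnple' and 'example' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    n = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        if n == t or edit_distance(n, t) <= 1:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze(raw_message: str):
    """Return a list of (code, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. A known colleague's or client's name on an address outside their real domain.
    if name in KNOWN_PEOPLE and from_domain != KNOWN_PEOPLE[name]:
        findings.append(("display-name", f"'{name}' sent from {from_domain}, expected {KNOWN_PEOPLE[name]}"))

    # 2. Sender domain is a near-copy of a domain the firm trusts.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-domain", f"{from_domain} imitates {imitated}"))

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain} but Reply-To {domain_of(reply_addr)}"))

    return findings


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
SAMPLE_LEGIT = 'From: "Jane Doe" <jane@exampleagency.com>\nSubject: Closing docs\n\nAttached.\n'
SAMPLE_SPOOFED_NAME = 'From: "Jane Doe" <jane.doe@gmail.com>\nSubject: Urgent wire\n\nPlease send today.\n'
SAMPLE_LOOKALIKE = (
    'From: "Mike Chan" <mike@clientfirrn.com>\n'
    "Reply-To: accounts@freemail.example\n"
    "Subject: Updated bank details\n\nNew account below.\n"
)

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("spoofed name", SAMPLE_SPOOFED_NAME), ("lookalike", SAMPLE_LOOKALIKE)]:
        print(label, "->", analyze(sample) or "no findings")
```

The checks are deliberately cheap so they can run in a mail filter or a scheduled script over a shared mailbox; a finding should route the message to a person for the out-of-band phone verification described above, not auto-delete it, because legitimate clients do occasionally write from personal addresses.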
Law Enforcement/Our Insurance Company Will Protect Us
Anyone who has been a victim of a low-level cyber attack will tell you that there is little to nothing that law enforcement can do. Local police, and even state police and the FBI, have little authority to prosecute crimes launched from overseas, outside their jurisdiction. In most cases they lack the ability or resources to properly investigate low-level cyber crimes. You will be left to decide for yourself whether to pay the ransom or write off the monetary loss. They will collect details on the crime, and some day, years from now, you may get a tiny fraction of restitution. None of that will get your systems running again or repair the reputational damage a cyber attack can cause.
Insurance may cover your losses, but only if you are in full compliance with the terms of your cyber liability insurance policy. You may be required to have someone responsible for overseeing the security of your systems, or to provide regular cyber security training to staff, before a claim will be paid.
SMBs Have Limited Liability for Cyber Attacks
This situation is changing. Between the expansion of the FTC Safeguards Rule, which mandates SMB cybersecurity for any business defined as a "financial institution" by the Federal government, the suspension of a municipal IT director, and the FTC enforcement action against the CEO of Drizly, regulators are placing a far greater burden for strong cyber security on employees and business owners. This situation is similar to the fallout from the Enron scandal, which led Congress to pass the Sarbanes-Oxley Act requiring executives to certify financial reports under penalty of fines or prison time if they knowingly misrepresent results.
A similar trend is taking shape around cyber security. Faced with growing complaints from cyber crime victims, the U.S. government is placing the burden of developing and following best practices on the shoulders of business owners, with no exception for SMBs.
Existing Cyber Security Solutions Are Unaffordable
This is the last major disconnect in SMB cybersecurity. The online conversation is driven by big firms that serve big clients, leaving a gap for SMBs that lack full-time CISOs or centralized systems. In some cases, the services offered are incompatible with the way small firms operate. You may not have the ability or employee support to restrict the use of devices, manage all communications through a central source or send the staff off for a week of training.
A cursory search of the options available can be disheartening, especially for SMBs that know they need help but have no idea where to begin. Protect Now exists to fill this gap. We built our business around the cyber security needs of real estate agencies and financial services providers, helping small and mid-sized firms get the training and support they need to conduct business efficiently and safely.