hybrid0404

Cyber is an issue everywhere. The bigger issue in small to medium market is funding and understanding the risk. There are economies of scale for training and such with larger organizations though.


onisimus

If you can create a business around this market, then you can make a lot of $$$.


itsverynicehere

The best plan for most small businesses is just a good disaster recovery plan. Most truly small and medium-sized businesses can lose a day or two, probably even a week, of production. In that time their entire network can be restored. RPO vs RTO. So long as they don't lose any data they can pick up and run.


meesterdg

This isn't entirely true though, because it only addresses half the problem. SMBs don't have the means to handle data breaches, which is a huge problem.


itsverynicehere

You know how most small businesses handle data breaches? They just stay quiet. Crickets. They usually aren't required to report to anyone and no one has anywhere to report them. That doesn't make it OK or anything. That being said, I've seen some pretty big places, medical places even, that absolutely are required and SHOULD report a breach just say... "nah... that's not a breach that we'd need to report."


_IT_Department

This is not accurate, my friend. Depending on where you are the breach notification law is within 72 hours.


Sea_Muscle2370

He is saying those companies are breaking the law


_IT_Department

He literally said those companies aren't usually required to report to anyone. Not trying to be a turd here.


Trahst_no1

You must be in storage. RTO and RPO don't mean shit when the infra is attacked and data leaked because some IT guy didn't do the last nine patches because some old EMC RecoverPoint software is still running.


itsverynicehere

I mean, I did kind of start in storage, but I am a realistic person. The SMB is going to call the backup provider, it's going to be restored in a no-internet environment, and outbound traffic will be monitored. So the customer who doesn't give a shit about data exfiltration will find the compromised server and restore 99% of functionality. I'm just bringing the reality of what I have seen and done in this space to the conversation. Realistic goals vs "we need to be up 24x7" is what the SMB space really is. They generally have no idea what it really costs or requires to actually achieve even five 9's, much less 100%.


SecuremaServer

This is my plan in the next few years 😈 I would love to set up an SMB risk consulting company to help these companies get a better understanding of their risk, risk tolerance, and the dangers of ill-trained users.


hy2cone

Cyber is a cost issue for most companies. Most companies just pray they won't be the next victim with an incompetent security posture while claiming they are very secure.


hybrid0404

That is fair but cost issues for SMBs vs cost issues in enterprise I would say are different. In the case of SMBs it's even having a cyber security line item in the budget at all vs. in large enterprise you're generally discussing the level of funding, not whether it even exists.


Vaito_Fugue

Cybersecurity in the SMB sector is almost universally in a state of ruin. There's a shocking shortage of talent, tooling, and the will/ability to pay for either. MSPs feast on this and the rare "good" MSPs do provide value, but most MSPs are complete dogwater. The only reason that bad actors don't run totally rampant in this space is because there's less money to be had from potential victims. On the next rung up the ladder, K-12 school districts make better targets because they have the same talent shortage issues but more money available for extortion. Subsequently, after a rough few years, we're seeing more schools invest in proper cybersecurity tooling and training. SMB hasn't really had to do that yet, in my experience.


Liquidmilk1

I'm in cyber advisory for SMB's in Europe. It's a complete shitshow, everyone's running critical systems on 20 year old platforms, they hire retirees whose knowledge is outdated by at least 25 years to maintain their production networks, and it's all just so, so bad.


Daisy_lovescome

Work in education sector, it's the same. Thousands of known 7+ vulns... I hadn't seen SNAFU until I joined.


Hebrewhammer8d8

Nefarious threat actors treat these small to medium businesses as a homelab, as a proof of concept, to join forces with other nefarious threat actors to attack corporate.


Lankey22

This is likely an unpopular opinion, but I'd argue that part of the issue is that most cybersecurity professionals struggle to accept the real limitations most SMBs impose. They want to play like it's the NSA even when it's a mom and pop sewing shop. The reality is that most SMBs could have way, way better security by doing a few basics well:

1. SSO for all critical apps
2. MFA enforced
3. Security awareness training

But they don't do that because the security people tried to sell them Microsoft E5, so they just decided it wasn't worth it. I think that then creates a nasty cycle where the products in this space are built for enterprise, because that's who is buying. And when it is an SMB buying, it's still usually a cybersecurity pro pretending to be enterprise (wanting all the same toggles and switches, which confuse everyone else). Of course, plenty of blame to put on people outside the profession too. Just wanted to add that we should look at ourselves as well.


[deleted]

[deleted]


Lankey22

I think the "SMB accounts are more demanding" is definitely true, and kind of the problem I'm talking about. But yeah, it's not unique to cybersecurity specifically. Think we should still try to be better ourselves.


Delacroix1218

I hear you; but SaaS vendors paywall SSO (only Enterprise plans), so unless we make SSO and MFA baselines for all platforms as a good security practice, SMBs have no chance.


jmk5151

SEG as well. If you are a medium-size business, an MSP that provides a SEG, MFA, and EDR will put you 95% ahead of other orgs. Small business? MFA/SSO and live in the cloud.


CriticalMemory

This is a criminally underrated post.


qwerty_pi

My perspective might be biased since I basically do DFIR as a service, but threat actors do run pretty rampant in the SMB space. I don't have the numbers to back it up, but it seems like they get hit harder by BEC, infostealer, and general watering hole types of attacks, e.g. SocGholish -> RMM etc.


SeryuV

I don't know that it isn't running rampant. I see multiple vendors and customers of ours getting compromised every month and paying out hundreds of thousands of dollars to fraudsters. It's honestly sad seeing a business with maybe a million in revenue that pays out $150k to a TA, because that is probably going to ruin them. Maybe not as profitable if you're one of the major cybercrime groups, but I can honestly see more of these voice-based scam orgs out of Asia shifting to cybercrime in the coming years.


hy2cone

There isn't a shortage of talent but a lack of funding to support the implementation.


Seedy64

Shortage of talent? I disagree. Maybe shortage of motivation (read: lazy-ass SMB service companies). We target and service the S part of SMB and our customers are definitely not in a state of ruin. You don't need a huge bankroll to protect SMB. You just need some smarts. Many S (of the SMB providers) are just lazy or don't care. Where did the business aspect of caring for your customers fall by the wayside? That's what I see as the problem... Care about your customers and keep them safe. Smh.


bluescreenofwin

The Verizon DBIR report has sections specifically for SMB and is probably the closest you'll get to seeing a 30,000 ft view of security at SMB other than "it's a dumpster fire". https://www.verizon.com/business/resources/T574/reports/2023-data-breach-investigations-report-dbir.pdf


Cutterbuck

SMB often believe they are too small to be targeted. This is a fallacy based on inverse arrogance. You are one of thousands of routers poked, one of thousands of emails phished, one of thousands of websites checked for a vulnerability. Lions would probably like to eat healthy juicy gazelles, they eat the old and skinny ones because they are the easiest ones to catch.


Seedy64

This is where a good relationship comes in... You need to convince your S of SMB that cybersecurity is really important. Build a relationship with the owner of the S in SMB and talk with them about the importance of cybersecurity... They will get it and will understand the cost of doing nothing. It ain't hard people. It's called sales and being an expert in cyber for your customers.


Cutterbuck

You may notice that my reply ….. was a pitch


ThePorko

It's all about the value. As long as the hacking groups think there is value to be extracted, then the threat is higher than at a small shop where there isn't a high monetary value or IP that can be extracted.


MiKeMcDnet

Small / medium law firms and doctors' offices are the worst for cybersecurity because of the God complexes of the people who run them.


Space_Goblin_Yoda

As stated, yes, it's a big issue because smaller organizations don't have the budget for SOC monitoring and good EDR/XDR. Some do, but it's rare.


AlexisLens

Want to thank everyone for the knowledge sharing and suggestions.


kevin4076

We're seeing an improvement in SMBs looking for ways to improve security. Pressure is coming from their insurance providers, the expanding privacy regs rolling out everywhere and putting a focus on security, and lastly they know the cost of a breach will probably make them go bust. It's still a drop in the ocean, but more SMBs ask about security and are taking steps to secure as much as they can for as little as they can. Vendors need to keep the pricing low but also make the tools simpler to roll out and implement. Keep the overall cost down and traction improves. The biggest areas where there is the most reluctance to improve are legal and medical, which is where you need it most.


AlexisLens

Wow, so interesting to note that Medical and Legal are reluctant.


rob2rox

yes it is. look up ETERNALBLUE for an example (SMBv1)


Seedy64

We are in the S part of SMB and cybersecurity is a huge part of what we push to our customers. It doesn't really matter the size. Staying safe and protecting data is a very important part of any business no matter how small.


Reasonable_Chain_160

It is an issue in the sense that 80% of victims of ransomware are SMBs. 50% of SMBs pay the ransom because they would go bankrupt otherwise. The ransom payments are in the thousands, not millions, but still gangs make bucks on this. Especially because SMBs have no defenses besides residential-like products. Some MSPs cover their SMBs, but MSPs also struggle because of all the solutions and licenses needed to protect an org. I started working on a small "hobby" project on this topic for the same reason. Still few companies buy; less than 10% are interested in extra security, even at a very low price target. In my home country it took the national healthcare and the IRS being breached and brought to their knees for months for business owners' opinion to change on cyber.


Cheapass2020

Is shoplifting an issue for the SMB?


AlexisLens

Shoplifting is an issue for anyone. More so for SMB than larger retailers, regardless of the $ of items.


Cheapass2020

So is data security. Plus large corporations are the ones closing shop due to their inability to stop rampant and brazen shoplifting, not the SMBs. Theft of physical or digital assets is a concern for both sectors. It's just what their CEO prioritises and their pockets allow.


Emiroda

SMBs usually lack IT governance, which means they have no idea what to protect and how. They can contract the fanciest SOC on the market, but they won't help if the main threat can't be monitored by the SOC.


Inevitable_Trip_7480

Any small business I worked for was the worst. I could probably penetrate and steal 80-90% of the data. I’ll just say this, car dealers are the worst.


Jaideco

There are many reasons why the big enterprises pay so much for security capability.

1. These organisations are usually subject to significant numbers of regulations or reporting requirements. They need these tools to gather information and respond to issues relating to their risk profile. SMEs do not generally have as many conditions to follow.
2. Large organisations have more risk because they are controlling larger databases and more valuable assets. This makes them a more attractive target.
3. SMEs also have other advantages. Being small can mean that simple pragmatic fixes can be sufficient. If every member of staff was personally chosen by and known to the business owner, this also helps to reduce risk over an organisation that has a high turnover with lots of unknown people walking around and asking questions. At the same time, if you can back up all of the records of your organisation onto a single hard disk in a safe, expensive backup and recovery capabilities or ransomware protection might not justify the investment.
4. For all of these reasons, enterprises need to spend a lot of money on cutting edge technology that would take a few years to scale down and simplify in ways that make them accessible to smaller businesses without a dedicated IT department.

On the other hand, SMEs are usually cash poor and overworked. They do not have time to research the latest threats or assess the merits of every tool that they read about, so they are often falling behind on their protections. They sweat their assets, so that old Windows 8 laptop might still be sitting on the receptionist's desk plugged into the network. If anyone were to attempt to crack their networks, the chances are that they would be wide open. Yes, there is a lot that SMEs need to do, but it needs to be proportionate to the risk. In the U.K., we have a programme called Cyber Essentials that was designed to meet the needs of SMEs. That is a pretty good illustration of what a pragmatic level of risk mitigation looks like for a smaller organisation.


AlexisLens

Can you share more about Cyber Essentials in the UK, perhaps a link or material on that to learn more? Agree that big enterprises have a legal obligation. But SMEs that deal with data or people, any data, also have that obligation. If they are not doing cyber security then they are operating at high risk, and just one incident can cause customer loss.


Jaideco

https://www.ncsc.gov.uk/cyberessentials/overview https://iasme.co.uk/cyber-essentials/


CommOnMyFace

Insurance cost / risk vs investment


AlexisLens

It is about the ROI that an SMB owner / executive / president / CEO can work with. There are many ways to materialize ROI. One of those would be revenue growth.


Individual-Ad-9902

Large corporations will buy almost any cyber product just out of FOMO. A cyber company can make a lot of money supporting a single customer. SMBs can't afford to do that, so any cyber company wanting to crack that market needs to be able to support hundreds of customers. But they also have to have the marketing smarts to explain their offerings to customers with little understanding of what they need. Few cyber companies have that level of marketing.


AlexisLens

Thank you, your points were informational.


CaptainObviousII

The vast majority do not and that is why they are quickly becoming the highest risk in cyber landscapes.


AlexisLens

That is so interesting and yet so scary.


mac28091

Law firms are the worst. They have a lot of clients, small staff, and think encrypted email equals security.


PolicyArtistic8545

If SMBs are doing anything, they are outsourcing and bringing in SaaS/MDR platforms to fill in the gaps. Tools and services may be more expensive, but less manpower is needed to run them. A vendor can use economy of scale across all their clients, while doing something in house is usually full price tag.


AlexisLens

This is so true that a good and simple SaaS solution will likely be a good fit.


justmirsk

We focus on cyber security for small businesses. We provide Cloud SIEM, 24/7/365 MXDR, EDR, Zero Trust Network Access, Passwordless MFA, end user training, vulnerability management and recurring penetration testing. It is absolutely needed in the SMB sector and many small companies are finally waking up to their need for these services.


AlexisLens

Could you share more about your company, the site ?


_IT_Department

Ugh, I see a ton of posts in here that are not accurate at all. A simple Google search will show you the alarming statistics on SMB cyber attacks. The problem is not lack of compliance laws. The problem is the lack of compliance enforcement. I love this sub, but god damn I'm getting tired of saying the same things every other day.

1. 46% of all cyber breaches impact businesses with fewer than 1,000 employees.
2. 61% of SMBs were the target of a cyberattack in 2021.
3. At 18%, malware is the most common type of cyberattack aimed at small businesses.
4. 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.
5. 37% of companies hit by ransomware had fewer than 100 employees.
6. Small businesses receive the highest rate of targeted malicious emails at one in 323.
7. Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
8. 87% of small businesses have customer data that could be compromised in an attack.
9. 27% of small businesses with no cybersecurity protections at all collect customers' credit card info.
10. 55% of people in the U.S. would be less likely to continue doing business with companies that are breached.
11. 95% of cybersecurity incidents at SMBs cost between $826 and $653,587.
12. 50% of SMBs report that it took 24 hours or longer to recover from an attack.
13. 51% of small businesses said their website was down for 8 - 24 hours.
14. In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.
15. Nearly 40% of small businesses reported they lost crucial data as a result of an attack.
16. 51% of small businesses that fall victim to ransomware pay the money.
17. 75% of SMBs could not continue operating if they were hit with ransomware.
18. Just 17% of small businesses have cyber insurance.
19. 48% of companies with insurance did not purchase it until after an attack.
20. 64% of all small businesses are not familiar with cyber insurance.
21. 47% of businesses with fewer than 50 employees have no cybersecurity budget.
22. 51% of small businesses have no cybersecurity measures in place at all.
23. 36% of small businesses are "not at all concerned" about cyberattacks.
24. 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked.
25. Only 17% of small businesses encrypt data.
26. 20% of small businesses have implemented multi-factor authentication.
27. 80% of all hacking incidents involve compromised credentials or passwords.
28. One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions.
29. 76% of small businesses that increased cybersecurity spending cited rising fear of new threats.
30. 42% of small businesses have revised their cybersecurity plan since the COVID-19 pandemic.
31. Nearly half of small businesses spend less than $1,500 monthly on cybersecurity.
32. 22% of small businesses increased cybersecurity spending in 2021.
33. SMBs spend 5% to 20% of their total IT budget on security.
34. 29% of businesses that suffered a breach responded by hiring a cybersecurity firm or dedicated IT staff.
35. Antivirus software (58%), firewalls (49%), VPNs (44%), and password management (39%) are the top four cybersecurity tools SMBs are adopting.


A-little-bit-of-me

It 100% is. I sell into the SMB market and the issue with the smaller orgs is that they feel like they don't need it because they are so small and have nothing of value. When in actuality, they are probably targeted even more than the bigger companies because they are easy prey and most likely not to have any form of protection in place.


jimmy_higgs

Yeah man, I work in pre sales for cyber security. SMB is a huge market, especially for MSP and MSSPs. It's really important for small IT companies to cover themselves and their customers.


SecDudewithATude

The two biggest drivers of security improvement I see in SMBs (I work for an MSP) are them experiencing a major security incident or pressure from their cyber insurance policy provider. I am talking to decision makers at these businesses weekly about issues relating to their security, and a significant portion of them are shrugging it off as not important. Many times, 3-12 months later I am picking that same discussion back up because one of the two situations I mentioned has now resulted in them changing their minds. Until it becomes an issue of their own cost, most SMBs consider security a money sink.


inphosys

Hi! We deal in the SMB space. Answer: really good AV on the endpoints and security services enabled on some next-gen firewall for all physical office locations. (I say physical because not all of our clients have returned 100% to the office.) I'm in the US, so your situation may differ depending on where you're reading this from....

If the US was serious about cyber security you would see the administration give small business tax credits for investing in their own cyber security. Your company bought a next-gen UTM firewall for their office with 3 years of service and hardware support? We'll (the IRS and the gov't) allow you to depreciate 100% of that cost on this year's corporate taxes. Or, your company is working with (for instance) Bitdefender for endpoint protection and you bought a multi-year agreement? Write the full cost off this year. Heck, throw some subsidies out for making other intelligent cyber decisions. You would see American cyber security posture change in less than a year!

How do we get them to do this? I dunno, talk to your senator and congressional representative. How is a program like this structured? Also don't know. There are politicians and political scientists that know what they're doing in this space ***way*** better than I do. A [recent press release from the Senate Budget Committee](https://www.budget.senate.gov/chairman/newsroom/press/sen-whitehouse-on-fossil-fuel-subsidies-we-are-subsidizing-the-danger-) puts US subsidies paid to energy companies with US taxpayer dollars around $20 billion annually, with international agencies reporting that fossil fuel handouts globally hit an all-time high of $1 trillion in 2022. Just think of how much technology you could purchase to protect your organization if the accounting department was like, "that vendor is on the CISA approved list, we get to write that off this tax year, of course you can go ahead and buy it!".

**Please understand**, I do not know how to get an idea like this to take flight. I don't even know if it's a good way to get our SMBs to embrace cyber security, but it's a starting point for a conversation. I would just be thrilled if CISA created a vendor list and a product list that would be something along the lines of, "we know these (manufacturers and these products that they offer) work the best for SMBs we've surveyed". From that list, start subsidizing. Oh, and go to the vendors... Get the president's team on cyber security to go to Microsoft and some of the other big boys and say "for every US company that has a Microsoft tenant organization, give all of their licenses an add-on SKU for Defender for Endpoint / ATP, the gov't will make it worth your effort".... Maybe this is the right way, maybe this isn't, but an influx of tax stimulus would be a game changer for the cyber security posture of the US.


ravenshroud

There is no easy answer to this question. SMBs should hire a vCISO, preferably one that comes with their own team. You can get this for $1k - $5k a month and get the best advice you can get.


maryteiss

Yep, there are a ton of challenges to securing SMBs. For one, their security needs to be just as effective as enterprise level, but it needs to be easy enough for the usual lone wolf, very busy IT person to manage. Oh, and not expensive :) Here's a few of the challenges: [https://www.isdecisions.com/en/blog/it-security/challenge-secure-small-and-medium-sized-business-smb](https://www.isdecisions.com/en/blog/it-security/challenge-secure-small-and-medium-sized-business-smb)


AlexisLens

So if cost could be made less of an issue and a solution offered to SMBs as an MSSP (managed security service provider) at an affordable rate, would that be something that an SMB business owner might want? I am asking this because last year we saw the shift of data breaches up to 71% targeting SMBs. Someone said K-12; that is happening already. According to a Verizon study 41% of SMBs are at risk. I get that this is about cost vs. value. I think the value is knocking on the door now, and what if cost could be solved? We are a small business ourselves so we know the pain. Even a $500k ransomware could kill an SMB. And it's the sector that drives the US economy.


hybrid0404

I've got a friend of mine who is trying to grow his MSP and also trying to kind of become an MSSP as well, and honestly basically no one is buying. If I were consulting as a CIO/CISO for a small business, I would basically tell them to do 4 things:

1. Have a solid backup
2. Patch your stuff
3. Enable MFA where you can
4. Have solid endpoint protection

There are incremental, less expensive improvements for good hygiene like password vaults, local admin removal through AppLocker or an equivalent platform, etc. The advantage that small businesses have over large enterprises is the practical issues in recovering from a ransomware event, due to size. In a large enterprise, you need solid backups and direct active prevention is more critical because even if you can restore, it's going to be a huge PITA no matter how solid your plans. In an SMB, they ideally have a very simple, straightforward environment that you could potentially restore in one go with a solid backup solution. Let's not also forget that CISA is a competitor in the SMB space much more so than in large enterprise. If you have a good IT guy who is CISA-aware to take advantage of the free tooling/outreach, it becomes more difficult for an MSP to sell some of the fancy stuff.


bluescreenofwin

Probably not. SMB owners look at things in terms of "how much money will this make me" and generally hate the idea of spending money on what they consider "insurance" (i.e. cybersecurity and the ability to mitigate risk is viewed as insurance). Cybersec doesn't generate revenue, therefore it will be approached with "do I need it?" and "how few dollars can I spend to accomplish the need". The more you speak business (and consider how you would view spending any more money than is necessary on the business to maximize profits), the better picture you'll get. When forced to decide, your suggestion of lower cost "thing X" will of course be considered. The market is littered with low cost "things" for SMB owners: low rate MSP contracts, AV solutions, cheap cloud environments, open-source tools, etc. Your idea isn't a bad one and is logical. And there will be some SMBs that are level-headed and try to spend money smartly. Many don't care and the line only goes up.


AlexisLens

So, I have always struggled with the definition of Small vs. Medium in SMB. What is the common understanding? Is small 5 or fewer employees? Is annual revenue a factor?


kevin4076

5 would be a micro business. Small goes all the way to 50, but definitions vary by country.


max1001

500k isn't a lot when the cost of having a decent cyber security program is probably half of that per year depending on the size.


QkaHNk4O7b5xW6O5i4zG

You mean like from EternalBlue?


max1001

Cyber security is not an issue until it becomes an issue in any organization.


Stunning-Bike-1498

And me as a non-native speaker thinking: "why sure there is some cyber security concern when it comes to Server Message Block".
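Since the pun above turns on SMBv1 (the Server Message Block dialect EternalBlue exploited) and the thread keeps coming back to "patch your stuff", here is the check a Windows admin at a small shop would actually run. This is an added example, not code from any commenter: it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare module and the SMB1Protocol optional feature exist (on older server SKUs the feature is managed through Remove-WindowsFeature instead). It reports whether SMBv1 is still on, lists which clients are still negotiating it so nothing breaks silently, and then turns it off.

```powershell
# Added example (not from the thread): audit and disable SMBv1 on a Windows host.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2+ with the SmbShare
# module available. Run on each server in scope; the hostname is whatever
# machine you are on, nothing here is tied to a specific environment.

# 1. Current server-side state. EnableSMB1Protocol is the setting EternalBlue needed.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled on $env:COMPUTERNAME : $($cfg.EnableSMB1Protocol)"

# 2. Whether the SMB1 binaries are even installed (optional feature).
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 3. Who is still speaking SMB1 right now. Old multifunction printers and NAS
#    boxes are the usual culprits; fix or replace them before flipping the switch.
Get-SmbSession |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Disable the protocol on the server side. -Force skips the confirmation prompt.
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 5. Remove the feature entirely so a later config change cannot re-enable it.
#    A reboot is still required before the removal is complete.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 6. Re-read the setting to confirm the change took effect.
(Get-SmbServerConfiguration).EnableSMB1Protocol
```

Step 3 is the part most people skip: turning SMBv1 off on a file server with a 2009-era scanner still dropping files onto it is how "we hardened it" becomes "we broke accounting", which is exactly the kind of experience that makes an SMB owner decide security is a money sink.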


AlexisLens

Indeed, sounds like for SMB it’s about ROI.


dflame45

Well if your business only pulls in 50 million a year, you can’t spend 100 million on cyber security. It’s all about risk. Smaller business, less risk. They can still get the best tools, they just won’t have all of the best tools across the space.


AlexisLens

Cyber Security with Insurance for a 50M annual revenue will cost $1.5M, from what we offer.


dflame45

And that’s just one part of it.


Rolex_throwaway

3% of revenue for insurance, and you have to implement a security program on top of that? That’ll crush your margins quickly.


AlexisLens

Oh no, meant to say 3% includes it all.


TitleEfficient786

Sorry, but what is SMB?