The odds that your business will survive a cyber security event are not in your favor.
According to The Business Journals’ 2017 Predictions Report, more than half of SMB companies will have to shutter their business within six months of a cyber security event. With the average recovery cost for companies of this size totaling $36,000, it’s not surprising that recovery is an uphill battle. And as the numbers show, cyber criminals know an easy mark when they see one: 43 percent of cyber attacks are targeted at companies in the SMB range.
The “It Won’t Happen to Me” Approach
It’s easy to understand why cyber criminals would disproportionally target SMBs. A recent Gartner survey suggested that businesses large and small are spending an average of just 5 percent of their overall IT budget on preventing hacks and security breaches, and most of that 5 percent is wasted on initiatives or products that don’t do much to improve security.
If you take a look at the Business Journals report’s numbers, far fewer business leaders are concerned about the threat than should be—just 28 percent of owners now are very concerned about the safety and security of their technology, email, and documents. That’s actually a two percent decrease since 2009.
If you’re the owner of an SMB, you would probably wonder why anyone would bother to attack your business. You might not think you have anything worth stealing in the first place—but take heed that cyber criminals aren’t necessarily after bank account numbers. They’re after information that’s far easier to obtain, like:
- Health record information
- Files that are important to you and you alone (this is ransomware—they know you’ll pay to have those files unlocked)
- Access points to use your computer/network to launch bigger attacks on large companies (it happens)
Looking for Security in All the Wrong Places
The Gartner survey suggests that most companies will make the assumption that because they are spending money on IT security—even if it’s a fraction of their budget—then they are adequately protected. In truth, the budget is usually just a guess based on what their industry and geographic peers are doing. It’s a budget that isn’t based on facts or on the company’s actual security risks.
“You could be spending at the same level as your peer group,” Gartner’s research director Rob McMillan says of the survey results, “but you could be spending on the wrong things and be extremely vulnerable.”
In fact, in the Gartner survey, the two types of businesses spending the least amount of money on IT security were unsecure organizations that underspend and secure organizations that have carefully considered their security risks and worked to reduce the number of security vulnerabilities.
What’s the Right Budget for IT Security?
The right budget depends on your unique business. If you want to be sure you’re getting the most out of the dollars you’re spending on IT security, it could be worth the cost of bringing in a professional IT team to review what you have in place and where you could be saving money.
If you prefer to evaluate your systems before bringing in an IT professional, start by examining how much you’re spending in the following areas, and whether or not these areas are effective at increasing your IT security:
- Networking equipment (does it have embedded security functions?)
- Desktop protection (what are you protected from?)
- Security training (do employees know what to click on or how to handle social engineering risks?)
- Privacy programs (is customer/client data protected?)
- Data security (where—and who—can access critical data?)
- Business continuity (if you have an event, will your business be operational?)
- Data recovery (if your files are encrypted by a crypto virus, will you be able to restore from a backup, or will you have to pay a ransom?)