Why SMBs Face Greater Cyber Threats And What Leaders Can Do About It

The number of small and medium-sized businesses that reported experiencing cyber threats is on the rise. According to one study, as many as 63% of SMBs said they faced increased cyber threats in 2020.

Then there are other alarming facts about SMB cyber security, such as:

• An insider cyber incident can cost a business an average of $7.68 million
• 43% of organizations don’t have a proper cyber defence plan and 20% don’t have any endpoint security protection
• 70% of employee passwords were stolen or lost
• 22% switched to remote work without additional cybersecurity measures

The risks and impact of cyber threats on fast-growing companies

It’s evident that for most fast-scaling companies, cybersecurity is no more than a side project. Startups may have nominal cybersecurity defences in place, but by no means is it their primary concern.

As companies continue to grow, the risks and impact of cyber threats increase in the following ways:

• Startups can’t afford losses due to cyber threats, especially when their focus is on building market awareness and creating value.
• With growth comes intrinsic value, so companies have a lot more to lose. Yet, they’re still not big enough to absorb the brunt of a major cyber attack. 
• If a nascent startup experiences a cyber breach, only a few people are affected. That number increases considerably as the company grows and has more stakeholders. 
• As a company moves on from a close-knit startup where a few people wear multiple hats to having individual departments, those additional people add to the company’s cyber risk. 
• A growing company has access to more valuable data, such as employees’ personal data and proprietary information – and a high-impact security breach endangers everything. 
• A fast-growing company adds to its vendor portfolio, thus increasing the impact of a cybercrime. 
• Startups and small businesses often have a narrow line of products, which doesn’t allow much room to diversify or manage risk. 
• A fast-growing company may not only be inexperienced in managing cyber risks, they’re subjected to fewer regulations. And since compliance and regulations go hand-in-hand, they don’t develop “a culture of cybersecurity.”

Major cyber threats to fast-growing companies

Growing companies and small businesses face both external and internal cyber threats. The reason behind these threats can be anything from outside espionage to an employee grudge to a hacker looking to have a little fun. 

Top external cybersecurity threats include:

• Phishing 
• Hacking 
• Malware and ransomware
• Misuse 
• Misconfiguration 

A robust and multi-layered cyber defence plan against external threats should include:

• Firewalls, antivirus and endpoint security solutions
• Cyber security audits
• Access management and control policies and procedures
• Email security, such as anti-phishing solutions and spam filters
• Cyber security awareness training 
• Incident response and disaster recovery plans
• Current data backups

Fast-growing SMBs face internal cybersecurity threats

An internal threat to cybersecurity is as big a menace as external. The top two internal cyber threats are shadow IT and an organization's employees. 

• Shadow IT as a cyber threat

• In a fast-paced startup, not every device or app may have been vetted by the IT department. This causes shadow IT, which has grown exponentially with the rise of the “as-a-service” model. Shadow IT includes:
• Hardware: laptop, smartphones, tablets, servers
• Of-the-shelf software
• Cloud Services: Software-as-a-service (Saas), Platform-as-a-service (PaaS), Infrastructure-as-a-Service (IaaS)

While shadow IT applications can quickly provide employees with the tools they need, it also creates security gaps. Applications that include file and data sharing, storage and collaboration can prove especially risky. 

The solution is to let IT and cybersecurity departments approve whatever application any team member uses. And rely on existing cybersecurity credentials.

Employees as a cyber threat

Employees are a significant cyber threat to fast-growing companies. Growing startups not only have greater turnover rates, they often don’t have a well-defined onboarding and offboarding plan in place. This makes them more vulnerable to cyber threats related to human error and bad intent. 

According to a report from CyberSecurity Insider, 90% of organisations are vulnerable to insider cyber attacks, with the main risk factors being:

• Too many users with excessive access privileges (37%)
• An increasing number of devices with access to sensitive data (36%)
• The increasing complexity of information technology (35%)

Solving the risk of insider threats to fast-growing companies has to be a joint effort between the IT and HR departments. 

As a growing company’s HR apps move to robust systems, it’s critical to build security protocols around migration and usage. The same is true for remotely accessible HR apps.

A growing remote workforce requires thorough identity and access management as well as IT asset tracking. When there’s high turnover, it’s not unusual to have access rights open after an employee leaves.

Having structured onboarding and offboarding can be cumbersome in a fast-paced work environment. But IT and HR professionals need to work together to iron out the security of confidential information such as payroll details. As the company grows and employees need to access numerous apps and business systems, this process becomes much more complex.

An estimated one-third of cyber attacks happen due to human error. IT training as well as promoting a culture of security can play a big role in mitigating cyber risks. 

In addition to the above measures, global cyber security expert Prof. Sadie Creese highly recommends includingbackground checks in the hiring process. You can learn about the cyber implications of rapid growth in our Oxford Cyber Security for Business Leaders Programme.