Cybersecurity threats and risks are constant, pervasive, and always evolving. Mitigating risk, protecting key IT infrastructure, and securing company and customer data are top priorities at massive, multi-national companies like Apple and Amazon as well as at large federal government agencies. And for very good reason.
However, small businesses, schools, and other midsized organizations with smaller public profiles have increasingly become the targets of hackers and bad actors.
In fact, small and midsized businesses (SMBs) with fewer than 1,000 employees account for 46% of all cyber breaches. And 61% of SMBs experienced a cyber-attack in 2021, according to Verizon’s 2021 Data Breach Investigation Report. While these numbers might be surprising to SMB leaders and school administrators, the fact that only 14% of SMBs are prepared for cyber-attacks, according to a recent Accenture study, might be an even more shocking data point.
Whether an organization has 40,000 or 50 employees, a cyber breach that disrupts operations, even for just 24 hours, can have devastating financial consequences and cause great damage to customer and stakeholder trust.
So, what can SMBs, schools, and emerging companies do to be better prepared for the constantly evolving cybersecurity threat environment?
Mac Del Rosario, Systems Administrator at MELE Associates, Inc., a leading federal contractor with deep IT expertise, believes that smaller organizations can thwart cyber threats more effectively through increased vigilance and a more consistent approach. He and MELE would know—the company manages a wide array of IT and cybersecurity contracts with some of the largest U.S. federal agencies, in addition to collaborating on IT matters with private schools and commercial clients like emerging biotech companies.
“With our federal IT contracts, cybersecurity threat awareness is always top-of-mind, but with some commercial and education customers, the most frequent thing we see is that people let their guard down. They say ‘This won’t happen to us. We’re too small’ and the next thing you know passwords don’t get changed, software isn’t updated, and all your personnel’s data is out there,” he shared.
“We also see very small commercial IT departments or single person IT ‘departments’ that simply struggle to keep up. In both cases, MELE can come in, lend a hand, and set an organization on a stronger cybersecurity path. It’s not just the huge, big-name businesses that need to be vigilant. Small businesses need to be vigilant with cybersecurity measures or Pandora’s Box can be opened for them, too,” stated Del Rosario.
Del Rosario advised that smaller businesses with fewer resources need to focus on the basics. While this seems like common sense, small businesses without the budget and required human capital can often lose sight or struggle to execute the basics like:
- Changing passwords regularly
- Using stronger passwords
- Adding two-factor (multifactor) authentication processes
- Updating anti-virus software and software in general
- Fortifying firewalls for stronger wi-fi security
- Educating and training staff on IT and cybersecurity best practices
A study conducted by security firm Tessian and Stanford University Professor Jeff Hancock found that an employee mistake causes 88% of all security breaches. And according to research conducted by IBM, security breaches cost small and midsized businesses with less than 500 employees approximately $3.31M per incident on average.
“Many businesses overlook the single biggest threat to cybersecurity and that’s human error. The human factor in managing IT risk can’t be underestimated. The most important tip is educating your team and creating greater cybersecurity risk awareness through consistent training,” Del Rosario stated. “This is something that a business of any size can do if there’s awareness and the will among its decision-makers.”
Del Rosario went on to say that a business or school can have all the virus and cyber technology in the world, but if one staff member engages with a Phishing email, for example, the whole house can come down.
The most effective small business or smaller educational institution cybersecurity approach is combining tech and effective IT standard operating procedures with consistent IT and security staff training.
“There are so many threats out there like Phishing emails, social engineering attacks, Ransomware, and Malware, it’s a real challenge for under-resourced or very small IT teams to keep up. But it can be done with a consistent approach and perhaps some outside assistance to augment what a company already does well,” shared Del Rosario.
“A good first step is to get some outside help to conduct an IT/cybersecurity audit, which will help you identify your strengths and weaknesses and let you know where to start. In many cases, there will be easy fixes that can help you improve your cybersecurity right away like regular password updates, as I mentioned,” he shared.
“An audit will help focus your energy and investment, but the best advice I can share is this: build and execute a cybersecurity education and training program for your team. Stay vigilant and be consistent. Cybersecurity needs to be an ongoing time and investment priority even at smaller organizations,” stated Del Rosario.
“A cybersecurity breach can certainly damage an organization financially, but even more importantly, it creates a breach in trust among your customers and stakeholders that can be very difficult to close and repair,” he concluded.