
Budget Cyber for Small Companies

  • Ralph Labarta
  • Apr 18

Updated: Apr 19

The average cost of a ransomware attack has trended downward in recent years, but that is not good news. The drop in the average is largely due to a larger volume of attacks against smaller companies.


Smaller companies have become attractive targets, even though the individual payout may be less, because the cost of executing an attack has become more economical for the hackers. In other words, it's worth the effort for a $40-50,000 ransom payment.


Small and mid-size companies present softer targets because they spend less on cyber security, tend to lack security controls, and engage in riskier technology practices. To make matters worse, a small company's ownership is more concentrated and may represent a significant portion of family wealth, making for a highly motivated payer.


What can a small to mid-size business do right now to improve its cyber defenses without spending a lot of money?


First, stop engaging in risky behaviors:


  1. Stop sharing user accounts. Sharing user accounts involves communicating passwords and often forgoing multi-factor authentication. Using legitimate credentials to launch attacks is one of the most common points of entry.

  2. Stop using desktop remote access software. Legitimate remote access tools are often exploited by hackers. If remote access is a critical business need, it is time to pursue more secure remote access solutions.

  3. Educate employees about cyber risks and add controls on money transfers. Utilize various free education resources to minimize risks from phishing and social engineering. Deploy controls on wire or other payment transfers that are in addition to email or basic electronic means.

  4. Enable the security you already have. Many small businesses have tools in place, but do not have security features enabled. Often, security features are added in updated versions, but are inactive by default.

  5. Stop ignoring warning signs. Frequent malware infections, account lockouts, repetitive phishing attempts - these are all signs that your cyber security practices are deficient, and a cyber incident may be imminent.

The next step is to prioritize spending and invest in initiatives that provide the greatest cyber and resiliency returns.


High impact investments include:

  1. Cloud-based secure backups. Backups that are protected from ransomware are invaluable in addressing cyber and other technology failures. Backups enable organizations to have an alternative plan for recovery should their systems become compromised.

  2. Cloud-based email/file sharing solutions. Solutions like Microsoft O365 provide turnkey controls against phishing and email compromise. For any business, email is the most common entry point for bad actors and is highly correlated with financial loss.

  3. Outsource technology support to a reputable provider. Partner with a vendor that will provide a secure framework for computing that is standardized across their client base. A capable partner will employ a standard computer configuration that will include endpoint protections, a secure email and file sharing solution, identity management, and a framework for detecting and responding to security threats.

Spending can be minimized while still achieving material improvements. Doing nothing will actually be more expensive.

 
 
 


© 2024 Techmar, LLC
