Take Proactive Steps Against Cyberattacks

While mass outages, like 2024's CrowdStrike event, can bring small businesses and major corporations alike to their knees, small technical issues or IT events are far more common and can shut down business functions with equally devastating effects. Cybersecurity threats raise the stakes, especially for small and mid-sized businesses that rarely have strong protections in place to stave off potentially business-ending attacks.

Surging security and cybersecurity threats don't discriminate by company size, industry, or geographic footprint. In today's high-risk security environment, an attack is all but inevitable, which is why every businessperson needs to evaluate their network and security status to identify and address areas of weakness.

A threatening environment

According to a recent survey by New Relic, the median number of annual outages among respondents was 232 with more than half experiencing weekly low-impact disruptions. IT teams spend 30% of their time—the equivalent of 12 hours per 40-hour workweek—addressing interruptions ranging from network failures and third-party service issues to human error.

Cyberattacks are also surging, and small businesses are a favorite target. Attacks against small businesses increased by 150% over a two-year period at an average cost per incident ranging from more than $825 to nearly $654,000. More than 73% of U.S. small business owners reported a cyberattack in 2023, most of which compromised user credentials. Further:

• Financial motives are behind 98% of cyberattacks on small businesses.
• System intrusion, social engineering, and basic web application attacks represent 92% of all small business breaches.
• An average small business with less than 100 employees will receive 350% more social engineering attacks than larger enterprises.

Despite the risk, the typical small business spends less than $500 a year on cybersecurity, and most don't have a dedicated cybersecurity budget. It's an oversight that can have significant repercussions as 60% of the small businesses that fall victim to cyberattacks close their doors within six months because they are unable to recover from the resulting downtime, reduced productivity, and remediation costs."

According to Nationwide claims data, it takes an average of 279 days for a small business to recover from a cyberattack, and the average associated costs are between $15,000 and $25,000. Further, 32% of small business owners who experienced an attack said it led to losing customer trust.

A proactive stance

When it comes to IT events and cybersecurity attacks, it is a matter of when, not if, for businesses of all sizes. However, there are several steps companies can take to mitigate their risk, starting with a self-assessment to determine areas of vulnerability. This doesn't require an IT expert; just answer a handful of questions in the following five areas:

• Staff training: is your team trained in cybersecurity best practices, including recognizing phishing attempts and the need for strong passwords, and is this training updated regularly?
• Security safeguards: Are security measures in place that minimize human errors (e.g., email filters, browsing restrictions, multi-factor authentication, etc.), particularly around personally identifiable information (PII) access? Are they kept current?
• Software patches and updates: Are procedures in place for installing the latest patches and updates to software and systems to protect against emerging threats and harden existing vulnerabilities? Are they followed?
• Vendor security profiles: Do vendors, partners, and any other entity that may access the company's systems have proper cybersecurity and security protocols to prevent a breach on their end from impacting your operations?
• Business continuity: Is a business recovery and continuity plan in place to get operations back up and running after a breach? Is it regularly reviewed and updated as needed? Are staff aware of the plan and trained in its deployment?

Responses will help determine if broader protections are required and if engaging with an IT service provider is warranted. If it is, look for a provider with cybersecurity experience that offers, at minimum, proactive monitoring, regular security assessments, and staff training. Prospective partners should also have a deep understanding of industry-specific compliance requirements.

Erik Eisen is CEO of CTI Technical Services, a leading IT support and cybersecurity services provider with a diverse clientele including hospitality, legal, manufacturing, dental specialties, small medical practices, and other industries.