Figure 1: The Dark Web The dark side of the internet is explored in a documentary produced...
Is Pay as You Go a Solution for SME’s Cybersecurity ?
“Cyber insecurity is no longer just a buzzword, it has
become a reality for Small and Medium Enterprises
(SMEs). While many SMEs, the newer ones especially,
have started undertaking regular digital risk
assessments, many of the more established SMEs have
to do some catching up.”
Entrepreneur.com — November 28, 2018
Cyber attacks are often considered a risk — mainly — to large corporations and conglomerates. This belief is changing as smaller businesses have begun to report data breach cases and system compromises.
With the global economy converging through technological advancement, SMEs become an integral and critical part of the value chain. Thus, more susceptible to cyber-attacks on themselves and their partners, vendors, and providers. As the digital landscape for SMEs evolves, these companies will be subject to increased cybersecurity risk. Today, cyber attackers target SMEs on the assumption that many do not have the budget or resources to protect their IT systems and data. They represent an easy target. It is mainly true; even in cases where SMEs have invested in cybersecurity, the solutions are either not robust enough or covering only a small group of assets, focusing on a technical solution.
The flexible work environments have pushed SMEs to adopt digital solutions and, unwillingly, open them to further security risks. Remote employees working from home or public spaces and using personal devices for business transactions are exposing the company and exposing themselves to cyber-attacks and online scams.
An SME does not have the right resources to provide a corporate laptop for every team member eventually. Thus, here, in particular, the human pillar becomes even more critical. The company will need to create an organizational culture where every member understands the need for suitable cybersecurity measures. Those measures include the use of strong passwords and multi-factor authentication. The Verizon 2017 Data Breach Investigations Report (DBIR) indicates that 81% of data breaches resulted from stolen or weak passwords.
According to a cyber threats report by inc.com  an estimated 50% of SMEs experienced a cyber attack in 2017. More concerning is that 60% of those affected were put out of business in less than six months following the attacks.
Since a single data breach could wipe out a small or medium business, SMEs need to build up their cyber defense and adopt an ‘incident prevention’ instead of an ‘incident response’ mindset. The emerging cyber insurance paradigm offers SMEs opportunities to take an additional step in mitigating cyber risks by transferring some to a third party. Nonetheless, underwriters require fundamental controls in place to ensure the risk.
How vulnerable are SMEs?
Research by the National Cyber Security Alliance concluded that over 70% of cyber attacks targeted SMEs. A study by Symantec  concluded that cyber-attacks were evolving much faster than most businesses could protect themselves. In 2016, there were over 300 million unique malware variants reported, and 70% of tracked websites had security vulnerabilities. It resulted in data breaches where more than a billion identities were compromised.
SMEs underestimate cybersecurity vulnerabilities
Despite these reports’ findings, many SMEs still do not view
cyber attacks as threats. In a study by YouGov  in 2019 almost half of the surveyed medium-size businesses did not believe they were vulnerable to cyber-attacks. Instead, they were more concerned about their employees breaching data guidelines. Many SME owners remain unperturbed by the risk of such attacks on their business. A Ponemon Institute study  in 2018 revealed that only 12% of SME business leaders understood that cyberattacks could affect any company irrespective of its size, leading to a business interruption or data breach. Consequently, it was found that 29% of surveyed SMEs in 2019 budgeted less than $1,000 annually for cybersecurity.
Figure 1: Source: Small Business Trends
When considering threats to their business, a possible cyberattack ranked lower than reputational damage, business disruption, and recession, even though both reputational damage and business disruption could result from a cyber attack. 70% of surveyed companies that had an operating history of more than 10 years didn’t think they were at risk of cyber-attacks, while 20% believed that cybersecurity was not as critical as core business functions like marketing, sales, and recruitment.
Cyber attacks result in costly business consequences
A survey by Bank of America  revealed that about 25% of SMEs
reported at least one data breach between 2018 and 2019, an increase of
17% from the previous two years, and 40% of these SMEs revealed that cyber attacks have cost them at least $50,000 in incident response, which is quite a substantial sum for a small business.
Symantec’s 2018 Internet Security Threat Report, estimated that 58% of malware attacks targeted SMEs. Majority of these malware attacks were perpetrated through phishing emails disguised as invoices, email delivery failures, law enforcement emails, scanned documents and package delivery emails. Some attacks were executed in the form of ransomware, where a hacker gains unauthorized access to a digital asset and encrypts it until a ransom is paid. In many cases, even after the ransom is paid, the malicious hacker continues to maintain control of the asset in a bid to demand for more money.
Download Marsh Ransomware Guide for Free
These attacks could cost SMEs substantial IT downtime, disrupting their modus operandi and negatively affecting their sales and revenue.
According to a Fundera study, cyberattacks caused 40% of SMEs a minimum of eight hours of IT downtime in 2018. A single attack could bring down half of an SME’s IT infrastructure due to their systems’ interconnectivity, leading to devastating consequences.
In many cases the losses from business disruption and the cost of incidence response resulting from a cyberattack are unbearable costs for a smaller company to recover from.
The Better Business Bureau (BBB) estimated that in 2017 only 35% of SMEs would be able to pull through from loss of data after a cyberattack and would still be in operation after three months. A 2012 study by the U.S National Cyber Security Alliance which assessed that 60% of SMEs go out of business following a cyber attack.
Even when a small business can recover from a cyberattack, the company will suffer irreparable damages in the aftermath, which can be detrimental to its future. The 2018 Ponemon Institute’s Cost of Data Study estimated that a data breach’s annual cost could average $4 million, with a single stolen data valued at $148.
A cybercriminal with access to such data poses a significant risk to the business, far beyond mere financial losses. Stolen information from a business can be used to commit identity fraud or other cyber crimes. In the worst case, this could even lead to long-drawn and expensive litigations if the company has not taken the necessary measures to secure its information system and proven its due diligence.
Investing in cybersecurity is very complex and expensive?
A robust cybersecurity strategy require balance between people, process and technology. It requires identification, protection, constant monitoring, detection, and recovery.
Due to the constantly evolving security climate, it remains expensive for an SME to start a resiliency roadmap, however, some tips can help. For many SMEs with few IT staff and limited technical skills, detecting gaps and ensuring a mature approach isn’t easy. As per the previous reports, it takes an estimated 146 days before an average cyber-attack is detected. Cybercriminals have a long lead-time to wreak havoc and cause damage to the business.
The Alternative for SMEs: Pay-as-you-go
The emergence of cloud computing has enabled robust solutions to address today’s SMEs’ cybersecurity needs. Cloud technology has created the avenue for businesses to deploy cybersecurity faster, cheaper, and more efficiently than before. It has enabled the cybersecurity revolutionization, providing enterprise-level security delivered to SMEs seamlessly through affordable monthly or annual subscriptions.
Today, many cloud-based cybersecurity providers are now adopting the “pay-as-you-go” or “pay-as-you-grow” model, which allows SMEs the flexibility to upgrade or downgrade their cybersecurity level as needed without having to incur the high cost of setting up and maintaining their own IT security department. The ease of upgrading cybersecurity services gives room for providers to offer additional security features to encourage businesses to upgrade. SMEs can choose to have access to higher levels of cybersecurity that they would otherwise not be able to access outside of the cloud environment. Depending on the cloud provider, additional security features could include access to pro cybersecurity management environments such as Security Operations Center (SOC), where remote cybersecurity managers can monitor and respond to the company’s overall cybersecurity concerns.
Statistics have proven that keeping sensitive data offsite is more secure and easier to recover in the event of a breach. The RapidScale Cloud Computing Stats on security and recovery estimated that 94% of businesses that switched to a cloud-based platform experienced an improvement in their cybersecurity. During emergencies, 20% of cloud users claimed to have completed incidence recovery in four hours or less, whilst only 9% of non-cloud users could say the same.
While SMEs remain targets for cyber attacks, there is an urgent need for these businesses to adopt measures to protect themselves. Cloud-based technology offers SMEs a cybersecurity solution that is affordable, reliable, up-to-date, which can be scaled to grow with the business’s needs. However, it remains a shared-responsibility model.
This article has been co-authored with Tom Philippe, Junior Cyber Security Consultant.