Categorizing businesses into small, medium or large entities varies across regions, typically based on factors such as employee count or annual revenue. For instance, in the United States, small and medium-sized businesses (SMBs) often comprise establishments with fewer than 500 employees, while in Canada, small businesses typically have fewer than 100 employees, with medium-sized businesses ranging between 100 and 499 employees. SMBs collectively constitute a significant portion of the North American economy, contributing substantially to employment and economic growth.
According to 2022 statistics, small businesses accounted for 98.0% of all employer businesses in Canada and employed 10.7 million individuals, representing almost two-thirds (63%) of all employees. Comparatively, medium-sized businesses employed 3.6 million individuals (21% of employees), while large businesses employed 2.7 million individuals (16% of employees) in Canada.1 This underscores the pivotal role SMBs play in driving economic activity and employment across the continent.
Navigating Cybersecurity as a Cost Center
Cybersecurity is commonly viewed as a cost center within businesses, incurring expenses vital for overall organizational functioning and well-being, albeit without directly generating revenue. Clients and prospects often objection to allocating budgets for cybersecurity, frequently perceived as cost centers within IT budgets. While the industry increasingly positions cybersecurity as a “business enabler”, its primary function remains that of a “revenue protector”. Like IT and digital technologies, cybersecurity controls are indispensable for safeguarding the revenue generated by the business, protecting against threat actors aiming to ransom or steal valuable financial assets.
Disproportionate Impact on SMBs
The impact on SMBs is disproportionately significant compared to larger enterprises with ample budgets and resources. Statistics indicating that “60 percent of small companies cease operations within six months of experiencing a data breach or cyber-attack”2 underscore this disparity. We strive to avoid unnecessary Fear, Uncertainty and Doubt (FUD) tactics, instead promoting cybersecurity without relying on fearmongering. However, these statistics reflect a stark reality: most SMBs do not prioritize cybersecurity, facing significant repercussions as a result.
Impacts and Responses
Observations over the past year were that cyber-attacks primarily affected finances, reputation and operations. These outcomes were worsened by the affected teams’ lack of expertise in adequately containing, recovering from and strengthening defenses against future attacks. While such disruptions may not invariably result in business closures, they underscore the need for reassessing risk management approaches, encouraging SMBs to delve into preventative measures and establish early detection and recovery plans to mitigate potential cyber threats.
Emerging Demands and Solutions
Our cybersecurity sales are being propelled by the following factors:
There has been a noticeable increase in requests for compliance and supplier risk assessment in the SMB sector over the past few years. Extensive 30-page security risk questionnaires are often sent to 50-employee organizations managed by a single IT professional. These questionnaires, lacking customization for SMBs and filled with technical jargon, can bewilder IT managers. Many supplier risk teams oversimplify controls, adopting a binary perspective that may not align with companies operating entirely remotely.
Our approach focuses on establishing a foundational level of security rather than merely fulfilling compliance checkboxes, emphasizing our role as trusted advisors.
“Targeting smaller businesses is now a norm with over 56% of claims arising from SMBs under 25 million dollars in revenue. The average insurance claim cost for an SMB is $345,00” as per a cyber insurance study in December 2023.3
To obtain insurance approval, cyber insurance underwriters require a “minimum” level of security controls at SMBs. However, defining this “minimum” standard evolves with the changing threat landscape, leaving SMBs uncertain about eligibility requirements and often resulting in higher premiums.
We help clients manage costs and attain insurability. Implementing basic security controls, such as Multi-Factor Authentication (MFA), is crucial, even against sophisticated threat actors. One of the most exploited vulnerabilities in 2023 originated in 2018—a vulnerability easily mitigated by consistently patching devices upon vendor releases, as highlighted by CISA.4
Ensuring cybersecurity need not be complex or expensive; rather, it should be tailored to the specific needs of SMBs, encompassing technology assets, personnel and emails. Basic cybersecurity practices, often termed as basic hygiene, are paramount and cannot be substituted by sophisticated security products alone. By adopting a proactive approach and leveraging available resources effectively, SMBs can fortify their defenses, safeguard their assets, and thrive in an ever-evolving cyber threat landscape.
Information for this post was provided by Arani Adhikari, Chief Strategy Officer, Armour Cybersecurity
Sources:
