How small businesses can see past the misinformation of enterprise security companies
Cyberattacks against small businesses are on the rise, and many are falling victim to data theft, phishing, malware and ransomware attacks at an alarming rate.
According to a special report by Cisco, 53 percent of SMBs have experienced a data breach, with more than half of those attacks resulting in more than $500,000 worth of damages – more than enough to put many SMBs out of business within a year. Additionally, only 33 percent of small businesses believe that they could remain profitable for more than three months if they permanently lost access to their essential data.
The primary constraints to cybersecurity adoption among small businesses, as we’ve written about before, are time, money and resources. But as threats and attacks continue to garner more mainstream awareness, many in the SMB community are recognizing the need to invest in cybersecurity. The problem for them now is just where to begin.
Because comprehensive cybersecurity can be expensive and complex, small businesses are often left to rely on firewalls, antivirus, and other point solutions that don’t offer the seamless, all-in-one protection, detection and response that they actually need. In other situations, a lack of cybersecurity education puts business leaders in the precarious position of having to choose among multiple vendors that all claim to offer small-business-specific solutions, without truly knowing which company, if any, actually offers a solution for small business.
The unfortunate reality is that many cybersecurity companies don’t actually have products or services built to address the needs of small and mid-sized businesses, yet they market their companies as if this were not the case. Business ethics be damned.
Enterprise security solutions create a false sense of security for small business
There’s no beating around the bush: many small and mid-sized businesses are lulled into a false sense of security by enterprise security vendors, as many companies position their solutions as more comprehensive than they actually are. What a vendor might claim as complete protection commonly covers no more than a single narrow niche of security, such as anti-malware protection or phishing detection. While these solutions are critical components of any defense-in-depth strategy, they often don’t cover the full security spectrum, nor do they address the most urgent vulnerabilities and needs of SMBs.
Additionally, enterprise security vendors are often quick to make claims of ease-of-use and affordability. The reality, however, is that many such solutions are expensive and require integration of multiple software products. Others may even call for new hardware and a dedicated expert team to operate them. These complexities and additional resource requirements only increase the costs. And that’s a big problem considering the results of a recent survey by BAE Systems Applied Intelligence, which found that half of IT professionals say budget is a bottleneck to developing and implementing comprehensive security plans.
The hard truth is that most vendors that claim to service small businesses actually design their solutions to meet the lucrative needs of large multinational corporations, and then haphazardly try to scale down that technology for small businesses as a means of supplementing revenue.
What can small businesses do to evaluate cybersecurity vendors?
Small businesses must challenge cybersecurity vendors to learn if their solutions offer the right mix of processes, people and technology to deter attacks. If the vendor does not explicitly say they support SMBs, don’t even bother. You are not on their radar, and as such, the product was never designed or optimized to work for a company of your size.
Below are the questions that SMBs need to ask when evaluating vendors:
- What is the true Total Cost of Ownership (TCO)? Using a TCO approach can help identify the full cost of a vendor’s solution and flag vulnerabilities or shortcomings in the process. While the TCO for cloud-based solutions is typically lower than that of traditional systems, there can be several hidden costs. One consideration is how many full-time employees (FTEs) will be required to operate the platform effectively. While some automated solutions can run with little input after setup, others may require burdensome training, interaction and oversight.
- How many FTEs will I need to operate the solution effectively? The SANS Institute surveyed SMBs with a median employee count of 80 and found that half had only one dedicated cybersecurity employee, fewer than what they consider to be “ideal.” In reality, security for small business should not require any full-time resources. Instead, the technology, once implemented, should support a ‘set it and forget it’ methodology.
- Against which threats am I going to be protected? Small businesses must clearly identify what types of protection the solution provides, and whether or not it offers automatic responses. Will it protect the organization from phishing, malware, ransomware, commjacking, data leakage, and other attacks? If the product is a point solution that does not cover most threats, skip it. You don’t have the time, staff, and money to create a complex web of security products.
- What kind of training will my team need? Small businesses don’t have time to spend training their staff on a regular basis or on technology that is foreign to their work responsibilities. So, if the vendor publishes elaborate training programs that you need to send your people to, the product is probably way too complex for your business.
Security-as-a-Service for SMBs
Coronet’s all-in-one data breach protection service provides small and mid-sized businesses with a simple, affordable and instant-on solution offering real-time protection against cyber risks. With Coronet, small and mid-size businesses can accomplish the following:
- 24/7 monitoring of their business for cyber security threats
- Automatically block suspicious and abnormal user behavior
- Identify and prevent sensitive data leakage (such as PII, PHI and PCI)
- Prevent malware and ransomware spread in cloud applications and email
- Ensure that employee and company devices are secured, and connect to safe networks