After many months of debate, the United States Congress passed legislation forming a cyber-incident response team to assist both the government and private sector in the event of a data breach and is currently slated for the President’s signature. Admittedly, the response team, who will be overseen by the Department of Homeland Security (DHS), is encouraging for businesses across industries that are being plagued by an increasing number of cyberattacks causing both financial and reputational harm. Yet, despite the honourable intentions by the U.S. Congress to combat the rise in cybercrime, a thought comes to mind when reviewing this bill – at a time when cyberattacks are expected to cost businesses $11.5 billion, who receives priority attention from this response team, small businesses or Fortune 1000s? The answer is simple - it’s the Fortune 1000s.
This is ironic when considering that large enterprises can often afford the cybersecurity tools and security analysts necessary for threat prevention and attack response, yet these companies are all but certain to receive the bulk of attention from DHS’ incident response team.
On the other hand, Small and mid-sized businesses, the majority in which often lack the funds, workforce and other resources to combat cyberattacks, are not likely to get the support they need from the government. This is also ironic, and unfortunate especially when in 2018, small businesses were the target of 70 per cent of all ransomware attacks and according to Cisco, 53 per cent of SMBs have experienced a data breach costing as much as $500,000.
The cost of ransomware attacks for smaller businesses
Small businesses have now become the prime target for adversaries looking to make a quick buck. That’s because it’s not only faster and easier to target small businesses, but attackers speculated correctly that successfully breaching multiple SMBs can sometimes equate to the same win as hacking into a large enterprise, but at half the risk, with even less effort and with the same reward.
To the benefit of attackers, small businesses are often forced into following the questionable advice of untrustworthy security vendors and consultants to pay cyber-attackers the ransom in the event of a data breach. Facilitating payment is considered a risky move since attackers may or may not hold up their end of the deal and actually release the data. And now new information is also pointing to the possibility that ransomware payments could be funding terrorism and potentially organised crime, creating an ethical and moral dilemma businesses should consider.
Even if a business refuses to bend to the will of cyber-attackers, ransomware is still, without a doubt, very costly, for small businesses. Even large municipalities that are expected to have the means for cybersecurity protocols struggle against ransomware. For example, it took Baltimore many months and countless headlines to get its city back online after being attacked by the National Security Administration’s EternalBlue in conjunction with other techniques to spread ransomware. It ultimately cost taxpayers an estimated $18 million.
For small businesses, the financial and reputational harm of ransomware goes even further. Reports have shown that the average small business loses over $100,000 per ransomware attack due to lost productivity and the Better Business Bureau estimated the cost to the economy for 2019 to be more than $2 trillion. Unfortunately, many small businesses don’t have $100,000 to lose.
However which way you put it, small businesses need to prepare for not the “if,” but the “when;” but are too often constrained by time, money and resources. And if they shouldn’t expect DHS to help, where can they turn to. The answer – managed service providers (MSPs).
The real incident response teams are the MSPs
The relationship between SMBs and MSPs has generally been beneficial, with services and tools provided to SMBs at a lower cost while MSPs tap into a market that needs every bit of support. And now, more than ever, MSPs represent the first line of defence for small businesses, ultimately acting as a business’ very own incident response team. In fact, MSPs offer something the government’s team doesn’t have access to – visibility into potential cyberattacks. Since MSPs have access to multiple customers throughout different verticals, the service provider is able to identify the first signs of an epidemic, giving them the advantage to proactively warn and protect their uninfected customers. MSPs are intelligence troves, saving time and money that are needed to fight against cybercrimes.
However, these aren’t the only factors into why MSPs are the next incident response team. MSPs also provide the discipline and structure needed to carry out a cyber-hygiene strategy and incident response plan, in addition to developing a trusting relationship. Just like a plumber’s job is to fix the leak with his tools, an MSP’s job is to utilise the tools and vendors they have at their disposal to secure and protect their clients from attacks, ultimately establishing trust. SMBs can therefore focus on their business and let MSPs do their job.
Bottomline, MSPs are in a position to help SMBs face the unprecedented risk of data breaches in ways that the DHS initiative cannot. And SMBs are willing to pay 25 per cent more for an MSP that offers the right security.
Cybersecurity issues continue to plague small businesses and yet despite the DHS’s best intentions, the newly created incident response team won’t provide the necessary defence and response small businesses desperately need. Instead, DHS will focus its efforts on large enterprises even with reports underscoring cyber-attackers' new focus on small businesses. Fortunately, there is hope for SMBs with their own “incident response team”. MSPs are prepared with the time, tools and resources needed to protect SMBs from costly data breaches. In reality, they’re more than DHS’ response team, they are SMBs’ response and preventive team.
Dror Liwer, founder and CISO, Coronet