Data breaches make the news all the time, but only when they affect major companies like Equifax or Marriott. Focusing on the highest-profile attacks makes sense because they also have the most victims. However, this selective coverage paints a distorted portrait of our current cybersecurity landscape. You will want to know how to upgrade your cyber defenses to protect growth.

We hear about the worst or most newsworthy cyberattacks, but attacks actually happen thousands of times every day. These instances don’t make the news in part because the scale is smaller, but mostly because to report on them all would take an endless amount of coverage. As a result, we often underestimate how much of a problem cybersecurity has become.

We also misunderstand who the true targets are. Research from 2016 shows that 55% of all small businesses experienced a cyberattack. The next year, the figure climbed to 61%. Another report from 2018 showed that more than half of all the companies targeted by malware were small businesses. These attacks rarely make the news, but they affect the victims in profound ways.

Tracking a Cyberattack Through a Small Business

Hackers, like all criminals, are looking for the easiest, lowest-risk targets they can find, which often means small businesses. Companies with limited resources can only afford to invest so much time, money, and energy on cybersecurity; the cyber defenses at a lot of small businesses are fairly basic.

Sophisticated and motivated hackers don’t have much trouble bypassing these defenses, meaning the hacker can attack small businesses almost at will or snare them in massive randomized attacks.

Minimizing the damage is difficult without strong tools already in place, and some small businesses may not even realize when they have infections in their networks.

Scarce resources make responding to the attack a problem, as well. Locating and eliminating the attack takes technical expertise that many small businesses lack. During that time, it may be impossible to serve customers, causing both revenue and reputation to take lasting hits.

Cleaning up after the attack isn’t any easier. Expensive IT may be destroyed, proprietary data could be lost, and large sums might be missing from accounts. Small businesses could face lawsuits, lost customers, regulatory fines, and a host of other expensive penalties.

Total up all these effects and it’s clear why the majority of small businesses shutter their doors after a cyberattack. Instead of treating cybersecurity like an isolated IT issue, it should be seen as an existential threat.

The Extra Risk at Small Tech Companies

Limited cyber defenses represent half the reason hackers target small businesses; the other half is that these businesses make lucrative targets despite their size.

All businesses, regardless of their size or industry, now run on data. It’s their most crucial asset, even more so than the physical storefront or home office. Having data lost or destroyed could be catastrophic, and having it fall into the wrong hands could be just as bad. Because data is so valuable to small business (and all others), it’s valuable to hackers as well.

Any company could potentially be exploited, but some targets are more valuable than others.

Small tech companies, for instance, often collect and manage megatons of data. That data may include customer account information, proprietary algorithms, valuable intellectual property, or insights on other companies — all things with tremendous value, particularly in the wrong hands.

Tech companies are aware of this risk to a certain extent. One survey showed that 58% of executives at small businesses consider a cyberattack to be a major security threat. Broken down by industry, 62% of tech executives ranked this risk highly. That is an improvement, but tech companies need to assume a greater sense of urgency.

Compounding the issue is the fact that, paradoxically, small tech companies may have fewer cyber defenses than companies in other industries. The tech ethos is to work lean and fast, focusing only on maximizing progress toward the most immediate milestones. In that kind of environment, it’s easy to neglect cybersecurity. And when cybersecurity is the focus, it’s often about securing the tech product or the customer’s data rather than securing the company itself.

For all these reasons, tech companies are more likely to be attacked — and more deeply damaged — as a result. Going out of business is a real risk, but even when the situation is not that severe, cyberattacks can create formidable obstacles to growth.

Seeing the Links Between Trust, Security, and Growth

We need to acknowledge that cyberattacks will only get worse in terms of frequency and severity.

Companies across the spectrum are embracing digital initiatives as crucial parts of their growth strategies. But the same technologies that allow companies to seamlessly connect with consumers — AI, machine learning, big data — also represent new targets for hackers to attack and new tools for hackers to use. As the digital landscape grows, the threat landscape inevitably follows suit.

This is alarming for all companies because consumers have grown weary of being victimized over and over again. Most people have had their personal data compromised by now, even if they have not suffered direct consequences as a result. Disgruntled consumers are rightfully tired of having the companies they patronize put them at risk, which is why they will increasingly flock to companies they can trust to keep them secure.

Keeping data consistently safe will prove to be an asset for the companies that do it well. 

For those that don’t, however, any breach of data creates a breach of trust that bleeds away existing customers and scares away potential new ones. Companies that fail to protect data may be able to survive the immediate aftermath, but they face an uphill battle to reignite growth. Instead of a quick death, they face a slow slide into insolvency. Neither option is desirable.

Safeguarding Growth With Cybersecurity

We have already established that smaller companies in tech and other industries have limited means to invest in cybersecurity. That means every investment must be impactful. Focus on these three pillars to effectively and affordably upgrade your cyber defenses:

1. Proactively Plan for Cloud Transferability

Small businesses often have a single-minded focus on maximizing value or driving revenue. Because you already understand what your company’s greatest asset is, take some time to plan security around it. Too often, small companies try to tackle “cybersecurity” in a very general way without focusing on the assets and threats that matter most. Figure out what those are, then hone your efforts there.

Operating in the cloud is a better option for small businesses because it provides a higher level of security at a lower cost. Patches, updates, and maintenance are handled by the cloud provider, ensuring that security risks get addressed immediately. The cloud is also flexible and scalable by nature, helping businesses to adapt to new threats or changing regulations. Trying to engineer these same capabilities on-premises would be cost-prohibitive (if it were even possible at all).

The only risk of the cloud is when companies get locked into a single cloud ecosystem. The pricing structure may change or the service or security quality may decline, yet because of contractual agreements, data can’t be transferred elsewhere. When business moves to the cloud, be sure your assets can be moved between clouds at any point.

2. Lean On Cybersecurity Expertise (Either Internally or Externally)

Cybersecurity is a confusing and complex subject that is always evolving. Companies can keep themselves safe only if they’re constantly on guard, much like an animal in the wild. Realistically, that means having a cybersecurity expert on your side who understands the threat landscape as well as they understand your existing defenses.

Ideally, that person is on staff, but recruiting a full-time cybersecurity expert isn’t easy or cheap. As an alternative, many companies are turning to managed security providers, third parties that manage your cybersecurity for you. These firms are equipped to evaluate your current security, make any necessary improvements, and keep your defenses strong in the face of new and emerging threats. In the best cases, MSPs provide world-class cybersecurity at a fraction of the cost of new hires, making them an obvious choice for cautious small businesses.

3. Align Your Security Budget With Your Threat Level

No company is eager to spend more on cybersecurity, but isn’t the investment worthwhile if it keeps the doors open? All companies need to periodically review how much they budget for security within the context of the current threat landscape. Best practices suggest spending at least a few hundred dollars per year for each employee. That money pays for things like email security, MSP services, and possibly also remediation technologies.

It’s up to the small business’s decision makers to open up the purse strings but to remember that more investment doesn’t automatically translate into stronger security. 

As discussed earlier, the most important and imperiled assets are those that require the most attention. If you decide to spend more, focus it on the front lines of your defense.

One of the many misconceptions about cybersecurity is that attacks are an all-or-nothing proposition — you either survive or you don’t. But surviving isn’t the same as getting back to full strength. And at a small business, particularly a tech startup with big ambitions, even a minor setback can have long-term consequences. Instead of planning to recover, put all your effort into avoiding cyberattacks entirely.

David Wagner

President and Chief Executive Officer of Zix

David Wagner is president and CEO of Zix, a leader in email security. He offers a business perspective that helps company leaders better understand evolving cyberattacks and prepare for threats.