
Cyber Threat Landscape for SMBs

Updated: Feb 13

The definition of a business as small, medium, or large may differ across regions, but a common approach is to categorize businesses by the number of employees or by annual revenue. For example, a business with fewer than 500 employees in the United States is often considered an SMB. In Canada, a common definition for small businesses is those with fewer than 100 employees, while medium-sized businesses typically have between 100 and 499 employees. Small businesses are major contributors to the North American economy. In 2022, small businesses accounted for 98.0% of all employer businesses in Canada and employed 10.7 million individuals, which is almost two-thirds (63.0%) of all employees. By comparison, medium-sized businesses employed 3.6 million individuals (21.0% of employees) while large businesses employed 2.7 million individuals (16.0% of employees) in Canada 1. In the US, the numbers are similar. As such, smaller businesses play an important role in employing Canadians and are a significant driver in shaping the economy.

Cybersecurity is typically considered a cost center rather than a profit center. Cost centers are areas within a business that do not directly generate revenue but incur costs necessary for the organization's overall functioning and well-being. We engage in daily discussions with our clients and prospects, addressing objections to allocating budget for cybersecurity, which is often perceived as just another cost center within the IT budget. While the industry increasingly touts cybersecurity as a "business enabler," the reality is that cybersecurity primarily functions as a "revenue protector." We aim to convey to our clients that, just as IT and digital technologies enhance business efficiency despite being cost centers, cybersecurity controls are indispensable for "safeguarding the revenue generated from the business." This ensures protection against threat actors seeking to ransom or steal valuable financial assets.

While the threat landscape has remained relatively stable in recent years, our experience underscores that the impact on SMBs is disproportionately more significant compared to enterprises with ample budgets and resources to counter these threats. Statistics indicate that "60 percent of small companies cease operations within six months of experiencing a data breach or cyber attack." 2 We aim to avoid unnecessary Fear, Uncertainty, and Doubt (FUD) tactics, and we firmly believe in promoting cybersecurity without relying on fear. However, the stark reality is reflected in these numbers. Most small and medium businesses do not prioritize cybersecurity and subsequently face significant repercussions. This does not need to be the industry norm, nor does prioritizing cybersecurity need to be complex. Your active engagement, demonstrated by reading this article, signifies your concern and commitment to cybersecurity.

In our investigation of cyber attacks last year, we observed various impacts, predominantly financial, reputational, and operational. These consequences were exacerbated by the fact that the affected teams lacked the knowledge to effectively contain, recover, and fortify themselves against future attacks. It's understandable, as most small and medium businesses may not employ a trained security engineer due to cost considerations. While these disruptions may not always lead to business closures, they create overhead that prompts a reconsideration of their risk management strategy. In simpler terms for the SMB market, this involves exploring preventive measures and, in the worst case, establishing early detection and recovery strategies against potential cyber attacks. 

Apart from demand driven by cyber attacks (or by news of attacks on peer organizations in the same industry), we are also seeing the following areas of demand driving our cybersecurity sales:

Compliance And Supplier Risk Assessment: In the SMB sector, we've witnessed a notable surge in such requests over the past few years. Picture receiving a comprehensive 30-page security risk questionnaire for a 50-employee organization managed by a single IT professional. Complicating matters, many of these questionnaires lack customization for SMBs and are laden with technical jargon, leaving IT managers perplexed. Our experience indicates that supplier risk teams often oversimplify controls, adopting a binary perspective—either you have a firewall, or you don't. However, this perspective may not align with companies operating entirely remotely, with all assets stored in the cloud, eliminating the need for a traditional data center firewall. 

Furthermore, the tendency of enterprises to compel small businesses into costly compliance exercises often results in more administrative burden than actual security enhancement. While we routinely assist clients in preparing for compliance audits such as SOC2, we make a point to educate them on the distinction between compliance and security—a topic widely debated in the industry (reserved for discussion on another occasion). Our approach is centered on establishing a foundational level of security that genuinely protects the infrastructure, not merely one that fulfills a compliance checkbox requirement. We take pride in being trusted advisors rather than mere "certified checkbox tickers."

Cyber Insurance: "Targeting smaller businesses is now a norm, with over 56% of claims arising from SMBs under 25 million dollars in revenue. The average insurance claim cost for an SMB is $345,000." as per a cyber insurance study in December 2023 3.

Much like life, medical, car, or house insurance, cyber insurance underwriters require a "minimum" level of security controls in place at SMBs before approving policies. We've previously covered cyber insurance in a separate post. The definition of this "minimum" standard constantly evolves with the changing threat landscape, leaving SMBs uncertain about the necessary requirements for insurance eligibility. Consequently, many SMBs find themselves paying higher premiums due to the absence of adequate security controls. To address this, we collaborate with various insurance brokers to assist clients in managing costs and attaining insurability. Surprisingly, implementing basic security controls does not necessarily involve "advanced/AI-enabled" tools. Even straightforward measures like Multi-Factor Authentication (MFA) play a crucial role in this journey. Notably, even highly sophisticated threat actors from countries like Russia and China exploit vulnerabilities dating back several years. As highlighted by CISA, one of the most exploited vulnerabilities in 2023 originated in 2018—a vulnerability easily mitigated by consistently patching devices as soon as vendors release updates 4.

Ensuring cybersecurity doesn't have to be a complex or expensive endeavor. It should be tailored to the specific needs of your business assets, including technology assets, personnel, and emails. The fundamental practices of cybersecurity, often referred to as basic hygiene, hold immense significance and cannot be substituted by even the most sophisticated security products.  
