Takeaways and Tips for Your SMB Clients
USTelecom recently examined the cybersecurity risks, readiness, and realities of SMBs that own, operate or support US critical infrastructure, including energy, financial, water, and communications networks. The survey, USTelecom’s 2021 Cybersecurity Survey: Critical Infrastructure Small and Medium-Sized Businesses (SMBs), found that these enterprises are especially vulnerable to cyberbreaches, which can take longer to detect and recover from and pose a real and present threat to national security.
The US’s critical infrastructure, and thus its national security, depends on the cybersecurity defensive posture of individual, yet highly interconnected, organizations. Because an SMB cybersecurity failure can impact the broader digital ecosystem, leading to financial and reputational loss and service disruption, understanding the organizational behavior of companies of various sizes is imperative.
Specifically, the survey analyzed critical infrastructure SMBs whose cybersecurity programs struggle to deliver strong security protocols at comparable levels to better-resourced and larger sector enterprises. This leaves these companies especially vulnerable to cyberattacks.
Key findings in the USTelecom survey are shown in Figure 1, and include:
- 75% of critical infrastructure SMBs experienced a breach at least once.
- On average, it took companies 5 months to fully recover from a breach.
- 59% of SMBs reported breaches that stopped daily productivity.
- Companies spent $170,000 on average to resolve a cyber breach; 46% of SMBs reported lost customers.
The survey found heightened vulnerabilities for SMBs across social media, electronically held customer information, online bank accounts, VPNs, social engineering, and industrial control systems.
The Need for Improving Awareness, Defense, and Risk Management
Key findings of the survey suggest that breaches, and their impact, demonstrate the need for improving awareness, defense, and risk management.
- After a breach, Critical Infrastructure SMBs tend to provide staff with extra training, implement new policies and procedures, change configurations, and communicate breaches to customers, thereby building trust.
- A Critical Infrastructure SMB’s use of risk assessments and cybersecurity best practices, policies, and procedures typically results in the increased use of outsourced cybersecurity providers, preparedness, confidence and consumer trust, and the use of government guidance.
- A Critical Infrastructure SMB’s use of cybersecurity best practices tends to be more robust as annual revenue increases and leads to increased levels of transparency and trust with customers, cyber prioritization at the board, executive, and director/manager level, use of cyber insurance, communications to customers about breaches, and confidence in an organization’s defense capabilities.
- Critical Infrastructure SMBs with $11-20M in annual revenue experienced the most diverse array of attack types and were the most willing to act post-breach.
While improvements made after an attack are important, the survey findings demonstrate the need for proactive cyber risk assessments calibrated to each enterprise so it can best protect against its specific cyber risks. (See Figure 2 and Figure 3.)
The report also outlines a series of 10 recommendations for SMBs to protect their small businesses from cyber breaches:
- Conduct Cybersecurity Training: Regularly train and test staff on best practices and controls.
- Review Policies and Procedures: Annually revisit and update to identify roles, responsibilities, and organizational accountability.
- Update System Configurations: Follow vendor and expert recommendations, including structured protocols to patch vulnerabilities.
- Direct Annual Risk Assessments: Risk assessments put cyber risks in economic terms so mitigation techniques can be calibrated and reviewed by executive management.
- Perform Post-Breach Assessments: Post-breach findings offer valuable insights and should be communicated to management and departments.
- Evaluate In-House Capabilities: Annually assess — and consider retaining outsourced, managed service providers — to augment existing cybersecurity staff as needed.
- Obtain Cyber Insurance: Annually review policies to ensure appropriate coverage and alignment with your risk tolerance.
- Identify Information Sharing Opportunities: Participate in formal and informal information sharing opportunities that support your specific needs.
- Establish Regular Briefings: Coordinate briefings for appropriate levels of management, and implement a process to ensure feedback.
- Dedicate Budget: Commit at least 10%-15% of IT budget to cybersecurity based on business needs and risk tolerance.
These practices will likely require organizations to make additional investments in cybersecurity in the context of their overall business plan.
Don’t be fooled. The companies we surveyed may be small or have fewer employees than their counterparts — but they play a big role in operating and safeguarding our country’s critical infrastructure, including energy, financial, water, and communications assets. There is nothing small about the importance of bolstering their cybersecurity posture to improve our collective security.
This article is adapted from the report USTelecom’s 2021 Cybersecurity Survey: Critical Infrastructure Small and Medium-Sized Businesses (SMBs). USTelecom — The Broadband Association, an association of connectivity providers and technology innovators, conducted this survey of small and medium-sized businesses operating critical infrastructure in the US. For more information about the report, and to download it, visit https://www.ustelecom.org/research/2021-cybersecurity-survey-critical-infrastructure-small-and-medium-sized-businesses/.