We have just come off the back of the 2020 National Budget where Finance Minister Tito Mboweni stressed the important role that small, medium and micro-sized enterprises (SMMEs) have when it comes to the economic development of the country.

The majority of these companies are tech enabled companies that are participating in the gig economy. This is welcoming news; however, the number of SMMEs that do not have adequate cyber security is concerning.

Frightening news.

I recently read an article that sang the praises of small businesses and the ease at which they can be started and run. There is also a concerning side to this. The article is based on the experiences of UK companies, but the trends are becoming truly global in nature.

The article pointed out that the reality is that small and medium businesses face a minefield of potential risks and cyberattacks. In fact, the number of attacks increased as much as 21% in regions including the US last year, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report (via CPO Magazine). Equally important, most small and medium businesses are simply not as prepared to deal with the fallout of a cyberattack as larger enterprises are.

A research study commissioned by my company in January of more than 3 000 small business owners in the US and UK revealed that 23% of SMBs use no endpoint security, and 32% rely only on free solutions. This leaves many SMBs at significant risk.

Top priority.

The article added that cybersecurity must become a front-line business priority for small and medium businesses as much of a priority as it is for large enterprises. That goes for all small businesses. Cybersecurity is as important for a plumber as it is for a dentist’s office or professional services company. Not taking the right preventative steps compromises your finances, business plans, employees and customers.

The Forbes article indicated that 57% of small and medium businesses believe they won’t be targeted by online criminals; however, nearly 20% reported an attack in the past year. Research from a 2019 Verizon report (via Security Boulevard) on the risk of data breaches showed that almost half of reported security breaches occurred at SMBs.

A Bigger Threat Than You Think.

The article points out that while some small and medium businesses consider other threats (a robbery or damage to their property), the reality is they now face perhaps their greatest security threats online.

  • It takes longer for small businesses to recover. Enterprises and big businesses spend time preparing for cyberattacks and almost expect them. Small businesses don’t. As a result, it takes them much longer to get their operations running again. Our survey showed that 50% of businesses said it took 24 hours or longer to recover from a cyberattack;
  • Lost Data. Nearly 40% of small and medium businesses (38% US + UK) lost crucial data during a cyberattack, according to our survey. That data includes customers’ names, addresses and emails — and quite possibly their stored credit card numbers. It also includes confidential business plans that took months to create. Your business “brain” is now embedded in your data and should be safeguarded.
  • Expensive Ransoms. Do you have a lot of cash on hand? According to a report from Coveware (via Forbes) average cost to recover from a ransomware attack in 2019 was over $84 000. That's a figure that many small businesses would be unable to contend with.

A sharp decrease.

The decrease in traditional crime in favor of cyber crime that was pointed out in the article above was a trend that has been seen in the Netherlands where law enforcement officials are trying to adapt to this change.

The article points out that between 2012 and 2019, the victimization rate in traditional crime fell from almost 20% to less than 14%. The sharpest decrease was recorded in property crime and in vandalism. The share of property crime victims fell from 13% in 2012 to 9% in 2019. Vandalism victimization fell from 8% to 5% over the same period. Violent crime victimization did not decline at the same pace.

This type of crime is much less prevalent than property crime and vandalism. The victimization rate in violent crime fell from 2.6% (2012) to 2.0% (2019).

Police registered less traditional crime as well.

The article adds that the drop in traditional crime is also evident from police records. Relative to 2017, there were fewer registered cases of theft, violence and vandalism in 2019. This decline in registered crime corresponds to the falling number of victims. The number of reported incidents of stalking and threats (violent crimes) did increase slightly in 2019.

Theft and burglary cases have declined for several years, while domestic burglaries have even more than halved since 2012. Not all types of theft declined: last year, 1,800 more cases of shoplifting were registered than in the previous year. Furthermore, a rise is seen in reported incidents of vandalism and damage for the first time since 2012.

More cybercrime victims.

The article pointed out that, last year, 13% of people aged 15 and over indicated they had been victims of one or more types of cybercrime. This was 12% in 2012 and 11 percent in 2017.

Cybercrime is crime involving digital forms of identity fraud, purchase and selling fraud, hacking and cyber bullying (defamation, stalking, blackmail and threats of violence committed online).

In registered crime rates, cybercrime is included among offences against property. Since 2017, police crime records have shown a rise in hacking incidents (doubled), identity fraud (+17%) and online fraud (+39%).

We need to start teaching young children about cybersecurity.

Adults are traditionally the targets when one reads news about cyber security.

Yet, SMMEs are increasingly being run from home over computers and PCs that children have access to. This means that they also run the risk of being a target. The World Economic Forum pointed out that children need to be warned about the risks that accompany smartphone and computer applications. All too often, that isn’t happening.

The article points out that primary school teachers should include cybersecurity basics in their everyday curricula. At a minimum, every young child should know how to keep their information private, to refrain from responding to strangers and to report anything unusual to an adult. Today, many don’t.

Cyberattacks are nothing new, of course. But what is less understood is the extent to which children increasingly are being targeted. About one in four youth in the US will experience identity theft or fraud before they reach the age of 18, according to a 2019 estimate by the consumer credit reporting company Experian. Fraudsters are targeting their clean credit histories and, increasingly, their virtual wallets.

The article adds that about one in five American young people experience unwanted online exposure to sexually explicit material, while one in nine experience online sexual solicitation, according to a recent study published in the Journal of Adolescent Health.

Minimal knowledge.

The article points out that the main reason hackers and online fraudsters focus on youth is because children have easy access to the internet and smartphone apps and only minimal knowledge of the risks. Nearly half of American children aged between three and four use the internet from their home, according to the National Center of Education Statistics.

Voluntary programmes in the US and elsewhere teach cyber literacy in greater depth than most national standards require. They range from cyber summer camps and national competitions to education modules for teachers to use in the classroom. But many are designed primarily for middle school and high school students. In Israel, for example, the Cyber Education Center’s Magshimim programme teaches high school students computer programming skills and how to mitigate different types of cyberattacks.

The article adds that a handful of voluntary programmes provide online safety resources for elementary school students, beginning in kindergarten. Through its National Integrated Cyber Education Research Center (NICERC), the Department of Homeland Security offers free full-year K-12 STEM and cybersecurity courses to teachers and school districts. The Air Force Association’s national CyberPatriot education programme offers free teaching modules like “security showdown” to teach kindergarteners what information is safe to share with strangers online and publishes children’s books like “Sarah the Cyber Hero.”

Sponge like absorption.

We all know that kids can absorb this information like sponges. In just one day, through its CyberFirst initiative, the UK's National Cyber Security Centre teaches children as young as 11 how to avoid the most common passwords, what information is collected every time they use social media, and how to track down “patient zero” when a cyberattack hits.

The article points out that cyberattacks are no longer just concerns for companies and governments. Over the summer, a series of attacks on school district systems prompted Louisiana governor John Bel Edwards to declare a statewide emergency.

It doesn’t have to be this way. As teachers incorporate more online educational tools into their curricula and parents permit children to play with online apps, they can simultaneously teach students of all ages basic cybersecurity skills and encourage them to become cybersecurity experts themselves. Children can be equipped to protect themselves from cyberthreats automatically, just like they look both ways before crossing the street.

Kids can soak up basic cybersecurity skills as rapidly as they pick up new technologies. We owe it to them to make that possible.

Cybersecurity turning point.

The World Economic Forum has come out and said that this year will be a turning point when it comes to cyber security.

The article points out that new technologies and new users will reshape cyber-risks in 2020. The emergence of 5G networks in 2020 will result in substantially broader access for both devices and people. Greater and more convenient broadband at higher speeds will encourage the development and deployment of everything from connected devices and ubiquitous computing to virtual and augmented reality and artificial intelligence.

Meanwhile, emerging economies will see an increase in users. Those previously excluded from the internet by the high price of equipment and networks will be able to get online with low-cost devices and access plans. This will bring education to remote communities, provide the previously unbanked and underbanked population with access to financial services for the first time, and provide small-plot farmers with access to weather information and crop prices. At the same time, it will bring the same disinformation and manipulation, cybercrime and fraud witnessed in more cyber-advanced countries.

The article adds that with these network developments, more data will be created and collected than ever before, making policy attempts to protect this data more urgent. Data borders will continue to be drawn. Obliging companies will need to be more responsible with the data they collect from and about customers. At the same time, it may have a chilling effect on the capacity for commercial, academic and even government initiatives to collaborate as the sharing of information becomes increasingly difficult.

In this context, the crypto wars will likely reignite and come to a head as tech companies will increasingly find it difficult to resist government calls for back doors to their systems. Depending on where you sit, this will either grant law enforcement much-needed capabilities to investigate crimes or weaken protection for everyone – or both.

The article points out that, in this fundamental reorganization of society and practices, 2020 will also see breakthroughs in quantum computing. Although viable commercial implementation will not emerge this year, these breakthroughs will hasten their creation, forcing technology to devise entirely new ways to encrypt and protect data, which puts legacy data stores at risk.

Business strategy.

The article points out that, considering the importance of these technologies, the adage cyber strategy is business strategy will resonate strongly from 2020 onward. Coming into the new decade, 68% of business leaders believe that the cybersecurity risks confronting their organizations are increasing.

To address this challenge and deal with the risks, leaders should avail themselves of new knowledge, processes and tools to ensure responsible use of data and organizational resilience. From new leadership profiles on boards and in the C-suite, improved risk assessment and risk mitigation options to a new logic of cooperation, leaders can look to partnerships and tools to help them meet their cybersecurity responsibilities.

The article added that risks related to cybersecurity and data governance are now the top concerns of chief audit executives and corporate boards. This new normal will likely reach an inflection point in 2020: either uncertainty around cybersecurity will begin to impact business performance or CEOs and business leaders will develop ways of managing this risk. Those who can achieve growth will view cybersecurity as necessary and (potentially) equal to other fundamental business concerns, such as finance and HR.

Be prepared.

“The Forbes article was a real eye opener. SMMEs are actually a bigger risk when it comes to cybercrime because criminals intentionally target them. The simple fact of the matter is that SMMEs cannot spend as much as major corporations on cybersecurity; cybercriminals know this and intentionally target these companies,” said Bradley Geldenhuys, Co-Founder and CEO of GTconsult.

He added that there are some things that SMMEs can do to increase their cybersecurity:

  • While the problem seems large and multifaceted, there is a simple solution for all SMBs: Embrace cybersecurity before a problem ever occurs. Here are the most commonsense measures for SMBs looking to protect all their digital assets;
  • Back up and protect your files. If a file is important, you need to make sure there is a copy. This includes everything from spreadsheets to human resources files. Back up data to the cloud, and make sure that data is backed up elsewhere. Backing your data up only takes a few minutes and quickly becomes habitual;
  • Establish a cybersecurity plan. We've noted how SMBs don’t think they are at risk and, hence, don’t plan. A cybersecurity plan can be just a couple simple steps: verifying bank transactions with a verbal confirmation and training employees not to open suspicious emails. It's also important that owners of small businesses are up to speed on good cybersecurity practices;
  • Consider moving past in-house security solutions. According to Juniper Research, most SMBs spend less than $500 annually on cybersecurity, and it’s putting them at risk. If you don’t think you can handle the extra work, look for expert help;
  • Change your passwords. Your employees may think changing their passwords is annoying, but it's also essential. Many cyberattacks can take place because the passwords are easy to crack. Passwords should incorporate some combination of numbers, letters (both uppercase and lowercase) and symbols. Employees should update them every 60 to 90 days;
  • Install anti-malware software. This is a basic tool, but it's important to have in order to ward off cyberattacks. Also, know what to do in the event of a malware attack: An infected device should be quarantined immediately before it infects other devices.