Every penny matters: Why SMBs should prioritise investing in cybersecurity measures

While large organisations usually have a planned SOP when it comes to their digital presence and its security, SMBs tend to de-prioritise this aspect of their business. It is no longer a question of “should they invest in cybersecurity?” but “how much is enough?”

According to the National Cyber Security Alliance, about 60 percent of small and medium businesses (SMBs) that are hacked go out of business within six months. Yet there is a disconnect between the reality SMBs face and what is required of them when it comes to cybersecurity.


In many of my conversations with executives leading SMBs, I’ve realised that they feel investing in cybersecurity is like pouring money into a deep precipice.


Let me draw a parallel to a story I narrated to my daughter a few weeks back. A man's favourite horse once fell into a deep precipice, and he wasn’t able to pull it out, despite trying as hard as he could. Devastated, he decided to bury the horse out of compassion. As he started filling the precipice with soil, the horse simply shook it off and stepped on it. The man kept filling the precipice with soil, the horse kept climbing higher, and finally it escaped onto the green pasture.


In other words, for any company board, cybersecurity seems like a deep precipice into which they are pouring resources. What they seem to ignore (perhaps because of the lack of a consistent metric) is that the resources they’re allocating are what is getting their racehorse (their yet-to-be-breached enterprise) to greener pastures.



Based on an AIG report, SMBs are targets of business email compromise, followed by ransomware attacks — both of which are a direct hit on their business. In fact, according to Reuters, ransomware attacks are causing an increase of 25 percent in premiums on cyber insurance rates for SMBs. 

The rushed and incomplete transition to remote working brought about by the COVID-19 pandemic has further exposed gaping holes in the cyber risk postures of organisations both large and small. However, an SMB’s ability to absorb the effects of a data breach is far lower.

Even before the current public health crisis, SMBs were increasingly the target of cyber-attacks because they lack the resources to implement comprehensive cybersecurity solutions. A Verizon Data Breach Investigations report suggests that about 40 percent of cyber-attacks target SMBs, at an average loss of over $188,000 per attack.


With many SMBs already suffering a loss of income owing to the pandemic, a further setback of approximately $200,000 could be too much to bear. Close to 88 percent of North American businesses state that they have seen an increase in overall cyber-attacks as a result of employees working from home.

One in five SMBs does not use any endpoint security protections, and 46 percent of SMBs with fewer than 1000 employees had five to 16 hours of breach-related downtime in 2019.


In this scenario, SMBs know that they have to ramp up cybersecurity investments and bolster their risk posture before it is too late. However, the biggest roadblock is conveying the reality of cyber threats and risks to the company’s board.

If a company hasn’t been breached yet, why should the board be worried?  


For micro, small, and medium enterprises, “business is revenue.” Anything that doesn’t generate revenue is an expense incurred, which may be postponed. 

To ‘pass’ the cybersecurity test, SMBs often choose merely to adhere to the basic, mandatory policies and compliance requirements. The leadership in these enterprises scrutinises every investment and needs proper justification for any cybersecurity service that is deemed necessary.

The board (and the security team) need an objective and consistent metric to direct their investments and efforts to where they are best utilised. Regardless of how small the organisation is or how compact its IT infrastructure, it should be able to evaluate:


  1. What is their likelihood of breach?
  2. What are the best cybersecurity investments they can make, and what is their RoI?

This is why there is a need for a global standard for measuring the likelihood of an organisation being breached. Quantifying cyber risk converts the intangible threats a business faces into real and actionable items.


If a business knows that its chances of being breached — with its current cybersecurity strategy — are on the higher side, it becomes simpler to turn cybersecurity investments into business decisions.


Subscribing to the relevant cybersecurity services, increasing their cyber insurance, or both would make the most of crunched budgets. With a continuously measured breach likelihood, the conversation around cybersecurity changes from bits and bytes to dollars and cents, with the objectively measured cyber risk posture supplying the missing ‘common language’.

While lapses in digital security will keep grabbing headlines for notorious reasons, it is no surprise that cybersecurity will also continue to hold a prime spot when you allocate your annual budget for the coming financial year.


As Albert Einstein famously said, “Intelligence is not the ability to store information but to know where to find it.” Use the available technology to your business’ benefit, and you will begin to budget intelligently.

Edited by Suman Singh

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)
