Cybersecurity is a concern for small and large enterprises alike. Source: Shutterstock

Cyberattacks: Are small businesses as vulnerable as large enterprises?

SMALL BUSINESS owners are often under the illusion that they’re not as vulnerable as large enterprises when it comes to cyberattacks. As a result, the measures they take to secure themselves are often more relaxed.

However, as we move into the digital age and try to capture the value offered by Southeast Asia’s burgeoning digital economy (which Google, Bain, and Temasek Holdings believe has passed the US$100 billion mark and is set to hit US$300 billion by 2025), cybersecurity needs to be taken more seriously.

A new study by the Ponemon Institute on how the size of an organization affects vulnerability management found that “small or large, all organizations faced similar types of a data breach”.

In most cases, respondents said that the root cause, whether human error, criminal external attack, or system glitch, was not significantly affected by the size of the organization.

Threats from malicious insiders, however, were the only root cause of cyberattacks that seemed to vary between large and small organizations: 24 percent of large organizations seemed to be impacted by malicious insiders, while that number totaled 31 percent for small organizations.

Further, the report asked whether respondents could attribute a data breach directly to their inability to apply a security patch in time to prevent the breach, and found that small and large organizations both seemed to struggle with patching vulnerabilities quickly.

Although larger organizations seemed more aware of the issue with patching, the Ponemon Institute found that the awareness did not translate into action for large organizations.

“Fifty percent of respondents in large organizations were aware of their vulnerability to a data breach. Only 30 percent of respondents in small organizations were aware that their organization was vulnerable.”

Finally, the study attempted to understand the factors that caused organizations to fail to apply patches in time and found that both small and large organizations said they lacked the resources to keep up with the volume of patches.

Other factors that caused organizations to fail to patch vulnerabilities in time, especially for smaller organizations, include the lack of a common view of applications and assets across security and IT teams, the inability to take critical applications and systems offline to apply patches quickly, and difficulty in prioritizing what needs to be patched first.

The study — like many others — reinforces the point that small businesses are just as vulnerable to data breaches as larger enterprises are and hence, must take steps to protect themselves more actively.