A lot can change in five years. Think of where we are today—now flash back five years to 2014. What was happening? The Winter Olympics in Sochi, the Ice Bucket Challenge, and we were only on iPhone 6. The world looked a bit differently then, and business concerns and priorities were different too—especially for small-to-medium-sized businesses (SMBs).
According to a Capterra survey of 700 SMBs on their 2019 and 2020 purchasing plans, 48 percent of SMBs noted the cloud as priority #2 of ten, which was a bit further down the list (at #4) 5 years ago. It is crucial now for small businesses to have access to the same power offered to Fortune 500 companies—by way of platforms from Amazon Web Services, Microsoft Azure, and Google Cloud. Mobile business has dropped from #2 to #9, reflecting how the proliferation of the Internet of Things (IoT) has undoubtedly led to a much stronger need for data protection, especially since this was a top challenge just five years ago. 47 percent of SMBs named data and information security as priority #3 for this year. These companies, at a leadership level, understand that today, business growth cannot be achieved before a firmer emphasis is placed on cyber security.
So where does that start? Where did it start? The threat landscape is completely different today and there are a number of realities of this world that did not exist even five years ago. Here is a look at the top five.
The evident state of IT security can be summed up in one word: consumerization. Consumerization around security has heightened not only SMBs’ awareness, but also end user security concerns. This has led to some businesses adopting a basic, disparate approach because they know they need security. All the news and headlines in recent years has spawned this fear of cyber attacks, causing businesses to put up firewalls and install antivirus software because they think that’s enough—when in fact, security should be thought of more strategically.
Security decisions are now largely consumer-driven, and with this heightened awareness comes increased importance—which is why decisions about security are now being made on the board level and C-level.
…security should be thought of more strategically.
Broader Attack Surface
Businesses and consumers alike are hyper aware of the need for cyber security in 2019, and they’re increasingly understanding why it’s needed. Companies of all sizes are being attacked today because there are now more sophisticated attackers, and the attacks are broad-based and less targeted. Five years ago, hacks were thought to be focused and elaborate—but now with new, smarter forms of malware and the seemingly endless IoT to manage, the attack surface has expanded exponentially.
Advanced forms of malware, like ransomware cryptoworms, are major threats to businesses of all sizes because the malware is self-propagating—meaning it is much more difficult to find and can propagate at network speeds. Some malware has even gotten smart enough to evade basic detection tools. Growing techniques deployed by hackers include hiding the threat in encrypted traffic, and cryptojacking—which secretly exploits your computing device to mine cryptocurrency. Threat actors are also using popular cloud services for command and control, making malware very difficult to find with traditional security tools because it looks like normal traffic. These types of attacks are being carried out by teams that have the resources and training equivalent to an entire government at their disposal. Even attacks from private sources have become more sophisticated, like social engineering attacks during elections.
The fact that many IoT devices are unmonitored and patching for these devices is often done poorly further validates cloud as a top priority today. IoT devices create "back doors" to other systems, and IoT endpoints really have no inherent security capabilities. If an organization moved just one n-tier application from a traditional on-premise infrastructure deployment to a cloud-hosted container service, it would reduce its potential attack entry points by dozens and dozens of possibilities. With advanced threats like ransomware in the cloud lurking, companies simply can’t afford that level of vulnerability.
Ian Moore a Managed IT and Cybersecurity Consultant with Ray Morgan Companies explains it this way.
“The current state of cybersecurity leads me to think a lot about the introduction of the motorized car. The motorized car absolutely changed the landscape of travel, allowing individuals to travel faster and further than ever before. It was not long, however until we realize that accidents at such speeds were fatal. SMBs are having an experience much like that…
We have been driving a very very fast car, aka the digital business, but without seatbelts, airbags, working mirrors and other safety features. The high-speed crashes of organizations like Target, Marriott, City of Atlanta and other have reminded us of the importance of security. I believe in the next 5 years SMBs will take drastic steps towards making their digital infrastructure safe. Those that do not are adopting a huge amount of risk. IT services will no longer be focused only on the health of the network, but also on risk mitigation via proactive security monitoring, attack remediation services and end user security training.”
The broader attack surface and SMBs’ risk level today illustrates that need for a ‘protector,’ a leader in tech and security that ensures business continuity and scalability amidst the turbulent climate.
Different End Values
There are now different ways to monetize cybercrime than just stealing data and selling it. Hackers’ main goal today is the destruction of systems and data, which results in stolen computing cycles and halted business. From social media spoofing to malicious fake news, the prevalence of social attacks has increased in recent years. Even in the example of NotPetya, a strain of malware that posed as tax software but was actually something called "wiper malware" with the intent to kill organizations' supply chain systems, it illustrates the wider set of values cybercriminals now have.
The main takeaway here is that hackers have gone pro. Five years ago, security was a secondary concern for organizations; it was more reactive to the onset of incidents. And prior to that, IT professionals didn’t comprehend the facet of opportunities in the cyber security space. Moreover, they didn’t approach security proactively. Couple that with high speed internet devices causing technology to nearly hit its cap, it’s no wonder hackers have had the space to advance their techniques. Five years ago, breaches involved a virus and a disabled computer; now cybercriminals are making money hacking people. It’s a whole different game.
Wider Acceptance of Attacks
Companies now understand that there is a reality associated with cyber attacks. This means that since they anticipate experiencing an attack, they can focus more on how they’ll respond. The issue is, however, that having everything 100 percent managed takes more resources and tech than most companies have, especially small businesses. Yet with the right tools and support, managed IT service providers can help SMBs minimize damage by maintaining a proactive approach to risk.
“SMBs who rely on their MSPs to be forward-thinking need to know that they’re protected against today’s cyber threats. This requires such rapidly evolving expertise that some MSPs can’t keep up with the evolution. It’s critical that your clients do not miss out on the benefits of advanced security and that you’re fully meeting expectations,” says David Eichkorn, Managed IT Services Manager at GFConsulting Group. “It takes proactive technology management and access to expert, scalable resources to incorporate new security tools and mitigate current and future cyber threats.”
Lack of Security Experts
While the skills gap still existed five years ago, the security skills gap is a new and problematic development. The demand for advanced security has grown so quickly, making the workload heavier and more difficult—thus the need for greater security expertise. Too much time is being spent on crisis remediation rather than training—and for security to be at the forefront of business plans today, ongoing training and adaptability is required. With the right resources to combat the morphing problem, businesses will be able to stop being reactive and remain one step ahead of threats.
In an effort to continuously evolve with the shifting landscape, it’s in small business’ best interest to work with a managed IT provider like Ray Morgan Company. Ray Morgan Company is prepared for the new and emerging realities of cyber security and business as we know it. We help SMB clients apply more prescribed layers of security to their strategy.
The threat landscape looks different than it did five years ago, yet businesses must shift with it if they are to avoid falling victim—and keep their doors open. Those working to remain in business five years from now and beyond will continue to learn and evolve, and these five areas are important focal points for security-driven businesses.