Digital transformation projects, such as adopting new technology (IoT or SaaS), increase the security risk to your business: every new system is another opportunity for attackers to exploit. To protect your business, you must enforce strong security and risk management measures for your digital transformation projects.
In June 2020, GetApp surveyed over 500 small and midsize business (SMB) owners and C-level executives to understand their digital transformation and IT security priorities in the current business environment. We specifically looked at the business model changes SMBs made in response to COVID-19 during the reference period—i.e., the three months (April-June) before our survey.
Business model innovations (e.g., moving to online sales and delivery), remote work practices, and cybersecurity posture were some of the key focus areas for our survey. Here’s a quick glimpse of the results.
92% of SMBs changed their business models in response to COVID-19, and a majority (58%) of them started new online delivery channels.
95% of SMBs that changed their business models needed new software to support these changes.
44% of SMBs that started online delivery channels faced cyberattacks, mostly malware attacks.
30% of SMBs that offered customers a virtual service and 25% that had an eCommerce website experienced ransomware attacks.
41% of small businesses faced a cyberattack, while 60% of midsize businesses reported the same.
Malware infection (51%) and ransomware (51%) were the most common attacks on midsize businesses, and for small businesses, it was data breaches (47%).
We’ve used the findings of our survey, along with other data sources, to highlight which cybersecurity challenges SMBs are most concerned about, which IT security technologies and practices they are building into their digital transformation efforts, and what you can learn from them to improve the security posture of your business.
Digital transformation refers to the use of digital technologies, such as cloud, mobility, social media, virtual reality, or analytics, to radically change business processes, products and services, or the customer experience.
Businesses embrace digital transformation to keep pace with technology advancements, customer expectations, and regulatory changes, among other factors. However, C-suite executives and IT departments often disagree on key business objectives when implementing digital transformation projects.
For instance, IT teams advocate strict security measures, such as data access control, that can restrict the free flow of information and hinder an open business model. However, C-suite executives—though aware of the need for strong security—are more in favor of a collaborative business model and usually don’t support implementing security measures that can disrupt the free flow of information.
Businesses are often more focused on immediate productivity or financial gains from digital transformation initiatives. In this quest, they push cybersecurity concerns to the background, forgetting that even a single cyberattack can bring down the curtain on their operations.
Implementing remote work policies is one of the biggest transformations businesses have undertaken in recent months. Thousands of employees in the U.S. are currently working from home, relying on private Wi-Fi or home networks that aren’t as secure as enterprise networks.
That said, our survey found that security is not one of the main concerns for a large number of SMBs that have employees working remotely. 59% of SMBs are more concerned about either reduced productivity or limited collaboration, while only 31% are worried about security threats.
Security is also overlooked when investing in new software or technology. According to our survey findings, 12% of small business software buyers don’t ask any questions about security alerts, access control, data policies, encryption, or compliance during vendor discussions.
This can be a cause of worry, given a whopping 92% of C-suite executives think the customer data stored in cloud environments (SaaS applications) is vulnerable to cyberattacks. Cloud-based applications are more susceptible to attacks owing to multitenancy—i.e., multiple customers sharing the same cloud data center infrastructure.
A large number of small businesses also tend to ignore regulatory aspects, such as GDPR compliance, when selecting software. Only 19% of small business software buyers ask vendors questions about regulatory compliance. Ignoring regulatory obligations can hinder digital transformation initiatives and even lead to heavy penalties from regulatory bodies.
Businesses have faced massive disruptions in the past few months due to COVID-19. Our survey revealed that 74% of SMBs have started online delivery channels and/or virtual services, and 92% have implemented remote work practices.
As firms had very little time to make these business model pivots—most of which involved the adoption of digital tools—chances are cybersecurity was overlooked. During the survey’s reference period, 45% of SMBs reported being victims of at least one type of cyberattack, while 25% faced more than one type of cyberattack.
Data breaches, ransomware attacks, and malware infection were the most common cyberattack types reported by SMBs. 36% of SMBs also experienced phishing and/or business email compromise (BEC) attacks, which use fraudulent emails to trick employees into clicking on malicious links or sharing confidential information.
The financial, reputational, and legal damages of cyberattacks are heavy, especially for small businesses due to limited resources. SMBs, on average, lost $200,000 to cyberattacks in 2019. Such attacks hurt customer trust and brand reputation, not to mention the many lawsuits businesses have to deal with owing to the compromise of confidential client information.
Our survey found that of the different types of attacks, SMBs are most concerned about malware (89%). This could be because malware attacks are common and often disguised as email attachments, application updates, software downloads, etc.
Compared with small businesses, a higher percentage of midsize businesses are “very” concerned about malware (54% vs. 42%) and BEC attacks (47% vs. 34%). This is likely because midsize businesses have larger revenues, scale of operations, and customer base than small businesses, but their IT security measures haven’t grown proportionately, making them juicier targets for hackers.
Managing security during digital transformation projects requires collaboration between your C-suite and IT security team. C-suite executives, as well as other teams, should realize that it’s crucial to include cybersecurity controls in the business model changes being implemented. If cybersecurity isn’t considered from the very beginning, you’ll be forced to retrofit security into systems after the fact, which leaves gaps and vulnerabilities in the IT architecture.
Companies need to make sure that their cybersecurity programs keep pace with their digital transformation effort. Cybersecurity should not be an afterthought. It needs to be integrated into the fabric of an organization’s growth strategy.
—Lou Celi, CEO of ESI ThoughtLab
Chief information officers (CIOs) and IT security teams must shed their traditional outlook on IT management practices and take on a more agile approach. They must evolve from their legacy role of providing project clearances to becoming partners supporting the digital transformation process by providing inputs on how to keep business networks, devices, applications, and sensitive data safe.
CIOs must ensure that their cybersecurity programs become digital business enablers, rather than obstacles to innovation. The conventional objectives of the cybersecurity program (confidentiality, integrity and availability) must be expanded to include privacy, safety and reliability.
—Tom Scholtz, Research Vice President, Gartner
When Ping An Technology, a technology delivery and operations company, supported parent firm Ping An Group, a financial services company, in digitizing its traditional banking process, it had three key objectives:
Dominate a market early: Identify the right business model that’ll help rapidly acquire and multiply the customer base.
Build a long-term cybersecurity plan: Understand that digitization inevitably leads to bigger cyberthreats, and invest in and innovate how to continuously protect the business.
Have a technology-focused mindset: Believe in the digital strategy and business model that the organization is building.
Ping An Technology’s digital transformation strategy helped Ping An Group launch multiple new digital services and add more customers while simultaneously keeping a strong focus on security initiatives. Ping An Technology provides a good example of how digitization and security must go hand in hand without obstructing key business goals.
Source: Gartner’s 2019 CIO Agenda: Securing a New Foundation for Digital Business report (full report available to paid clients only)
Untrained staff members are one of the biggest threats to business security. Accidental employee errors cause up to 95% of cybersecurity breaches. Invest in your employees to make them advocates of security. Train them on safe internet browsing practices and how to identify phishing emails. Classify business data based on confidentiality, and educate employees in handling sensitive files. Vigilant employees can even help identify security loopholes in the IT infrastructure.
Our survey respondents mentioned that they’ve issued several guidelines to ensure safe remote work practices among employees. Avoiding the use of public Wi-Fi networks and changing passwords regularly are the basic security guidelines issued by most businesses.
Despite the multitude of security threats involved with working remotely, 3% of SMBs didn’t issue any remote work security guidelines—ignoring an important aspect of employee cybersecurity awareness training—while 31% of SMBs issued only one out of the many guidelines mentioned above.
Not establishing relevant security protocols can result in your employees being ignorant of or careless about the importance of remote work security. Thus, you should continually provide guidelines and training updates around the various aspects of secure remote working practices.
You can’t guarantee IT security by investing in only one type of security technology, such as antivirus or virtual private network (VPN). You’ll require a stack of cybersecurity solutions that can regularly monitor applications, data, devices, and networks. Our survey found that SMBs seem to be realizing this need.
89% of SMBs we surveyed invested in at least one type of security software during the reference period, whereas 63% invested in more than one type of security software.
We also found that IT security software adoption was higher among businesses that had recently started online services. All SMBs that added virtual services or started online delivery channels implemented at least one new security tool, while 70% of them added more than one type of security software during the reference period. Firewall, VPN, password manager, antivirus, and data backup solutions were some of the most commonly adopted security software.
Most midsize businesses adopted password management (48%) and endpoint protection (41%) tools. Small businesses, on the other hand, invested in firewalls (38%) and VPN (34%) tools. Compared with small businesses, a higher number of midsize businesses implemented multiple security tools. Also, 12% of small businesses and 5% of midsize businesses didn’t add any new security software.
Besides traditional security tools, here are some emerging technologies that can help your business fight cybersecurity breaches.
| Technology | How it helps improve cybersecurity |
| --- | --- |
| Artificial intelligence (AI) and machine learning (ML) | AI and ML techniques are used in spam filters, malware analysis, user authentication, and incident forecasting to improve the accuracy of threat detection. |
| Security analytics | Security analytics is a proactive method of fighting cyberthreats. It analyzes network data to provide real-time risk assessment and predict the likelihood of an attack. |
| Security information and event management (SIEM) | SIEM software aggregates and analyzes data from multiple sources across your IT infrastructure to provide real-time analysis of security alerts. |
| Endpoint detection and response (EDR) | EDR technologies continuously monitor network endpoints and help determine how to respond to and mitigate cyberthreats. |
| Mobile application security | Mobile application security provides measures and means of defending mobile apps from digital fraud, data breaches, malware, hacking, etc. |
| Blockchain | Blockchain technology offers a secure database that helps ensure data security and privacy. |
Your cybersecurity strategy must feature a fine mix of employee awareness and security technology investments. Adding security software without training your employees on safe work practices or without assessing system vulnerabilities will still result in glaring gaps in the security architecture that hackers can exploit.
Likewise, if you adopt a security solution without a clear cybersecurity strategy, you won’t get the desired results. The fact that 45% of SMBs became victims of cybersecurity breaches during the reference period despite nearly 90% of them implementing new security technology is an indicator that you’ll need much more than simply an antivirus, a firewall, or a password manager solution to keep your business safe.
Think about cybersecurity as the safety measures you’d put in place at the different entry points to your house. The safety mechanism for the door (security alarm or video surveillance) will be different from what you have for the garage (smart locks or motion sensors).
Your business, similarly, needs different types of security systems for different elements: data, applications, endpoints, networks, perimeters, and humans. Use vulnerability assessment and risk management tools to understand your security posture and build a cybersecurity roadmap that can help plug current IT gaps as well as lay the foundation for your future digital transformation plans.
Check out GetApp’s IT security directory to identify the different types of IT security solutions that can help make your business’s digital transformation resilient to the evolving cyberthreat landscape.
As digital initiatives increase, the risks to your business operations increase proportionally, due to continuous changes in the business and technology ecosystems. Having resilience built into your business model is necessary if you want to be prepared for digital disruptions.
Strong risk management strategies and capabilities form a key component of cybersecurity resilience. Here are some ways in which you can incorporate resilience into your digital business model.
Have a clear, strategic cybersecurity vision: Gartner’s Develop a Pragmatic Vision and Strategy for Digital Business Security report (full report available to paid clients only) suggests that the only effective way to deal with digital business security risk is to have a clear vision for a new digital security strategy. The new strategy must align with your business drivers (e.g., market growth strategies) and digital technology drivers (e.g., cloud service adoption).
Build a risk-based security program: Design a strong cybersecurity program based on security goals, business processes, and external factors. The security program must take a balanced approach by including all aspects of risk mitigation—prevention, detection, response, and prediction. It must not rely solely on technology but also involve employees in information security efforts.
Revisit and revise your enterprise security programs: Regularly assess and revise your security program to match the changing threat landscape. Security assessments help evaluate existing capabilities as well as identify gaps. Provision enough IT security budget to continually improve your systems. Also, hire qualified security staff, or partner with a managed security service provider (MSSP).
Devise business continuity and crisis management plans: Business continuity and cybersecurity crisis management plans are essential for every business, more so for businesses undertaking digital initiatives. Develop business continuity and crisis management plans, do mock runs, and revisit these plans annually to keep them up to date with changes within as well as outside of your business.
A cyber-resilient business model will go a long way in supporting your digital transformation journey. A strong cybersecurity foundation and mature security programs will ensure you can safely proceed with your digital transformation project without worrying about data breaches. Visit our IT security software catalog to check out security tools rated the best by real buyers.
The Business Model Survey referenced in this article was conducted by GetApp between 18-23 June 2020 among 577 respondents who reported executive leadership roles at small businesses with 500 or fewer employees. Of the total respondents, 465 were small businesses with fewer than 250 employees and 112 were midsize businesses with more than 250 employees.
This document, while intended to inform our clients about the impact of technology on business, is in no way intended to provide legal advice or to endorse a specific course of action.