Recently, new reports that mention cyber security for SMBs (small and midsized businesses) have been released by Gartner, Verizon, Thales, Accenture, and others for the current year (2019). They include a plethora of knowledge directly relevant to small and midsized businesses. One statement from the Gartner report caught our attention: “Through 2022, 80% of organizations (up from 30% in 2018) will undergo some change in their security organization structure as a direct result of digitalization (Gartner, 2019).” Let that sink in for a moment and you will realize that your organization is already performing some form of digitalization or, if not, will be doing so sooner than imagined.
The time to do your research is now. SMBs have options for protection, but a vCISO (virtual Chief Information Security Officer) Program is the safest option for organizations new to this concept. It has many benefits: independence from current organizational politics, lower cost than staffing an IT team, expert guidance, and a stable option for role continuity.
We all know that the “perfect” security program doesn’t exist, because every organization has different requirements that make a certain model appealing to it. Not to mention, there is currently a shortage of employees capable of successfully filling a security role of this magnitude, and if they are capable, it’s hard to keep them around (other companies will offer them jobs). More and more organizations are opting for a vCISO strategy that is flexible enough to meet their budget and strong enough to cover their security needs.
Why Are SMBs More Vulnerable Than Before?
Most SMBs assume that they are unlikely to be targeted by an attack, but the statistics and trends show otherwise. According to the Verizon DBIR, 761 data security breaches were analyzed, and 556/761 attacks were on SMBs with fewer than 1,000 employees. Additionally, 436 incidents targeted companies with 11 to 100 employees. One half of the breaches examined in the DBIR utilized some form of hacking, and the other half incorporated malware (2019). SMBs are now the newly established prime target for attack instead of defense contractors and large enterprises.
The reason for this is the sheer lack of defense many SMBs have implemented in their network structure. The best rule of thumb is to do what other companies like yours are doing, if not more, or else you will become the weakest link. An article from TechTarget said it best…
“In the current threat landscape, attackers simply jiggle a lot of cyber doorknobs, find out who’s left their “house” unlocked, and set about helping themselves to whatever they want: financial data, private emails, customer account information and other goodies (TechTarget, 2019).”
Just as a home is vulnerable to a burglary if there are no cameras, flood lights, or security system, an SMB without the proper security is an easy target for attack, and the costs can be high if your data is not recovered. Some organizations do get lucky: “When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered (Verizon, 2019).” If you are vulnerable as an SMB, what can you do now to change that? The answer is simple: make a few improvements to your organization’s security program. If done correctly, it will save time, reduce risk, and outweigh the cost of a breach significantly.
Most SMBs only have one or two team members with security roles trying to service 30 – 100 employees. This can cause issues: when they get caught up in day-to-day support concerns, they have no time to focus on proper security work such as logging and monitoring, conducting annual security assessments, implementing an effective backup solution, developing policies, and performing other functions of security. That is where a vCISO fits in, to fill the gaps in your current security program while allowing your operations to remain lightweight.
According to the Verizon DBIR, 94% of detected malware is discovered with a delivery method of email, and 48% of cyber-attacks target small businesses (2019). This means that you, as an organization, must implement at a minimum email security, network & endpoint security, and security awareness training. This can all be done affordably with a vCISO. Another good report from Infocyte stated, “Some 72% of inspected SMB networks found riskware and unwanted applications in their environment that took longer than 90 days to remove.” Also, “Average attack dwell time—the time between an attack penetrating a network’s defenses and being discovered—ranged from 43 to 895 days for SMBs, the report found (TechRepublic, 2019).” This is another glaring reason why SMBs need to start taking a smarter approach to security.
How Do SMBs Gain Peace Of Mind When Dealing With Cyber Risk?
SMBs can protect themselves by enlisting a vCISO from a cyber security consulting company to help come up with a solution to deter and block these advanced threats. Your organization’s selection of security structure will depend on multiple factors such as your risk appetite, industry, maturity of existing program, corporate culture, desired level of segmentation, and the list goes on, but you get the idea. All of this can be hard to manage with a small staff, and let’s be honest, most SMBs do not have the financial ability to in-house a full cyber security team. That’s why you can supplement the gaps with a vCISO, and if you’re not convinced yet, here are some additional benefits our vCISO Program at Praetorian Secure™ offers and a list of what is included* in the program.
Benefits Of vCISO Program
- Scalability of security operations
- Financially appealing compared to in-housing
- Maintain operations without any hiccups (no employee turnover)
- Get expertise without paying the high salary of a CISO
- Independent from existing structure (not easily influenced whereas internal CISO could be)
- Clear & strategic security planning
- Proven methodologies
- Cyber Expert on-demand
Services Included – vCISO Program – Standard Package
- End-point Protection
- Log Management
- Network Device Review Configuration
- Physical & Environmental Security Assessment
- Security Awareness Training
- Vulnerability Management
- Bronze Level Support
Support Package Levels
- Bronze – Response time within 24 hours (basic package included with vCISO Bundle)
- Silver – Response time = 12 hours or less
- Gold – Response time = 6 hours or less
- Platinum – We respond within 1 hour or less
Amy Rogers Nazarov, A. (2011, October). Cybersecurity threats target lack of SMB security – Information Security Magazine. Retrieved from
Rayome, A. D. (2019, July 11). Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery. Retrieved from
Verizon. (2019). 2019 Data Breach Investigations Report [PDF file]. Retrieved from
Gartner/Fireeye. (2019, May 7). Security Organization Dynamics. Retrieved from