A lot can change in five years. Think of where we are today—now flash back five years to 2014. What was happening? The Winter Olympics in Sochi, the Ice Bucket Challenge, and we were only on iPhone 6. The world looked a bit differently then, and business concerns and priorities were different too—especially for small-to-medium-sized businesses (SMBs).
In 2014, customer acquisition and retention and business growth were top goals for SMBs, top IT priorities were social media and mobility solutions, and within the top five challenges for SMBs was data protection, recovery and business continuity. It’s interesting to compare these areas to SMB budgeting priorities for 2019.
According to a Capterra survey of 700 SMBs on their 2019 and 2020 purchasing plans, 48 percent of SMBs noted the cloud as priority #2 of ten, which was a bit further down the list (at #4) in 2014. It is crucial now for small businesses to have access to the same power offered to Fortune 500 companies—by way of platforms from Amazon Web Services, Microsoft Azure, and Google Cloud. Mobile business has dropped from #2 to #9, reflecting how the proliferation of the Internet of Things (IoT) has undoubtedly led to a much stronger need for data protection, especially since this was a top challenge just five years ago. 47 percent of SMBs named data and information security as priority #3 for this year. These companies, at a leadership level, understand that today, business growth cannot be achieved before a firmer emphasis is placed on cyber security.
So where does that start? Where did it start? The threat landscape is completely different today than it was in 2014, and there are a number of realities of this world that did not exist five years ago. Here is a look at the top five.
1. Heightened Awareness
The evident state of IT security can be summed up in one word: consumerization. Consumerization around security has heightened not only SMBs’ awareness, but also their end users’ security concerns. This has led to some businesses adopting a basic, disparate approach because they know they need security. All the news and headlines in recent years has spawned this fear of cyber attacks, causing businesses to put up firewalls and install antivirus software because they think that’s enough—when in fact, security should be thought of more strategically.
Security decisions are now largely consumer-driven, and with this heightened awareness comes increased importance—which is why decisions about security are now being made on the board level and C-level.
To accurately convey evolutions of business and the scope of IT over the past five years, I spoke with three managed IT service providers about these changes—in regard to the SMBs they serve and essentially what it takes for business to prevail.
“We rebranded four years ago from PC Troubleshooters—which hinged on our break-fix services—to Secure Future Tech Solutions—a more security-focused name that communicated where we wanted, and needed, to take our company,” says Eric Shorr, President of Secure Future Tech Solutions.
“We saw things changing for our clients and wanted to ensure prospects that we could handle their sophisticated needs,” he adds. “The rebrand opened up new doors for us, as we were able to bring on bigger clients—not to mention lead with the conversation of how we can help secure their business. This conversation has become easier as they continue to see their peers getting hacked—not just a Target or Equifax, but on a local level. Our clients are more aware that they’re a target, and yet we’re educating them on a continuous basis.”
As the consumer mindset around security continues to mature, the business opportunity only grows for managed IT service providers offering cyber security education and support through tools and expertise.
2. Broader Attack Surface
Businesses and consumers alike are hyper aware of the need for cyber security in 2019, and they’re increasingly understanding why it’s needed. Companies of all sizes are being attacked today because there are now more sophisticated attackers, and the attacks are broad-based and less targeted. Five years ago, hacks were thought to be focused and elaborate—but now with new, smarter forms of malware and the seemingly endless IoT to manage, the attack surface has expanded exponentially.
Advanced forms of malware, like ransomware cryptoworms, are major threats to businesses of all sizes because the malware is self-propagating—meaning it is much more difficult to find and can propagate at network speeds. Some malware has even gotten smart enough to evade basic detection tools. Growing techniques deployed by hackers include hiding the threat in encrypted traffic, and cryptojacking—which secretly exploits your computing device to mine cryptocurrency. Threat actors are also using popular cloud services for command and control, making malware very difficult to find with traditional security tools because it looks like normal traffic. These types of attacks are being carried out by teams that have the resources and training equivalent to an entire government at their disposal. Even attacks from private sources have become more sophisticated, like social engineering attacks during elections.
The fact that many IoT devices are unmonitored and patching for these devices is often done poorly further validates cloud as a top priority today. IoT devices create "back doors" to other systems, and IoT endpoints really have no inherent security capabilities. If an organization moved just one n-tier application from a traditional on-premise infrastructure deployment to a cloud-hosted container service, it would reduce its potential attack entry points by dozens and dozens of possibilities. With advanced threats like ransomware in the cloud lurking, companies simply can’t afford that level of vulnerability.
Juan Fernandez, VP of Managed IT Services at ImageNet Consulting, discusses why it’s imperative for business leaders to surpass “good enough” when it comes to their security.
“We entered into the information super highway with a junk car. Companies lacking adequate security protections will fail to protect against threats and, figuratively, crash the car. Over the past few years, we weren’t ready; our clients weren’t educated. So what do you do to avoid crashing the car? MSPs need to fix all of the security vulnerabilities their clients could possibly have before they even knew to ask about them. It’s like putting bumper guards and the best insurance on a Ferrari. When it comes to protecting SMBs, ‘good enough’ is gone. MSPs must do everything they can to make sure their clients are set to get out there, be exposed to all of the possibilities, and be protected enough to continue doing business. Saying you ‘monitor technology’ is one thing, but that’s just being a fixer, not a protector—which is the real value add.”
The broader attack surface and SMBs’ risk level today illustrates that need for a ‘protector,’ a leader in tech and security that ensures business continuity and scalability amidst the turbulent climate.
3. Different End Values
There are now different ways to monetize cybercrime than just stealing data and selling it. Hackers’ main goal today is the destruction of systems and data, which results in stolen computing cycles and halted business. From social media spoofing to malicious fake news, the prevalence of social attacks has increased in recent years. Even in the example of NotPetya, a strain of malware that posed as tax software but was actually something called "wiper malware" with the intent to kill organizations' supply chain systems, it illustrates the wider set of values cybercriminals now have.
The main takeaway here is that hackers have gone pro. Five years ago, security was a secondary concern for organizations; it was more reactive to the onset of incidents. And prior to that, IT professionals didn’t comprehend the facet of opportunities in the cyber security space. Moreover, they didn’t approach security proactively. Couple that with high speed internet devices causing technology to nearly hit its cap, it’s no wonder hackers have had the space to advance their techniques. Five years ago, breaches involved a virus and a disabled computer; now cybercriminals are making money hacking people. It’s a whole different game.