Let’s be honest: SMBs haven’t made the big breach headlines over the past few years. However, when we look at the statistics, the numbers tell a different story: SMBs make up a critical portion of these breaches. Given their valuable position in the economy and the growing risk of attacks on their ecosystems, we put SMBs under the spotlight and examine the driving factors behind why security automation, such as a security rating service (SRS), is worthwhile for SMBs.

Accounting for 90% of companies worldwide and more than 50% of the global workforce, small and mid-sized businesses (SMBs) play an integral role in the economy. Yet despite their valuable position, SMBs are rarely equipped to handle cyber attacks. The consequences are dire.

According to the Verizon 2020 Breach Report[1], 30% of breaches targeted small businesses. Of those attacked, a staggering 60% of small businesses were forced to shut down[2].

What makes SMBs such lucrative targets for hackers? How does automation, specifically security rating services (SRS), fit into the enterprise ecosystem? Let’s take a look at some of the security challenges SMBs face and how automation can reduce the burden.

I. Hackers do not discriminate against smaller businesses.

Risk continues to evolve and the complexities for today’s SMBs are not any different from what we see within major organizations. SMBs and their ecosystems have been under attack from malware, ransomware, external threats, and data breaches for the past decade—a trend that is not disappearing anytime soon.

As witnessed during the attack on SolarWinds, “weaker links” are sought-after targets for cybercriminals because of their connection to larger enterprises. Due to a lack of security maturity, SMBs’ chances of getting hit are even higher than those of large enterprises. It’s even more unfortunate that the consequences of a cyber breach are oftentimes detrimental for these organizations.

Across SMBs as a whole, security awareness is unfortunately not the priority it is in larger organizations, which leads us to another pain point for smaller organizations.

By assigning a cyber grade and a financial impact rating, Black Kite transforms the cyber findings on external assets into meaningful grades an SMB can take action on.

II. An ongoing talent crisis limits SMB security staff.

Nearly half of cybersecurity professionals agree that the cybersecurity skills shortage and its associated impacts have worsened over the past few years. For SMBs in particular, budgetary concerns and limited internal staffing capabilities add to the pressure.

With fewer IT security practitioners on board to handle the increasing number of cyber attacks, SMBs are burdened with larger attack surfaces and vulnerable infrastructures.

Black Kite monitors entities against 20 different categories, including credential management, email security, application security, patch management and fraudulent domains, to signal potential attack vectors. The signals in these categories can prevent a vendor, or the SMB itself, from becoming the next target of a cyber attack.

III. More outsourcing leads to more risk exposure.

SMBs outsource a lot more than just their IT departments, which inherently increases their vulnerability to supply chain attacks.

As a result of the pandemic, SMBs have also been quick to adopt new technology to gain new capabilities, improve efficiency and/or reduce costs. This means more collaboration tools, more remote access granted, and, in some cases, outsourced IT departments. These shared platforms become an insertion point for different attack vectors.

Another technology issue is cloud usage without consideration of the liabilities. Questions and concerns such as “where is the data stored”, “what is the security responsibility model” and “what are the liabilities of the provider” get lost. Most SMBs do not question the security and compliance liabilities of their cloud and hosting providers, or treat them as a continuous parameter in their due diligence.

At the end of the day, each new business partner presents the need to secure operations on both ends.

Black Kite offers the capacity to continuously monitor an entire ecosystem of business partners including outsourced entities.

IV. Regulations increase the burden on SMB risk management programs.

Although SMBs recognize that compliance is critical, many don’t have the capacity and tools that larger organizations do to properly address it. Compliance with these regulations requires extra expenditure and time, and for SMBs the costs are much higher and the effects greater.

Industry standards, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), GDPR, and CCPA, dictate what a company, as well as its vendors and third parties, can and cannot do with personal data.

Apart from the PII, PHI and financial data concepts, every business should be moving toward privacy by design, where protecting consumer privacy is built into the processes from the ground up rather than being added later as a patch. That’s a global trend that’s not going away.

Black Kite correlates a vendor’s cyber risk findings to industry standards and best practices including NIST 800-53, ISO 27001, PCI-DSS, HIPAA, GDPR, CCPA, Shared Assessments, and others. Black Kite’s advanced AI algorithm also estimates the compliance level for the above regulations/frameworks based on a vendor’s evidence documents. This enables SMBs to monitor the compliance level of their entire vendor ecosystem according to industry standards.

V. Quality over Quantity

Budgets are limited within SMBs. Nevertheless, today’s SMBs have big-enterprise needs: the same technologies, processes and customer requirements that have been exclusive to the enterprise camp for years. It’s even more critical for SMBs to get it right the first time.

This holds true for each and every process, including security and risk management and the products they invest in. Security rating services (SRS) are often overlooked within the SMB vendor ecosystem. However, an SRS can be a cost-optimized solution that saves SMBs from costly on-site audits and lengthy due diligence efforts.

How Black Kite Helps SMBs

Black Kite’s Third-Party Risk Assessment assesses entities throughout an SMB’s vendor ecosystem on an ongoing basis. The platform captures critical information and provides detailed, drill-down summaries to fully understand and mitigate the risk. Through this, an SMB can get a detailed assessment of a business partner or outsourced entity in real time.

Black Kite utilizes 450 controls, of which 250+ are unique to a company’s cyber hygiene. The controls are broken down into 20 categories that correspond to an organization’s security posture, providing a holistic view of the SMB itself as well as its entire vendor ecosystem.


[1] https://enterprise.verizon.com/resources/reports/dbir

[2] https://www.netatwork.com/5-step-it-security-compliance-for-smbs