Half of SMBs Experienced a Security Breach Last Year

More than half of small and medium-sized businesses have experienced a data breach, and one in five said it cost them between $1 million and $2.5 million, according to a new study by Cisco Systems that surveyed 1,816 SMBs across 26 countries.

Cisco’s “SMB Cybersecurity Report” is based on an SMB-focused analysis of the data collected for the company’s Annual Cybersecurity Report. That study included responses from 3,600 businesses across various industries and found that more than half of all attacks cost companies of all sizes more than $500,000. Over a third of attacks result in financial damages of more than $1 million.

These numbers are worrying considering that for many small organizations, financial losses of more than $500,000 or $1 million can very well mean going out of business.

“These data breaches often times have lasting financial impact on a company, including lost revenue, customers, and opportunities, as well as the expenses to clean up after the breach,” Cisco’s Paul Barbosa said in a blog post.

Failing to comply with data breach notification laws can also result in additional penalties. For example, Uber just settled a lawsuit this week with all 50 U.S. states in which it agreed to pay $148 million for hiding a massive data breach of personal information for almost a year.

Smaller companies also face challenges in responding to threats due to limited security budgets and a shortage of skilled employees.

Budget constraints were the most frequently cited obstacle to improving a company’s cybersecurity posture, according to Cisco’s Annual Cybersecurity Report, followed by compatibility issues with legacy systems and a lack of trained personnel.

Out of these three obstacles, the skilled talent gap is the only one that actually increased in frequency in responses over the past three years. At the same time, the median number of security professionals working inside organizations has actually increased to 40 in 2017 from 25 in 2015, suggesting that companies are trying to hire more security talent, but have a hard time finding it.

This shortage of security personnel also leaves significant gaps in incident response. According to the annual study, organizations that receive daily security alerts from their security products fail to investigate 44 percent of them. For SMBs it’s even worse: 55.6 percent of alerts go uninvestigated.

Even among alerts that are investigated and deemed legitimate, nearly 50 percent are never remediated, because companies of all sizes lack the resources to act on them.

Another worrying trend is the growing number of cyberattacks that affect more than half of an organization’s systems. The share of such attacks more than doubled, to 32 percent in 2017 from 15 percent in 2016.

In SMBs the number of such attacks is even higher, at 39 percent. That might be because small businesses are more likely to have most of their systems grouped together in a small number of locations that are interconnected, so infections can spread more rapidly.

The study also found that 40 percent of companies with between 250 and 500 employees experienced a severe security breach in the past year that resulted in more than four hours of downtime. The business functions most commonly affected by breaches are operations, finance, intellectual property and brand reputation.

Kernel Privilege Escalation Flaw Affects Red Hat, CentOS and Debian

Security researchers from Qualys have found a vulnerability in the Linux kernel that could allow local attackers to obtain root privileges through SUID-root binaries.

What’s interesting is that this flaw, which researchers from Qualys have dubbed Mutagen Astronomy, is mitigated by a bug fix in the Linux kernel that was introduced in July 2017. That fix has been backported to older kernel versions by many Linux distributions since then, but not by all of them.

The Linux distributions that have not yet backported the patch and are therefore affected by Mutagen Astronomy include Red Hat Enterprise Linux (RHEL) 6 and 7 and Red Hat Enterprise MRG 2; CentOS, which is based on RHEL; and Debian 8 Jessie.

“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw,” Red Hat said in an advisory. “Systems with less than 32GB of memory are very unlikely to be affected by this issue due to memory demands during exploitation.”

Red Hat rates this vulnerability, which is tracked as CVE-2018-14634, as Important and has assigned it a CVSS score of 7.8 out of 10.
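For readers who want to triage their own fleet, here is a small POSIX shell helper, added here as an illustration and not taken from the article, from Qualys or from Red Hat. It applies only the two conditions Red Hat’s advisory states (32-bit systems are not affected; hosts with less than 32 GB of RAM are very unlikely to be exploitable) and lists the setuid-root binaries that are the local escalation vector. The function names, the 30 GiB threshold (Red Hat’s 32 GB figure minus a margin, because MemTotal in /proc/meminfo excludes memory the kernel reserves) and the sample meminfo line are assumptions of this example. It does not tell you whether the July 2017 kernel fix is present on a given kernel; that still has to be checked against your distribution’s advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2018-14634 (Mutagen Astronomy).
# Not from the article, Qualys or Red Hat; names and threshold are assumptions.

# 30 GiB in kB, the unit /proc/meminfo uses. Assumption: Red Hat's "less than
# 32GB" figure, lowered by a margin because MemTotal undercounts physical RAM.
MEM_THRESHOLD_KB=31457280

# classify_exposure ARCH MEMTOTAL_KB
# Prints one verdict line derived from the two conditions in Red Hat's advisory.
classify_exposure() {
    arch="$1"
    mem_kb="$2"
    case "$arch" in
        i386|i486|i586|i686|armv6l|armv7l)
            # 32-bit address space is too small for the exploit.
            echo "not-affected: 32-bit address space"
            return 0 ;;
    esac
    if [ "$mem_kb" -lt "$MEM_THRESHOLD_KB" ]; then
        echo "unlikely: below 30 GiB RAM, exploitation memory demand not met"
    else
        echo "exposed-if-unpatched: 64-bit host with >= 30 GiB RAM, verify kernel fix"
    fi
}

# memtotal_kb FILE
# Extracts the MemTotal value (in kB) from a file in /proc/meminfo format.
memtotal_kb() {
    awk '/^MemTotal:/ { print $2 }' "$1"
}

# list_suid_root ROOT
# Lists setuid binaries owned by root below ROOT: the local privilege
# escalation vector the advisory describes. Review and prune where possible.
list_suid_root() {
    find "$1" -xdev -type f -perm -4000 -uid 0 2>/dev/null | sort
}

# Constructed sample input (not a real host), so the helper runs offline.
sample_meminfo() {
    f=$(mktemp)
    printf 'MemTotal:       65927412 kB\nMemFree:         1234567 kB\n' > "$f"
    echo "$f"
}

# Stand-alone run against the live host: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "arch:    $(uname -m)"
    echo "kernel:  $(uname -r)"
    echo "verdict: $(classify_exposure "$(uname -m)" "$(memtotal_kb /proc/meminfo)")"
    echo "setuid-root binaries:"
    list_suid_root /
fi
```

Run it with `--live` on each host; a 64-bit box at or above the threshold is only “exposed” if its running kernel lacks the fix, so pair the verdict with your distribution’s advisory for that kernel build. Shortening the setuid-root list (removing the setuid bit from binaries nobody needs) reduces the attack surface regardless of patch status.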

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42