Small- to medium-sized businesses (SMBs) are considered easy targets for cyber crooks because they’re outgunned and lack the necessary resources to adequately defend themselves.
Sure, SMBs can hire MSPs or MSSPs (managed security services providers) to mitigate risk, monitor threats, and safeguard business assets. But many of those SMBs fail to take such proactive measures.
For example, a recent survey of 2,200 security pros at SMBs found that in 2018 a security breach cost their organization an average of $1.9 million, up 60 percent from 2017; response time to a breach rose; only 13 percent of their IT budget was devoted to security; and, 75 percent lacked the personnel to mitigate cyber risks.
One MSSP's Concept: Cyber Tax Credits
What would inspire small businesses to more effectively pursue proper cybersecurity safeguards?
John Leitch, who heads Winquest Cyber Services, a Baltimore, Maryland-area MSSP, has a potential solution: Cyber tax credits. In other words, paying SMBs, either at the state or federal level, to implement cybersecurity measures. Leitch recently proposed a national-level cybersecurity incentive for small businesses at the Congressional Roundup held by the Maryland Chamber of Commerce in Washington, D.C.
"We've had tax credits and incentives for solar power, wind power and electric cars because alternative energy is important to our economy,” he said. “It's time to provide similar cybersecurity incentives for the $5.9 trillion small businesses community."
Even though small businesses have the greatest risk of shutting down over a cyber incident, most avoid the issue because of fear or anxiety, a factor Leitch refers to as cybersecuriphobia. Many SMBs simply ignore the risk, despite warnings, studies and media coverage, he said in remarks at an Interop session earlier this year.
Indeed, smaller organizations wave off cybersecurity, believing that they’re too small or don’t have anything anybody would want. But a responsible business owner should protect their data as well as their customers' data and most don't, Leitch said. The "best motivator" to urge SMBs to discard their inertia and run toward cybersecurity? Money. And, tax credits can make it happen, Leitch figures.
Cybersecurity Tax Credits: The SMB Business Case
There’s some research to support Leitch’s cybersecuriphobia claim. A recent analysis of 1,000 risk assessments conducted by ConnectWise showed that most SMBs ignore cyber threats -- only 31 percent identify and document cyber threats. This despite 80 percent of SMBs pointing to cybersecurity as a top business priority, according to another study.
Leitch pointed to some real world examples already in place to support his proposed tax incentive. In 2018, the Maryland legislature passed the Buy Maryland Cybersecurity Tax Credit to provide a tax credit for 50 percent of the purchase price of cybersecurity technologies and services from qualified Maryland companies up to $50,000 in tax credits in a single tax year. And, the Maryland Defense Cybersecurity Assistance Program reimburses SMBs up to $10,000 for complying with National Institute of Standards and Technology (NIST) cybersecurity standards. (Note: Leitch had a hand in the early development of both programs.)
How should SMBs get started to better protect their organizations from hackers? Right there at the top of Leitch's list is basic cybersecurity awareness training. And, if an SMB elects to outsource their cybersecurity needs, it's a good idea to find a firm (MSSP) that will engage as an ally.