The question isn’t big or small business. It’s valuable or not valuable data.
There is a common misconception among both businesses and service providers and it goes something like this: Small and medium businesses are not the focus of hackers these days, this is a large enterprise problem. The myth goes on that hackers must be focused on large enterprises because that is where all the news stories are.
If you remember nothing else from this piece, the idea that hacking is exclusively targeting large enterprises, and that small and medium business have not been breached, is completely FALSE.
Hackers are equal opportunity criminals that are indifferent to the size of businesses. They are focused on who has the valuable IP and how do they obtain it. In fact, according to the Verizon 2017 Data Breach report, 61% of victims last year were small and medium businesses. So not only are hackers not exclusively targeting large businesses, the opposite is true. More often than not, victims today are small and medium businesses.
What hackers understand is that in our information-based economy, the amount of valuable data a business holds is independent of the number of employees. Data centers may have terabytes of valuable records but only dozens of employees to maintain the servers. Auto dealers are another good example of a business with few employees but many valuable records.
Think about the last time you went to purchase a car. You handed over your driver’s license and auto insurance information, and if you were financing the car, which you probably were, you also gave financial information like annual wages, social security number, credit history, and bank account information. Plus, if you’ve been servicing your cars at the dealership, they also know the repair records and values of all your vehicles.
About a year ago, I went to speak with a group of dealers about IT security and here is what I learned: The average dealership in the U.S. is typically a family business worth $4M USD. It typically has a first- or second-generation owner and about 12-14 employees, including not more than one IT person. So all of these sensitive records are swimming around inside this dealership and there is literally often only one person securing them. After I spoke about security, one of the dealer owners came up to me to tell me he didn’t get it. As he put it, “I care about three things: selling cars, making money and selling cars.” He said he couldn’t even tell me the name of this IT person and questioned why he should care. I asked him who founded the dealership that bore his family name. “My father,” he said. What did he ultimately want to achieve with the business? “Give it to my son,” he said. So I asked him what would happen if the people of the town where he lived found that all their financial and bank account information had been stolen from the servers in his dealership. “My dealership reputation would be mud, I’d be ruined.” he said. I explained, “that’s why you need to care.”
Multiple articles have been written about how cyber criminals see auto dealers as great targets, information-rich businesses that are lightly defended.
In fact, major breaches in auto dealerships have already occurred. Last year, a shared database containing social security numbers and dealership employees’ information from 128 dealerships was found unsecured online.
In all of this, there is a solution. Nearly every dealership is connected to the internet via a service provider and consumes information services via cloud providers. These businesses are in a fortunate position to already be trusted by the auto dealership and many other small businesses with much greater resources to secure sensitive information. In fact, based on our recent survey of global enterprises, 30+% said that they want to purchase security services from their service provider, and the number was even higher, almost 40% for Europe.
Recently, Radware worked with industry analysts at Heavy Reading to demonstrate the business case associated with service providers offering DDoS managed security services. Based on conservative assumptions over a 5-year period, we found that a DDoS managed security service could generate $460M in revenue and $317M in net cash with 74% margins in the outer years. You can download the paper here.
Evidence is growing daily that hackers are primarily focusing on small and medium businesses that have valuable records and are typically lightly defended, if at all. Service providers are well-positioned to provide this service, as 30% of businesses are currently asking their service or cloud provider to offer a managed security service. Lastly, independent analysis by analyst firm Heavy Reading demonstrates that this is a $400+M million-dollar opportunity with impressive margins and cash flow.
It’s time for the service providers to give small and medium businesses the security services they desperately need, and enable them to focus on their core business. Protect the auto dealerships’ customers and let the dealer owner focus on what he does best: Selling cars, making money and selling cars.