
The future of GRC: How small businesses are fighting the rise of cyber-crime

THE ARTICLES ON THESE PAGES ARE PRODUCED BY BUSINESS REPORTER, WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS

Dan Fox
,Evan Pappas
Wednesday 11 September 2024 11:20 BST
Going into battle: It’s now small businesses that have to guard against cyber-attacks (Courtesy of ScalePad)

ScalePad is a Business Reporter client

Another day passes, and news of another large-scale cyber-attack makes headlines. It’s almost routine at this point. As data breaches of massive corporations steal the spotlight, the reality is small businesses are at higher risk and are targeted more regularly than big-name organisations.

When it comes to the current state of cybersecurity, the biggest risk areas are small and midsize business (SMB) markets. More than 90 per cent of breaches impacted SMBs and 46 per cent of ransomware attacks in 2023 led to losses of between $1 million and $10 million, a crushing blow for small companies.

Despite news of attacks on large corporations with big-budget IT to help protect them, many SMBs have an “it’ll never happen to me” mindset. Unfortunately, that way of thinking is a trap.

Small business cyber-threats don’t often get news coverage because they’re less notable. In 2021, 61 per cent of SMBs were targeted by a cyber-attack. A UK study showed that 60 per cent of small businesses will close within six months of an attack.

In reaction to the growing threat to SMBs, governing bodies in the USA, UK, EU, Canada, Australia and other countries, alongside industry regulators, are implementing stronger cyber-crime protection standards.

These increased standards drive the need for SMBs to incorporate governance, risk management and compliance (GRC) into their business.

Meeting a need: GRC helps companies meet the cyber-security requirements of governments and industries worldwide (Courtesy of ScalePad)

Cyber-security for SMBs

Enterprise organisations have used strong GRC structures for decades to maintain security and operations. GRC helps companies meet the cyber-security requirements of governments and industries worldwide.

These industry frameworks are more than just a list of best practices: they are concrete steps towards cyber-crime protection that reduce the risk of breach and data loss, and they set standards for recovering from incidents.

It hasn’t been common for smaller organisations to adopt GRC. That is, until recently.

Whether it’s a small five-person company servicing a highly regulated business, a local water or port authority managing infrastructure, or a school with a single IT person, large enterprises and governments both see the same need to secure their vendors through increased compliance requirements.

With compliance regulations moving downstream, cyber-security for SMBs is becoming a requirement, and the adoption of GRC is needed to meet new security standards when working with industries such as healthcare and finance.

Small businesses need to adopt GRC

When big organisations such as Boeing are attacked, it’s splashed across headlines everywhere. But the people behind cyber-attacks have shifted their focus to the smaller vendors that make up a large part of supply chains. Now, it’s the five-man shop that works with Boeing on a government defence contract who’s at risk.

Boeing and more than 200,000 other organisations of all sizes work with the US Department of Defense (DoD) and comply with the country’s Cybersecurity Maturity Model Certification (CMMC). Now, CMMC has been expanded and updated to improve the requirements and process so SMBs and subcontractors working with the DoD can meet the standard.

This is just one example of how SMBs, downstream or not, benefit substantially from adopting GRC. This will help them achieve and maintain compliance with frameworks including NIST, CIS, ISO, SOC 2 and more.

Complying with security frameworks will help organisations implement backup and recovery policies, information security controls and incident response. These best practices help improve security posture, reducing risk and liability.

How do SMBs tackle compliance and governance?

Cyber-security and IT services are in high demand in the mid-market, but that space is high risk and low in resources, making it hard to hire people for the job. CyberSeek reports approximately 500,000 job openings for cyber-security-related roles – and filling these roles is taking 21 per cent longer than comparable IT positions.

That’s why businesses are turning to their existing IT support, whether an internal team or a contracted IT managed service provider (MSP), to help them establish GRC.

At ScalePad, we’ve seen this push take place in real time. The MSP industry is stepping up to answer the call to secure industries in need, secure their clients and implement GRC.

ScalePad’s 2024 MSP Trends Report showed that MSPs have invested in compliance as a service to better protect their clients and earn new business. Cyber-security is the second-biggest worry for MSPs, and cyber-security services ranked as the second most important service in both 2023 and 2024.

MSPs providing compliance as a service helps many small businesses improve their security and stay viable while meeting new and evolving government and industry requirements.

Governments have recognised this need, and are stepping in to provide support for small businesses to improve security.

The White House’s 2024 Report on the Cybersecurity Posture of the United States finds that ransomware groups are now targeting schools, hospitals and other organisations less capable of defending themselves. The good news is that governments have been making resources and funding available to help.

One of these funding opportunities is the recent Federal Communications Commission (FCC) program for schools. The FCC recently adopted a three-year pilot program to provide $200 million for cyber-security services and equipment for schools and libraries.

GRC is the future of security for small businesses

The MSP industry has rapidly matured, but we believe we’re still in the early days of the push for cyber-security for SMBs. More regulations from governments and industries are coming, and businesses meeting those standards are doing it through compliance as a service and GRC tools.

This is the beginning of a push that will develop dramatically over the next 10 years, and ScalePad is ramping up to serve the needs of the IT professionals who protect their businesses through our security and compliance platform, ControlMap.

From large corporations having to meet dozens of security frameworks to small operations just starting their security journey, the opportunities to get proactive on security are now a priority for everyone. You can download The Future of GRC Infographic here.

By Dan Fox, Cybersecurity Lead, ScalePad and Evan Pappas, Content Writer, ScalePad
