April 20, 2021

Volume XI, Number 110


April 19, 2021


Small Business, Big Risk: Cybersecurity Threats Facing Small and Medium-Sized Businesses

When it comes to cybersecurity and data breaches, smaller businesses do not necessarily make less likely targets. According to a recent report on the state of cybersecurity in small and medium-sized businesses by the Ponemon Institute, 61% of small and medium-sized businesses experienced a cyberattack in 2017, a 6% increase from 2016. Similarly, the report said 54% of small and medium-sized businesses experienced data breaches (up from 50% in 2016). In a recent article in Entrepreneur, CEO of Simple SEO Group Brendan Egan discusses some of the biggest cybersecurity threats facing small businesses today.

The Risk of Leaks in the Internet of Things

As we have previously discussed on this blog, the security of internet of things (IoT) devices has been a growing concern for both government and industry, due in part to a number of high-profile attempted cyberattacks using IoT devices. The connected nature of IoT devices and the real-time data collection that make IoT a powerful tool for organizations also create multiple potential backdoors into the organization. To prevent IoT devices from being targeted by hackers, it is important to observe security best practices such as changing default passwords and, for manufacturers, providing unique default usernames and passwords that are difficult to crack. As we have previously discussed, among other organizations, the US Department of Homeland Security has issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.

Algorithmic Exposure

Organizations that increasingly rely on algorithms for operational and business decisions in critical systems run the risk of losing visibility into the functioning and interaction of those systems. The Threat Horizon 2018 report from the nonprofit Information Security Forum advises organizations to examine the risks that come with systems controlled by algorithms and determine when a human should monitor execution or decisions.

Awareness of Known Vulnerabilities

Security researchers frequently uncover critical vulnerabilities in systems as part of efforts to examine and improve security, but the response of manufacturers and providers to these actions is not consistent and may range from implementing public bug bounty programs to taking legal action against researchers. Depending on a provider’s approach, the result could mean exposure to vulnerabilities potentially known to bad actors but not to customers. As part of the procurement process, technology buyers should therefore consider how vendors handle the identification of vulnerabilities and the relationship between the vendor and the security research community.

Copyright © 2021 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume VIII, Number 33



About this Author

Emily Lowe, Corporate finance Attorney, Morgan Lewis
Of Counsel

Emily R. Lowe represents clients in commercial transactions, with a focus on the acquisition, use, protection, development, and commercialization of technology and biotechnology. Emily helps domestic and international companies commercialize their products through various commercial vehicles, including manufacturing and supply agreements and distribution strategies, and development and licensing agreements.

Glen Rectenwald, Morgan Lewis, Technology Attorney

Glen W. Rectenwald focuses his practice on technology, outsourcing, and commercial transactions. He regularly assists a broad range of clients with development, licensing, and distribution agreements; strategic alliances and joint ventures; manufacturing and supply agreements; complex outsourcing and strategic commercial transactions; and general commercial matters. Glen’s experience also includes mergers and acquisitions, private equity, venture capital, and general corporate matters.