According to the FBI’s Internet Crime Report, Cyber-attacks are a growing threat for small and medium-sized businesses.  The cost of cyber-crimes reached $2.7 billion in 2018 alone.  Small businesses can be attractive targets because they have information that cyber-criminals want and they often lack the sufficient security infrastructure.  According to a recent U.S. Small Business Administration survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. Yet even with these concerns, businesses often can’t afford professional IT solutions, they have limited time to devote to cyber-security, or they don’t know where to begin.

A virtual CIO can help business leaders better understand this fast-changing area and can lead them through the critical decisions that must be made to protect their business and customers.  Some important data to consider includes the following:

  • 65% of attackers use spear phishing emails as the primary attack vector (Symantec Security Threat Report 2019)
  • 94% of malware was delivered via email (Verizon Data Breach Report 2019)
  • 90% of incidences and breaches included a phishing element (Verizon Data Breach Report 2017)

Cyber-attacks are constantly evolving and business owners must have effective strategies that protect against the most common types.  These types include:


Short for malicious software, Malware is a comprehensive term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network. Malware can include viruses and ransomware.


Viruses are harmful programs intended to spread from computer to computer (and other connected devices). Viruses are intended to give cybercriminals access to your system.


Ransomware is a specific type of malware that infects and restricts access to a computer until a ransom is paid. Ransomware is usually delivered through phishing emails and exploits unpatched vulnerabilities in software.


Phishing is a type of cyber attack that uses email or a malicious website to infect your end user devices with malware or collect your sensitive information. Phishing emails appear as though they’ve been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code.

Assess your Business Risk

The first step in improving your cyber-security is understanding the types of data and information stored, your risk of an attack, and then deciding the right cost-benefit level your business should implement.  A cyber-security risk assessment will identify where a business is most vulnerable and help inform a plan of action—which often includes end user training, securing email platforms, and a strategy for protecting the business’s information assets.

Best-Fit Cyber-Security Strategies

At ClearTone Consulting, it is understood that different businesses fit different risk profiles.  Additionally, every company is in a unique financial situation and it is possible that the security industry’s best practices may be too expensive or not currently realistic for every organization.  This is why a mature cost-benefit analysis is fundamental to determining the appropriate security strategy.  An overly burdensome or costly security strategy is meaningless if a business cannot afford it and therefore does not implement fully.  The fact is that no amount of spend can guarantee security protection.  This means that the detail of a cyber-security strategy is first and foremost a business strategy decision.

ClearTone Consulting’s cyber-security model balances a business’s risk profile against security costs to address the most likely security attack vectors to find the proper balance of maximizing protection while minimizing costs.

Has your organization defined its proper balance point between security costs and acceptable risks? Do you know where your highest risks are?