SMBs face substantial risk in today’s cybersecurity landscape. With hackers developing increasingly sophisticated attack methods, it’s challenging for smaller companies to keep up with the most robust cybersecurity solutions and best practices. Not only do they have smaller IT budgets compared to enterprises, but SMBs often lack awareness about their risks and vulnerabilities.
Unfortunately, SMBs are a prime target for hackers. In fact, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, “76% of U.S. companies were attacked within the last 12 months, up from 55% in 2016. Globally, 66% of respondents reported attacks in the same timeframe.” Further, 82% of respondents in the U.S. reported having experienced a cyberattack at some point throughout their organization’s lifetime. According to the Verizon 2019 Data Breach Investigation Report,43% of all data breaches involve small businesses.
With cloud adoption and the use of IoT devices and wearables on the rise across businesses of all sizes, the security perimeter is in constant flux, making it even more challenging to protect the company’s sensitive data. Given that 60% of small businesses close for good within six months of a cyberattack, a proactive approach to security is imperative.
What should SMBs focus on when it comes to cybersecurity, and what risks should be of the greatest concern? To gain some insight, we reached out to a panel of cybersecurity experts and small business leaders and asked them to answer this question:
“What are the top cybersecurity considerations for small to midsize businesses (SMBs)?”
Read on to find out what our experts had to say about the most important cybersecurity considerations for SMBs.
Brandon is a smartphone security expert. Founder of Tiger Mobiles, he heads up the help and advice section; answering customer questions and queries to help them stay safe on their smartphones.
“My top 3 cybersecurity considerations for small to midsize businesses (SMBs) are…”
1. Uploading sensitive data to cloud storage providers like Dropbox, Google Drive, etc.
Any SMB who is using cloud storage for sensitive information should consider locally encrypting files and folders before uploading them. So, if you’re a Dropbox user keeping passport scans, customer details, passwords, commercially sensitive work files, etc. on there, then I would most certainly be encrypting locally first.
I know people reading will think: “Surely Dropbox uses their own encryption?” Dropbox does use an excellent encryption system for files, but because you’re not the one encrypting, you’re not the one that holds the decryption key. Since that decryption happens automatically when logged into the Dropbox system, anyone who accesses your account can also get your now non-encrypted data. If you further encrypt, it’s a second line of defense.
2. Allowing remote workers too much freedom in how and where they access the internet.
Technology is beneficial for businesses as they can operate with a flexible, mobile workforce to reduce overheads and boost productivity, but it isn’t without risk. Connecting to enterprise and client data over unsecured Wi-Fi networks and from poorly-secured devices can bring significant threats to the security of your business.
There’s also an increasing tendency to use your own devices like phones and laptops for both professional and private tasks. When you couple that with using public networks, it creates a gaping hole in your cybersecurity.
Just like most larger enterprises have security policies in place, SMBs should also have a set of security measures that everyone should follow to help create a culture of cybersecurity awareness and protection among remote workers.
3. Reusing identical passwords and not using two-factor authentication.
It might seem like a hassle to set up a password manager or two-factor authentication for employees (and train them on using it), but it’s far more hassle to have to clean up if someone’s details are compromised. At best, you’ll have to change multiple passwords and recover your account on whatever service was hacked. At worst, you’ll have to perform a full security audit and trace what other accounts might be compromised. Of course, using 2FA or a password manager doesn’t make you unhackable, but it does make you a tougher target to exploit.
Steven J.J. Weisman
Steven is a lawyer, an author, a professor at Bentley University where he teaches White Collar Crime, and one of the country’s leading authorities on cybersecurity. Among his books is Identity Theft Alert. He also writes the blog www.scamicide.com where he provides newly updated information about the latest scams, identity theft schemes, and cybersecurity developments.
“Cybersecurity should be a consideration for all businesses, whether they are large or small…”
In fact, many small businesses are often targeted by hackers as easy targets due to their failure to take proper cybersecurity steps. Here are some steps SMBs should take:
1. Training employees in proper security practices is critical. Most malware, whether it is ransomware or keystroke logging programs that steal personal information stored on the company’s computer for purposes of identity theft, is downloaded as a link or attachment in a phishing or more specifically targeted spear phishing email. While security software will recognize and block many spear phishing emails, it definitely will miss many others, which is why it is critical to train and remind employees about recognizing and avoiding spear phishing emails and never clicking on links or downloading attachments unless they have been confirmed to be legitimate.
2. Install security software and keep it constantly updated. There have been many data breaches, such as the major one at Equifax, that could have been avoided if the company had installed software updates in a timely manner.
3. Encrypt all sensitive data, particularly on laptops and portable devices that leave the office.
4. Maintain and regularly change complex passwords. Use dual factor authentication when possible.
5. Anything connected to the internet poses a threat to cybersecurity. Therefore, make sure that you have changed the default password on all your Internet of Things devices.
6. Shred all discarded documents that contain sensitive information.
7. The tremendous threat of ransomware is getting worse. Along with properly training employees to avoid the spear phishing emails that may contain ransomware and using proper security software, the best defense against ransomware is to make sure you back up all of your data daily on a couple of different platforms, such as in the cloud and on portable hard drives.
Steve Pritchard is the Founder of Checklate.
“People can still be the biggest component when it comes to safeguarding your company from cyber attacks, but…”
They can also be the biggest risk. If your staff are not aware of the dangers out there in the online world, you are potentially opening a serious can of worms for your business. To stand the best chance of not having any security issues, you need toeducate your staff on how to safely use your computers and systems. Cybersecurity is one area of your company where a little cynicism is okay for you and your employees.
Guy Novik is the CEO of Orlando Villa Holidays.
“Password protection is a major component in protecting a small business from malware and hackers…”
Anyone with business technology assets needs to give serious thought to having strong and complicated passwords to ensure all their devices are protected, whether it’s mobile phones, laptops, tablets, or desktop computers.
Never disclose your password to anyone and have different passwords for each system. Whenever an employee changes jobs, you should overhaul the whole password system and change them to ensure they can no longer access sensitive company information or collateral they could use to compete with you in their new company.
Shayne Sherman is the CEO of TechLoris, based in Brookline, Massachusetts. With over 11 years of experience in the tech industry, Shayne founded the company with the goal of providing unbiased reporting on the tech world.
“The top 3 cybersecurity considerations for SMBs are…”
Employees: Your biggest resource and your biggest risk. A good employee is going to take measures to keep your information safe by doing everything right. But a poorly trained or unconcerned employee could be putting your information at risk by going to the wrong site, not password protecting information, or being unconcerned about updating their computer.
Software isn’t negotiable. You can’t run a business without computers in some shape or form anymore. They have become a necessity, and that means it’s important to keep software up to date. The longer software goes without being updated or replaced, the more vulnerable it is to new methods of hacking or virus infection.
Be aware of mobility. Chances are your employees have mobile phones that are used for work only. Make sure they stay that way. Don’t let employees jailbreak phones to give them access to other apps or games, because this can compromise security. In fact, keep the phone as basic as possible to ensure a low-tech mobile option that has fewer opportunities to be hacked.
Bret Carmichael is the founder of LEAP WORKS, a company that helps businesses achieve growth through branding, web, and digital marketing. Before founding LEAP WORKS, he was a freelance designer and an IT professional at a Fortune 100 insurance company for 10+ years.
“Of my top 3 security considerations for SMBs, number 1 leads by a lot…”
1. Password management: Small businesses lack resources for security and compliance. They tend to manage credentials in the same way that many individual consumers do; they use the same username and password combination everywhere. Their passwords are often weak and listed among Have I Been Pwned’s records of exposed credentials – leaving all the SaaS products they use, including their Office 365 accounts, in a state of persistent threat.
2. WordPress: This isn’t a knock on WordPress. However, as the most popular CMS on the web, WordPress installations are an attractive attack surface for bots. The risk is two-fold:
- SMBs often leave the admin login URL at /wp-admin. Bots often gain access to installations through a combination of brute-force and weak user passwords. Then, they add malicious software and have access to anything in the CMS.
- WordPress is the favorite tool of many web designers. Once a designer completes a project, there’s infrequently any maintenance agreement with the customer. Without maintenance updates, the security position of given sites is made weaker and WordPress installations become easier targets.
3. Web forms: Many businesses collect customer data through web forms, sometimes including NPPI. Even though the site has an SSL certificate, some use their webhost’sphpmailer() function to send customer information to a business inbox. Mail sent via phpmailer() is unencrypted.
Peter Purcell is the co-founder of EVAN360, a problem-solving platform for businesses. He has 30+ years of experience in IT leadership and is a cybersecurity expert. He is also co-CEO and Managing Director at Trenegy Inc., where he helps companies solve strategic issues that hamper growth and change.
“Here’s what I recommend small to mid-sized businesses consider when it comes to cybersecurity…”
1. Learn why growing businesses are at risk of cyber attacks.
Though cyber attacks on large companies are more likely to make headlines, growing businesses are increasingly easy targets. That’s because they are notoriously under-resourced when it comes to cybersecurity. Growing companies faced with limited financial flexibility often consider IT support too costly. Cybersecurity is also a low priority among business owners who are primarily focused on growing their brand and turning a profit. With such an easy-in, hackers can extort thousands of dollars using seemingly inconsequential customer and employee data. While you may think your growing business isn’t at risk, one cyberattack could cost you everything.
2. Determine how you will make cybersecurity part of your company culture.
Cybersecurity is not just an IT issue. It’s a business issue on which your people have the most impact. You must remain proactive in securing information, and 90% of your efforts should center on training and education. The root cause of all security breaches is human error. So yes, utilize technology, but don’t forget people are the most important part. Here are some tips:
- Set the tone at the top. Business owners are responsible for setting the company culture. Owners who take cybersecurity seriously will influence their employees to do the same.
- Make cybersecurity part of the workplace conversation. Discuss cybersecurity measures regularly and make employees aware of the dangers. Create a best practices document with instructions for changing passwords every 90 days, updating antivirus software, downloading third-party apps, etc.
3. Take action to protect your business and stakeholders.
Consider the practical steps you will take to build a more secure environment. How will you back up data? How will you secure your network? What software is necessary? At a minimum, I recommend securing your network, protecting passwords, actively updating software, storing data in the cloud, and inventorying and protecting all networked devices. Such a list can seem overwhelming, but it’s always worth it.
Ray McKenzie is the Founder and Managing Director of Red Beach Advisors based in Los Angeles, CA. Red Beach Advisors is a technology management consultant group specializing in implementing solutions for startups, enterprise companies, and government entities through strategy, process, technology, and people.
“The top three cybersecurity considerations for small to midsize businesses are…”
Identity authentication, access management of resources, and malware protection and remediation. Small to midsize companies have difficulty with these three areas, as well as smaller budgets. Identity authentication is important. Passwords are a time of the past. While passwords can be placed with requirements to increase complexity, employees often opt for easy password options for their access. This causes a less secure IT environment and poses increased risks. Organizations should employ passwords with multi-factor authentication or biometric abilities to manage identities.
Access management is another complex cybersecurity concern. The assignment of roles, rights, and responsibilities is extremely important to protect internal and external data. The practice of implementing least-privilege access throughout an organization should be a standard operating procedure. Employees and executives should only have access to the information or systems required to perform their jobs. The more access, the more ability for a breach or release of information.
The last consideration or challenge is managing malware within an environment. Email is a primary form of communication and to ensure emails, files, and systems are protected, malware solutions are needed that can provide real-time environment protection and remediation when a breach or infection occurs. Malware is a significant cause of business disruption and productivity loss, while also being a primary cause of data breaches and vulnerabilities. Small to midsize companies should focus on implementing strategies to combat malware, strengthen identity authentication, and develop operating procedures and policies for access management.