Three reasons why small and medium-sized businesses fail at cybersecurity — and what they can do about it
There have been a series of major cyberattacks taking advantage of IT vulnerabilities within businesses across the U.S. and abroad. The unfortunate truth is that there isn’t a place, industry, business, or organization that’s immune to attack. These attacks are not just limited to larger companies such as Equifax.
Small and medium-sized businesses (SMBs) remain a growing target of cyberattacks, such as data breaches, ransomware, and spear phishing. According to the Ponemon Institute, 50% of small businesses surveyed in 2016 reported that they had experienced a data breach. Additionally, Malwarebytes found in two studies conducted in 2017 and 2016 that ransomware attacks against businesses are on the rise and that nearly a quarter of SMBs that suffer these attacks don’t have the resiliency to recover and remain in business afterward. Finally, Symantec’s research shows that spear-phishing attacks, which seek to target specific company members with email scams that install viruses and other malware, have been increasing against small businesses dramatically every year since 2011.
Based on years of supporting the IT and data needs of these types of companies, we’ve noted three major issues arise when it comes to protecting against these vulnerabilities:
1. Lack of accountability in the C-Suite
Small businesses commonly undervalue the risks they face because they either don’t think they’re targets or they are unaware of the potential impact an attack can bring to the company. But just because your company hasn’t yet suffered a significant cyberattack or data breach doesn’t mean you won’t eventually — and it’s going to cost you. That cost could be in operational impact, dollars, or reputation — or more likely all three.
Admittedly, IT teams need to do a better job educating the C-suite on what cybersecurity means and the business risk of vulnerabilities. However, you can engage them by asking some basic questions about your company risks. While CEOs don’t need to know all the ins and outs of how to reduce the risk of cyber threats to their businesses — that’s the job of whoever is responsible for IT — they do need to understand what’s at stake, what can reasonably be done to reduce risk, and how the company will respond to the most likely threat scenarios.
What businesses can do to reduce risk: Conversations the C-suite should be having.
An easy place to start is by using your knowledge of the company and discussing what digital assets you have. Treat your data like other valuable company assets. Organizations need to know what data they have and where it lives before they can keep it safe.
Appointing a person to be responsible for data security is an important first step. Once there is a clear owner, that individual can be tasked with identifying roles and access rights. Every employee should be assigned a defined level of access to company data; data cannot be protected unless it is clearly documented who should have access to which assets.
Get your data under control, and you’ve gone a long way to being more secure.
2. Misconceptions about defense resources
In IT security, “vulnerability” means a weakness that allows an attacker to reduce a system’s information assurance. It’s the crossroads of three components:
- A system weakness or flaw
- An attacker’s awareness of and access to the weakness
- An attacker’s capability to exploit the weakness
The WannaCry ransomware attacks, which took advantage of Windows systems on which a free security patch had not been applied, highlight why so many SMBs struggle with cybersecurity. They believe that attacks are highly sophisticated and therefore require equally sophisticated defense systems. In reality, the affected systems were breached from the internet through a vulnerability that is easily identified and mitigated. Internet security doesn’t have to be a budget buster; it comes down to having the right solutions, processes, and resources.
Establishing a strong IT security program that utilizes investments in cybersecurity solutions is simply good business.
What businesses can do to reduce risk: Utilize internet security best practices.
For the following technologies, the question should not be whether you have them, but rather which solutions you chose to implement and how they align with your business needs and culture.
Routine vulnerability scanning – Probably the most overlooked and underutilized tool, vulnerability scanning literally tells you where your systems are weak. Threat actors use this information all the time. Beat them to the punch.
Advanced email filtering – Assuming email protection is included with an email service provider such as Microsoft or Google is a bad idea. Microsoft’s Advanced Threat Protection is not included in most of its Office 365 subscription plans. Email is a primary attack vector for end users in your company. Be sure you are protected with the appropriate add-on services or third-party solution providers, such as Mimecast or Barracuda Networks.
Web filtering – If email is the primary attack vector for end users, then the secondary one is malicious websites. Despite what most SMBs believe, web filtering is not a company culture discussion. At a minimum, use a web filtering service to block end users from reaching known malicious websites.
3. Maturity of policies and procedures (throughout your organization)
It’s one thing to have strong cybersecurity policies, but those efforts need strong processes and procedures to support them.
How do you know security policies are being followed? Did you get a simple “yes” response when you asked the question? What data or information was provided to support the response? To maintain an effective IT security program, policies and procedures need to be developed enough such that they can create accountability. But make sure not to confuse maturity with complexity.
What businesses can do to reduce risk: Create a “trust, but verify” culture around these key policies and procedures.
Accounts payable – Phishing techniques commonly rely on undeveloped processes for approving payments. A secondary sign off and validation of the payment request will interrupt most phishing scams.
Backup and recovery – If you haven’t tested backup plans, it’s almost certain they won’t work when you need them to. At a minimum, perform an annual test that includes end-user validation of key systems.
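The annual restore test described above can be turned into a repeatable drill rather than a one-time exercise. The following is an added example, not tooling from the article or its authors: it backs up a directory of constructed sample files, restores the archive to a separate location, and compares a SHA-256 hash of every file against the original. It also tampers with one restored file afterward to confirm that the check actually reports corruption rather than silently passing.

```python
"""Backup restore drill: back up a directory, restore it elsewhere, and verify
every file's SHA-256 matches the original. Sample files are constructed and
written to a temporary directory; nothing here touches real backup systems.
Added example, not the article's own tooling."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def snapshot_hashes(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def make_backup(src: Path, archive: Path) -> Path:
    """Write a gzip-compressed tar of src; contents sit at the archive root."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return archive


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest, using the safe 'data' filter where the
    running Python provides it (3.12+, and backports)."""
    dest.mkdir(parents=True, exist_ok=True)
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(dest), **extract_opts)
    return dest


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare expected hashes with the restored tree.
    Returns {'missing': [...], 'corrupt': [...], 'extra': [...]}; all lists
    empty means the restore is faithful."""
    actual = snapshot_hashes(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "extra": sorted(set(actual) - set(expected)),
    }


def run_restore_test(files: dict) -> tuple:
    """End-to-end drill on constructed files: back up, restore, verify.
    Returns (clean_report, tampered_report); the second is produced after one
    restored file is overwritten, proving the verification detects damage."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        for rel, data in files.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        expected = snapshot_hashes(src)
        archive = make_backup(src, tmp / "backup.tar.gz")
        restored = restore_backup(archive, tmp / "restore")
        clean = verify_restore(expected, restored)
        # Simulate silent corruption of the first restored file (sorted order)
        (restored / sorted(files)[0]).write_bytes(b"corrupted")
        tampered = verify_restore(expected, restored)
    return clean, tampered


SAMPLE_FILES = {  # constructed sample data, not real business records
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "hr/roster.csv": b"name,status\nalice,active\n",
    "notes.txt": b"quarterly planning\n",
}

if __name__ == "__main__":
    clean, tampered = run_restore_test(SAMPLE_FILES)
    print("restore test:", "PASS" if not any(clean.values()) else clean)
    print("corruption detected in:", tampered["corrupt"])
```

The hash comparison is the part most ad-hoc restore tests skip: a restore that "completes" but yields truncated or stale files looks identical to a good one unless the contents are checked against a record taken before the backup. The article's point about end-user validation still applies on top of this; a byte-exact restore of the wrong system or the wrong date is not a recovery.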
User management and access – In our experience with SMBs, it is common to find former employees who still have access to company files because of undeveloped and inconsistent procedures between HR and IT. To avoid this problem, understand where IT has to work with other departments to drive accountability.
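One concrete way to close the HR/IT gap described above is a periodic reconciliation of the HR roster against the account directory, so that a terminated employee whose account was never disabled is surfaced automatically rather than discovered by accident. The following is an added example, not tooling from the article or its authors. The record shapes (`HrRecord`, `Account`) and field names are assumptions standing in for whatever the HR system and directory export; the sample records are constructed. It flags three conditions: an enabled account tied to a terminated employee, an enabled account with no HR record at all, and an enabled account with no recent logon.

```python
"""Leaver reconciliation: compare the HR roster with the account directory and
report enabled accounts that should be reviewed or disabled. Record shapes and
sample data are constructed assumptions, not a real HRIS or directory schema.
Added example, not the article's own tooling."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]        # None when nothing links it to a person
    enabled: bool
    last_logon: Optional[date]        # None if the account has never logged on


# Finding codes; a report consumer can route each one differently
TERMINATED_STILL_ENABLED = "TERMINATED_STILL_ENABLED"
NO_HR_RECORD = "NO_HR_RECORD"
STALE_LOGON = "STALE_LOGON"


def reconcile(roster: List[HrRecord], accounts: List[Account], today: date,
              stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return a sorted list of (username, finding) for enabled accounts.
    Disabled accounts are skipped: they are already remediated, and reporting
    them would bury the live problems in noise."""
    by_id = {r.employee_id: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        hr = by_id.get(acct.employee_id) if acct.employee_id else None
        if hr is None:
            # Service accounts and orphans land here; each needs a named owner
            findings.append((acct.username, NO_HR_RECORD))
        elif hr.status == "terminated":
            findings.append((acct.username, TERMINATED_STILL_ENABLED))
        # Stale logon is reported independently: an unused enabled account is
        # attack surface whether or not HR still lists the person
        if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings.append((acct.username, STALE_LOGON))
    return sorted(findings)


# Constructed sample data (not real employees or accounts)
AS_OF = date(2024, 6, 1)
SAMPLE_ROSTER = [
    HrRecord("E100", "active"),
    HrRecord("E101", "terminated", date(2024, 3, 1)),
    HrRecord("E102", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 5, 30)),   # healthy
    Account("bob", "E101", True, date(2024, 2, 28)),     # left in March, still enabled
    Account("carol", "E102", True, None),                # never logged on
    Account("svc-backup", None, True, date(2024, 5, 31)),  # no HR linkage
    Account("dave", "E103", False, date(2023, 1, 1)),    # disabled: ignored
]

if __name__ == "__main__":
    for username, finding in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{username:12} {finding}")
```

Run on a schedule and routed to whoever owns data security (the first step the article recommends), a report like this makes the HR-to-IT handoff verifiable instead of assumed. The stale-logon threshold is a policy choice; 90 days is used here only as a placeholder.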
Endpoint management – Most threats are successful because endpoints are not current on updates. Utilize a third party to review the IT infrastructure and validate key items such as patches and anti-virus are fully functional in the environment.
Still need help?
Cybersecurity is an ongoing practice with rapid change. If you don’t have the resources in place to constantly manage the unique cybersecurity issues facing your business, consider outsourcing (or co-sourcing). Having access to an experienced, proactive knowledge base that has your back can help protect your company from a costly breach.