Key Security Risks For Small Businesses

Small and medium-sized businesses are under attack from cyber criminals. There are five key risk areas in which they can improve their cyber resilience, among them preventing human error and correcting weak governance. Whether it’s through lack of resources, awareness or expertise, small businesses are as much at risk of cyberattacks as larger enterprises.

A report by Vodafone Business published in February found that over half of small and medium-sized businesses (SMBs) in the UK had experienced some form of cyberattack in 2022 – up from 39% in 2020. In addition, one third of SMBs had seen the number of attempted attacks against their business increase.

Another survey by Kaseya, the SMB Cybersecurity for MSPs Report, shows the extent to which small businesses were plagued by phishing (32%) and viruses (30%) in the past year. Worse still, around 60% of respondents feared they might be hit by a ransomware attack in the next 12 months.

Almost three quarters said that such an incident could be a death blow to their organisation due to the difficulty and cost of recovering. According to the report, the average cost of downtime following an attack on a UK-based company is as much as £53,000, while over a third of UK SMBs suffered downtime of three days or more. Worryingly, many SMBs don’t have much confidence in their ability to recover from a cyber security incident.

More than half of UK respondents admitted their organisation would find the recovery process difficult, while 8% even feared that they would not recover at all.

With cyberattacks steadily increasing, the risk of being hit is real, so businesses must ramp up their defences now to boost their cyber resilience. Here are some important measures that SMBs can take to mitigate the five most common security pitfalls.

Risk 1: Misconfigurations & Human Error

Around 90 per cent of intrusions come down to human error and misconfigurations. Phishing, for example, is one of the most widely used, and most successful, methods of intrusion. Malicious actors who have gained access to an employee’s user account through stolen credentials can then exploit misconfigurations to escalate their privileges across the business network and compromise further systems and data.

Misconfigurations in IT systems often arise over time due to the common practice of ‘set it and forget it,’ meaning new systems are configured when they are first introduced, and the settings are never updated. Or, for convenience, businesses are not following the principle of least privilege, and users and applications are granted more access rights than they need – creating security risks.

SMBs should therefore have security policies and standards that mandate regular reviews of their IT configurations and of all egress points within their digital environment. As a minimum, this review should happen annually. Look for misconfigurations in user access management, in firewall rules and in connected devices, check for open ports, and so on. There should also be someone dedicated to keeping identity and access management rules up to date.
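The review described above can be partly automated. The following Python script is an added example, not code from the article or from Kaseya: it audits two of the areas named (firewall rules and user access management) against a least-privilege baseline. The firewall rules, user list and the role-to-group mapping `ROLE_BASELINE` are all constructed for the example; the sensitive-port list and the 90-day dormancy threshold are assumptions a real review would tune to its own environment.

```python
"""Configuration review helper (added example; not the article's or Kaseya's code).

Flags two classic misconfigurations the article warns about:
  * firewall rules that expose management or file-sharing ports to the world
  * user accounts holding more group membership than their role needs,
    privileged accounts without MFA, and dormant accounts
All data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Ports where an "allow from anywhere" rule is almost always a mistake (assumed list).
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL"}
WORLD_SOURCES = {"any", "0.0.0.0/0", "::/0"}


@dataclass
class FirewallRule:
    name: str
    action: str           # "allow" or "deny"
    source: str           # CIDR or "any"
    port: Optional[int]   # None means every port


@dataclass
class User:
    name: str
    role: str
    groups: List[str]
    mfa_enabled: bool
    last_login_days: int


# Hypothetical least-privilege baseline: which groups each role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts": {"finance-share"},
    "sales": {"crm-users"},
    "it-admin": {"domain-admins", "crm-users", "finance-share"},
}


def audit_firewall(rules: List[FirewallRule]) -> List[str]:
    """Return findings for allow rules that are open to the whole internet."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.source not in WORLD_SOURCES:
            continue
        if r.port is None:
            findings.append(f"{r.name}: allows all ports from anywhere")
        elif r.port in SENSITIVE_PORTS:
            findings.append(f"{r.name}: {SENSITIVE_PORTS[r.port]} ({r.port}) exposed to anywhere")
    return findings


def audit_users(users: List[User], baseline=ROLE_BASELINE, stale_days: int = 90) -> List[str]:
    """Return findings for over-privileged, MFA-less privileged, or dormant accounts."""
    findings = []
    for u in users:
        extra = sorted(set(u.groups) - baseline.get(u.role, set()))
        if extra:
            findings.append(f"{u.name}: groups beyond role '{u.role}': {', '.join(extra)}")
        if "domain-admins" in u.groups and not u.mfa_enabled:
            findings.append(f"{u.name}: privileged account without MFA")
        if u.last_login_days > stale_days:
            findings.append(f"{u.name}: dormant for {u.last_login_days} days, consider disabling")
    return findings


# Constructed sample data standing in for a firewall export and a directory dump.
RULES = [
    FirewallRule("web-in", "allow", "any", 443),             # fine: public web
    FirewallRule("legacy-rdp", "allow", "any", 3389),        # RDP open to the world
    FirewallRule("vendor-all", "allow", "0.0.0.0/0", None),  # "set and forget" catch-all
    FirewallRule("office-ssh", "allow", "203.0.113.0/24", 22),
    FirewallRule("default-deny", "deny", "any", None),
]
USERS = [
    User("alice", "accounts", ["finance-share"], True, 3),
    User("bob", "sales", ["crm-users", "domain-admins"], False, 10),   # over-privileged, no MFA
    User("carol", "it-admin", ["domain-admins", "crm-users", "finance-share"], True, 1),
    User("temp-contractor", "sales", ["crm-users"], True, 200),        # dormant
]


def run_review(rules=RULES, users=USERS) -> Dict[str, List[str]]:
    """Run both audits and return the findings grouped by area."""
    return {"firewall": audit_firewall(rules), "users": audit_users(users)}


if __name__ == "__main__":
    for area, items in run_review().items():
        print(f"[{area}] {len(items)} finding(s)")
        for line in items:
            print("  -", line)
```

Run the script on an export of your own rules and accounts; every finding it prints is a candidate for the annual review list, and the baseline mapping doubles as written-down least-privilege policy.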

Risk 2: Insufficient, Or No, Security Measures

During my tenure as cybersecurity specialist with the FBI, I saw too many SMBs rely on antivirus software only. Some had no security measures at all – often because small enterprises failed to educate themselves on security, or because they had outgrown their cyber defences. The business had developed, but security had got left behind.

Any organisation, no matter how small, is a potential target for hackers. SMBs must make sure their security measures keep up with their requirements and maintain a ‘security first’ mindset. Just 15 minutes a day, or a week, is enough to start educating yourself about fundamental security practices. The Center for Internet Security (CIS) Critical Security Controls and the NIST Cybersecurity Framework are good starting points and explain step by step the measures that organisations should take, while the SANS Institute offers training and resources.

Risk 3: Lack Of Security Awareness

Many security breaches start with employees unwittingly clicking on links in phishing emails. Security awareness training for staff is a must, but to make sure it’s effective, it’s important to pick the right training tools and the right partners.

Experience is the best teacher: Look for tools that simulate live phishing attacks, testing employees’ defences and empowering behaviour change. On top of this, SMBs should set out clear expectations for security-aware behaviour, with the end goal of educating users on being the first line of defence and empowering them to recognise phishing attempts – including consequences if best practices are not followed.

Risk 4: Unpatched IT Systems, Or Systems Not Regularly Updated

Unpatched security vulnerabilities in software and hardware, or outdated systems, can leave the door wide open to cybercriminals. SMBs need repeatable and sustainable processes to keep all their IT systems up to date. This includes not only staying on top of their patch management, but also regularly upgrading components and software to the latest supported versions.

When a new threat is found, it’s important to act immediately, so SMBs also need to make sure they receive critical security updates from their vendors – such as Microsoft’s Patch Tuesday bulletins, or the Android security bulletins issued by Google.
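A repeatable patch process needs a way to tell which systems are still behind once a vendor bulletin arrives. The script below is an added example, not code from the article or from Kaseya: it compares a constructed asset inventory against a constructed list of advisories, reports every host running a version older than the fix, and marks the ones that have overrun an assumed patching SLA. Product names, advisory identifiers (labelled placeholders), versions and the SLA windows are all invented for the example.

```python
"""Patch-currency check (added example; not the article's or Kaseya's code).

Given an asset inventory and a list of vendor advisories, list every host that
is still below the fixed version, and flag those outside an assumed remediation
SLA.  All products, versions, advisory ids and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.0.5' into (16, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    advisory_id: str      # placeholder id; real ones come from the vendor bulletin
    product: str
    fixed_version: str    # first version that contains the fix
    severity: str         # "critical", "high" or "medium"
    published: date


@dataclass
class Asset:
    hostname: str
    product: str
    version: str


# Assumed remediation windows in days, by severity (hypothetical SLA).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


def find_unpatched(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Dict]:
    """Return one finding per (advisory, vulnerable host) pair, with SLA status."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_version)
        age_days = (today - adv.published).days
        for asset in assets:
            if asset.product != adv.product:
                continue
            if parse_version(asset.version) < fixed:
                findings.append({
                    "host": asset.hostname,
                    "advisory": adv.advisory_id,
                    "product": adv.product,
                    "installed": asset.version,
                    "fixed": adv.fixed_version,
                    "severity": adv.severity,
                    "age_days": age_days,
                    "overdue": age_days > SLA_DAYS[adv.severity],
                })
    # Most urgent first: overdue items, then by severity order, then by age.
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (not f["overdue"], order[f["severity"]], -f["age_days"]))
    return findings


# Constructed sample data.
ADVISORIES = [
    Advisory("ADV-0001 (placeholder)", "ExampleOffice", "16.0.5", "critical", date(2023, 3, 14)),
    Advisory("ADV-0002 (placeholder)", "ExampleBrowser", "112.0.1", "high", date(2023, 4, 4)),
]
ASSETS = [
    Asset("finance-pc-01", "ExampleOffice", "16.0.3"),   # behind, and well past 14 days
    Asset("sales-pc-02", "ExampleOffice", "16.0.5"),     # up to date
    Asset("sales-pc-03", "ExampleBrowser", "111.2.0"),   # behind, still inside the 30-day window
    Asset("reception-pc", "ExampleBrowser", "112.0.1"),  # up to date
]
TODAY = date(2023, 4, 10)  # fixed so the example is reproducible


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings and how many have breached the SLA."""
    return {"total": len(findings), "overdue": sum(1 for f in findings if f["overdue"])}


if __name__ == "__main__":
    results = find_unpatched(ASSETS, ADVISORIES, TODAY)
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']}: {f['product']} {f['installed']} < {f['fixed']} "
              f"[{f['severity']}, {f['age_days']} days, {flag}] {f['advisory']}")
    print(summarize(results))
```

Feed it the real inventory from your endpoint management tool and the advisories you subscribe to, and the sorted output becomes the patch queue for the week; anything marked overdue is where the "act immediately" advice applies.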

Risk 5: Weak Governance & Policies

Security problems also arise when organisations don’t manage and enforce their security policies – for instance, on strong passwords or two-factor authentication. When I was in the FBI, too many times, I saw SMBs that didn’t have policies or governance around securing their IT systems, or the policies were written once many years ago and never revisited.

SMBs should treat these policies as living, breathing documents and review and update them regularly, especially as the business grows and circumstances change. Make sure the security policies are specific and employees are aware of them. Ideally, the policies are also mapped to security frameworks.

The good news is that according to Kaseya’s SMB Cybersecurity for MSPs Report, SMBs are actively investing in cybersecurity and regular vulnerability assessments. However, many organisations will still need expert help preparing for, and dealing with, attacks. A third of UK SMBs already rely on outsourced IT support; this proportion will likely grow.

Jason Manar is CISO at Kaseya
