Key Security Risks For Small Businesses
Small and medium-sized businesses are under constant attack from cyber criminals. Improving cyber resilience comes down to five key risk areas, among them human error and weak governance. Lacking resources, awareness or expertise, small businesses are at least as much at risk of cyberattack as larger enterprises.
A report by Vodafone Business published in February found that over half of small and medium-sized businesses (SMBs) in the UK had experienced some form of cyberattack in 2022 – up from 39% in 2020. In addition, one third of SMBs had seen the number of attempted attacks against their business increase.
Another survey by Kaseya, the SMB Cybersecurity for MSPs Report, shows the extent to which small businesses were plagued by phishing (32%) and viruses (30%) in the past year. Worse still, around 60% of respondents feared they might be hit by a ransomware attack in the next 12 months.
Almost three quarters said that such an incident could be a death blow to their organisation due to the difficulty and cost of recovering. According to the report, the average cost of downtime following an attack on a UK-based company is as much as £53,000, while over a third of UK SMBs suffered downtime of three days or more. Worryingly, many SMBs don’t have much confidence in their ability to recover from a cyber security incident.
More than half of UK respondents admitted their organisation would find the recovery process difficult, while 8% even feared that they would not recover at all.
With cyberattacks steadily increasing, the risk of being hit is real, so businesses must ramp up their defences now to boost their cyber resilience. Here are some important measures that SMBs can take to mitigate the five most common security pitfalls.
Risk 1: Misconfigurations & Human Error
Around 90 per cent of intrusions come down to human error and misconfigurations. Phishing, for example, is one of the most widely used and most successful intrusion methods. An attacker who obtains an employee's credentials that way can then exploit misconfigurations to escalate privileges across the business network and compromise further systems and data.
Misconfigurations in IT systems often accumulate over time through the common practice of 'set it and forget it': new systems are configured when they are first introduced, and the settings are never revisited. Or, for convenience, businesses ignore the principle of least privilege and grant users and applications more access rights than they need, creating security risks.
SMBs should therefore have security policies and standards that mandate regular reviews of their IT configurations and of all egress points within their digital environment. As a minimum, this review should happen annually. Look for misconfigurations in user access management, firewall rules and connected devices, and for open ports. Someone should also be made responsible for keeping identity and access management rules up to date.
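As an added illustration of the configuration review described above (example code written for this page, not from the article or from Kaseya), here is a small Python audit that runs two of the checks a reviewer would do first: it flags firewall rules that expose management ports, or every port, to broad source ranges, and it flags enabled accounts that are idle past a threshold or that hold admin group membership without needing it. The firewall rules, account list, review date, management-port list and 90-day idle threshold are constructed assumptions; in a real review the rules and accounts would be exported from the firewall and the directory instead.

```python
"""Configuration review checks: added example, not code from the article.

The firewall rules, account list, review date, management-port list and
90-day idle threshold below are constructed assumptions for illustration;
a real review would export the rules and accounts from the firewall and
the directory (Active Directory, Entra ID, etc.) instead.
"""
from datetime import date
import ipaddress

# Assumption: ports that should never be reachable from broad source ranges.
MANAGEMENT_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
}
INACTIVE_DAYS = 90                  # assumption: accounts idle longer than this get reviewed
REVIEW_DATE = date(2024, 5, 15)     # constructed date the sample review is run on
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall rules: (name, action, source CIDR, destination port or "any").
FIREWALL_RULES = [
    ("allow-web", "allow", "0.0.0.0/0", 443),
    ("allow-rdp-legacy", "allow", "0.0.0.0/0", 3389),     # 'set and forget' leftover
    ("allow-ssh-office", "allow", "203.0.113.0/24", 22),  # scoped to one office range
    ("allow-all-test", "allow", "0.0.0.0/0", "any"),      # temporary rule never removed
    ("deny-default", "deny", "0.0.0.0/0", "any"),
]

# Constructed sample accounts: (username, groups, last login, enabled).
ACCOUNTS = [
    ("alice", ["Domain Users"], date(2024, 5, 2), True),
    ("bob", ["Domain Users", "Domain Admins"], date(2024, 5, 1), True),
    ("contractor-old", ["Domain Users", "Domain Admins"], date(2023, 9, 14), True),
    ("svc-backup", ["Domain Admins"], date(2024, 4, 30), True),
    ("carol", ["Domain Users"], date(2023, 12, 1), False),
]


def is_broad(cidr):
    """True when the source is wider than a /16 and not an RFC 1918 range,
    i.e. effectively 'anyone on the internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return net.prefixlen == 0
    return net.prefixlen < 16 and not any(net.subnet_of(p) for p in PRIVATE_NETS)


def review_firewall(rules):
    """Flag allow rules that let broad sources reach management ports or every port."""
    findings = []
    for name, action, src, port in rules:
        if action != "allow" or not is_broad(src):
            continue
        if port == "any":
            findings.append(("high", name, f"allows every port from {src}"))
        elif port in MANAGEMENT_PORTS:
            findings.append(("high", name,
                             f"exposes {MANAGEMENT_PORTS[port]} ({port}) to {src}"))
    return findings


def review_accounts(accounts, today=REVIEW_DATE):
    """Flag enabled accounts that are idle, privileged and idle, or service
    accounts holding an admin group (least-privilege violations)."""
    findings = []
    for user, groups, last_login, enabled in accounts:
        if not enabled:
            continue
        idle = (today - last_login).days
        privileged = bool(PRIVILEGED_GROUPS.intersection(groups))
        if privileged and idle > INACTIVE_DAYS:
            findings.append(("high", user, f"privileged account idle for {idle} days"))
        elif idle > INACTIVE_DAYS:
            findings.append(("medium", user, f"account idle for {idle} days"))
        elif privileged and user.startswith("svc-"):
            findings.append(("medium", user, "service account holds an admin group"))
    return findings


def run_review(rules=FIREWALL_RULES, accounts=ACCOUNTS):
    """Return every finding, highest severity first."""
    order = {"high": 0, "medium": 1}
    findings = review_firewall(rules) + review_accounts(accounts)
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, subject, message in run_review():
        print(f"[{severity.upper():6}] {subject}: {message}")
```

On the constructed data the script flags the leftover RDP rule and the "temporary" allow-all rule, the long-idle contractor account that still holds Domain Admins, and the service account with admin rights, while leaving the office-scoped SSH rule and the active users alone. The point is the shape of the check, not the thresholds: the same loop over exported rules and directory accounts is what the annual review in the text should actually run.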
Risk 2: Insufficient, Or No, Security Measures
During my tenure as cybersecurity specialist with the FBI, I saw too many SMBs rely on antivirus software only. Some had no security measures at all – often because small enterprises failed to educate themselves on security, or because they had outgrown their cyber defences. The business had developed, but security had got left behind.
Any organisation, no matter how small, is a potential target for hackers. SMBs must make sure their security measures keep up with their requirements and maintain a 'security first' mindset. Just 15 minutes a day, or even a week, is enough to start learning the fundamental security practices. The Center for Internet Security (CIS) Critical Security Controls and the NIST Cybersecurity Framework are good starting points that explain step by step the measures organisations should take, and the SANS Institute offers training and resources.
Risk 3: Lack Of Security Awareness
Many security breaches start with employees unwittingly clicking on links in phishing emails. Security awareness training for staff is a must, but to make sure it’s effective, it’s important to pick the right training tools and the right partners.
Experience is the best teacher: look for tools that simulate live phishing attacks, so that employees' defences are tested and their behaviour actually changes. On top of this, SMBs should set out clear expectations for security-aware behaviour, including consequences when best practices are not followed. The end goal is users who understand that they are the first line of defence and can recognise a phishing attempt when they see one.
Risk 4: Unpatched IT Systems, Or Systems Not Regularly Updated
Unpatched security vulnerabilities in software and hardware, or outdated systems, can leave the door wide open to cybercriminals. SMBs need repeatable and sustainable processes to keep all their IT systems up to date. This includes not only staying on top of their patch management, but also regularly upgrading components and software to the latest supported versions.
When a new vulnerability is disclosed, it's important to act immediately, so SMBs also need to make sure they receive critical security updates from their vendors, such as Microsoft's Patch Tuesday releases or the Android security bulletins issued by Google.
Risk 5: Weak Governance & Policies
Security problems also arise when organisations don’t manage and enforce their security policies – for instance, on strong passwords or two-factor authentication. When I was in the FBI, too many times, I saw SMBs that didn’t have policies or governance around securing their IT systems, or the policies were written once many years ago and never revisited.
SMBs should treat these policies as living, breathing documents and review and update them regularly, especially as the business grows and circumstances change. Make sure the security policies are specific and employees are aware of them. Ideally, the policies are also mapped to security frameworks.
The good news is that according to Kaseya’s SMB Cybersecurity for MSPs Report, SMBs are actively investing in cybersecurity and regular vulnerability assessments. However, many organisations will still need expert help preparing for, and dealing with, attacks. A third of UK SMBs already rely on outsourced IT support; this proportion will likely grow.
Jason Manar is CISO at Kaseya
Image: energepic