Key Security Risks For Small Businesses

Small and medium-sized businesses are under attack from cyber criminals. There are five key risk areas to improve cyber resilience, among them, preventing human error and correcting weak governance. Whether it’s lack of resources, awareness or expertise, small businesses are as much at risk of cyberattacks as larger enterprises.

A report by Vodafone Business published in February found that over half of small and medium-sized businesses (SMBs) in the UK had experienced some form of cyberattack in 2022 – up from 39% in 2020. In addition, one third of SMBs had seen the number of attempted attacks against their business increase.

Another survey by Kaseya, the SMB Cybersecurity for MSPs Report, shows the extent to which small businesses were plagued by phishing (32%) and viruses (30%) in the past year. Worse still, around 60% of respondents feared they might be hit by a ransomware attack in the next 12 months.

Almost three quarters said that such an incident could be a death blow to their organisation due to the difficulty and cost of recovering. According to the report, the average cost of downtime following an attack on a UK-based company is as much as £53,000, while over a third of UK SMBs suffered downtime of three days or more. Worryingly, many SMBs don’t have much confidence in their ability to recover from a cyber security incident.

More than half of UK respondents admitted their organisation would find the recovery process difficult, while 8% even feared that they would not recover at all.

With cyberattacks steadily increasing, the risk of being hit is real, so businesses must ramp up their defences now to boost their cyber resilience. Here are some important measures that SMBs can take to mitigate the five most common security pitfalls.

Risk 1: Misconfigurations & Human Error

Around 90 per cent of intrusions come down to human error and misconfigurations. One example: Phishing is one of the most widely used, and successful, methods for intrusion. Malicious actors who have gained access to an employee’s user account through stolen credentials can then use misconfigurations to escalate their privileges across the business network and compromise further systems and data.

Misconfigurations in IT systems often arise over time due to the common practice of ‘set it and forget it,’ meaning new systems are configured when they are first introduced, and the settings are never updated. Or, for convenience, businesses are not following the principle of least privilege, and users and applications are granted more access rights than they need – creating security risks.

SMBs should therefore have security policies and standards that mandate regular reviews of their IT configurations and all egress areas within their digital environment. As a minimum, this process should happen annually. Look for misconfigurations in user access management, in firewall rules, in connected devices, for open ports and more. There should also be someone dedicated to keeping identity and access management rules up to date.

Risk 2: Insufficient, Or No, Security Measures

During my tenure as cybersecurity specialist with the FBI, I saw too many SMBs rely on antivirus software only. Some had no security measures at all – often because small enterprises failed to educate themselves on security, or because they had outgrown their cyber defences. The business had developed, but security had got left behind.
Any organisation, no matter how small, is a potential target for hackers. SMBs must make sure their security measures keep up with their requirements and maintain a ‘security first’ mindset. Just 15 minutes a day, or week, are enough to start educating yourself about fundamental security practices. The Center for Internet Security (CIS) Critical Security Controls and the NIST cybersecurity framework are good starting points and explain step by step the measures that organisations should take, while the SANS Institute offers training and resources.

Risk 3: Lack Of Security Awareness

Many security breaches start with employees unwittingly clicking on links in phishing emails. Security awareness training for staff is a must, but to make sure it’s effective, it’s important to pick the right training tools and the right partners.

Experience is the best teacher: Look for tools that simulate live phishing attacks, testing employees’ defences and empowering behaviour change. On top of this, SMBs should set out clear expectations for security-aware behaviour, with the end goal of educating users on being the first line of defence and empowering them to recognise phishing attempts – including consequences if best practices are not followed.

Risk 4: Unpatched IT systems, Or systems Not Regularly Updated

Unpatched security vulnerabilities in software and hardware, or outdated systems, can leave the door wide open to cybercriminals. SMBs need repeatable and sustainable processes to keep all their IT systems up to date. This includes not only staying on top of their patch management, but also regularly upgrading components and software to the latest supported versions.

When a new threat is found, it’s important to act immediately, so SMBs also need to make sure they receive critical security updates from their vendors - such as Microsoft’s Patch Tuesday bulletins, or the Android security bulletins issued by Google.

Risk 5: Weak Governance & Policies

Security problems also arise when organisations don’t manage and enforce their security policies – for instance, on strong passwords or two-factor authentication. When I was in the FBI, too many times, I saw SMBs that didn’t have policies or governance around securing their IT systems, or the policies were written once many years ago and never revisited.

SMBs should treat these policies as living, breathing documents and review and update them regularly, especially as the business grows and circumstances change. Make sure the security policies are specific and employees are aware of them. Ideally, the policies are also mapped to security frameworks.

The good news is that according to Kaseya’s SMB Cybersecurity for MSPs Report, SMBs are actively investing in cybersecurity and regular vulnerability assessments. However, many organisations will still need expert help preparing for, and dealing with, attacks. A third of UK SMBs already rely on outsourced IT support; this proportion will likely grow.

Jason Manar is CISO at Kaseya                                                            Image: energepic

You Might Also Read: 

Navigating Priorities: Cloud vs Cyber For SMEs:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Security Gaps In Business-Critical Identity Services 
Mapping Out The Journey To Zero Trust »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ThreatConnect

ThreatConnect

ThreatConnect is an enterprise threat intelligence platform by Cyber Squared bridging incident response, defense, and threat analysis for InfoSec & DFIR teams.

Data Destruction London

Data Destruction London

Data Destruction London offers fast, confidential and compliant expert data destruction services to businesses and organisations in London.

TES

TES

TES is a provider of IT Lifecycle Services, offering bespoke solutions that help customers manage the commissioning, deployment and retirement of Information Technology assets.

Cingo Solutions

Cingo Solutions

Cingo Solutions is a Managed Detection & Response company providing specialized data security services.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

LinkShadow

LinkShadow

LinkShadow is a next-generation cybersecurity solution that provides unparalleled detection of even the most sophisticated threats.

FDD Center on Cyber and Technology Innovation (CCTI)

FDD Center on Cyber and Technology Innovation (CCTI)

The Foundation for Defense of Democracies is a nonprofit research institute focusing on foreign policy and national security. Ares of focus include cyber security and technology innovation.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

Anterix

Anterix

Anterix is focused on empowering the modernization of critical infrastructure and enterprise businesses by enabling private broadband connectivity.

Matrixforce

Matrixforce

Matrixforce is a vetted IT support provider that uses the patented Delta Method of streamlining technology for financial and professional service firms to reduce complexity and avoid risk.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

Otava

Otava

Otava is a global leader of secure, compliant hybrid cloud and IT solutions for service providers, channel partners and enterprise clients.

Semgrep

Semgrep

Semgrep is a fast, open-source, static analysis tool for profoundly improving software security and reliability.

BJSS

BJSS

BJSS is an award-winning technology and engineering consultancy for business.

DACTA Global

DACTA Global

DACTA was established with the aim of simplifying the perception of complexity surrounding digital security challenges and solutions.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.