Key Security Risks For Small Businesses

Small and medium-sized businesses are under attack from cyber criminals. Whether the cause is a lack of resources, awareness or expertise, small businesses are as much at risk of cyberattacks as larger enterprises. There are five key risk areas where improvements build cyber resilience, among them preventing human error and correcting weak governance.

A report by Vodafone Business published in February found that over half of small and medium-sized businesses (SMBs) in the UK had experienced some form of cyberattack in 2022 – up from 39% in 2020. In addition, one third of SMBs had seen the number of attempted attacks against their business increase.

Another survey by Kaseya, the SMB Cybersecurity for MSPs Report, shows the extent to which small businesses were plagued by phishing (32%) and viruses (30%) in the past year. Worse still, around 60% of respondents feared they might be hit by a ransomware attack in the next 12 months.

Almost three quarters said that such an incident could be a death blow to their organisation due to the difficulty and cost of recovering. According to the report, the average cost of downtime following an attack on a UK-based company is as much as £53,000, while over a third of UK SMBs suffered downtime of three days or more. Worryingly, many SMBs don’t have much confidence in their ability to recover from a cyber security incident.

More than half of UK respondents admitted their organisation would find the recovery process difficult, while 8% even feared that they would not recover at all.

With cyberattacks steadily increasing, the risk of being hit is real, so businesses must ramp up their defences now to boost their cyber resilience. Here are some important measures that SMBs can take to mitigate the five most common security pitfalls.

Risk 1: Misconfigurations & Human Error

Around 90 per cent of intrusions come down to human error and misconfigurations. Phishing, for example, is one of the most widely used, and most successful, methods of intrusion. Malicious actors who have gained access to an employee’s user account through stolen credentials can then use misconfigurations to escalate their privileges across the business network and compromise further systems and data.

Misconfigurations in IT systems often arise over time due to the common practice of ‘set it and forget it,’ meaning new systems are configured when they are first introduced, and the settings are never updated. Or, for convenience, businesses are not following the principle of least privilege, and users and applications are granted more access rights than they need – creating security risks.

SMBs should therefore have security policies and standards that mandate regular reviews of their IT configurations and all egress points within their digital environment. As a minimum, this review should happen annually. Look for misconfigurations in user access management, firewall rules and connected devices, and for open ports. There should also be someone dedicated to keeping identity and access management rules up to date.
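One way to make this review repeatable, as an added example that is not code from the article or from Kaseya: a small Python audit over a constructed configuration snapshot (hypothetical users, roles and firewall rules) that flags rights granted beyond a role's allowance, ingress rules open to any source, and rules that have not been reviewed within the annual window.

```python
from datetime import date

# Constructed snapshot for illustration only; none of these users, roles or
# rules come from a real environment.
REVIEW_INTERVAL_DAYS = 365          # the article's minimum: review at least annually
AUDIT_DATE = date(2023, 6, 1)       # fixed "today" so results are reproducible

ROLE_ALLOWED = {                    # rights each role legitimately needs
    "sales": {"crm:read", "crm:write"},
    "finance": {"ledger:read", "ledger:write", "crm:read"},
    "it-admin": {"*"},
}

USERS = [
    {"name": "alice", "role": "sales", "rights": {"crm:read", "crm:write"}},
    {"name": "bob", "role": "sales", "rights": {"crm:read", "crm:write", "ledger:write"}},
    {"name": "svc-backup", "role": "finance", "rights": {"ledger:read", "*"}},
]

FIREWALL_RULES = [
    {"id": 1, "direction": "ingress", "src": "10.0.0.0/8", "port": 443, "last_reviewed": date(2023, 1, 10)},
    {"id": 2, "direction": "ingress", "src": "0.0.0.0/0", "port": 3389, "last_reviewed": date(2020, 3, 2)},
    {"id": 3, "direction": "egress", "dst": "0.0.0.0/0", "port": 0, "last_reviewed": date(2019, 6, 1)},
]


def excess_rights(users, role_allowed):
    """Least-privilege check: rights a user holds beyond what their role permits."""
    findings = []
    for u in users:
        allowed = role_allowed.get(u["role"], set())
        if "*" in allowed:                      # role is intentionally unrestricted
            continue
        extra = sorted(u["rights"] - allowed)   # a stray "*" shows up here too
        if extra:
            findings.append((u["name"], extra))
    return findings


def stale_or_open_rules(rules, today=AUDIT_DATE, max_age_days=REVIEW_INTERVAL_DAYS):
    """Flags 'set it and forget it' rules, any-source ingress and unrestricted egress."""
    findings = []
    for r in rules:
        age = (today - r["last_reviewed"]).days
        if age > max_age_days:
            findings.append((r["id"], f"not reviewed for {age} days"))
        if r["direction"] == "ingress" and r.get("src") == "0.0.0.0/0":
            findings.append((r["id"], f"port {r['port']} open to any source"))
        if r["direction"] == "egress" and r.get("dst") == "0.0.0.0/0" and r["port"] == 0:
            findings.append((r["id"], "unrestricted egress"))
    return findings


if __name__ == "__main__":
    for f in excess_rights(USERS, ROLE_ALLOWED) + stale_or_open_rules(FIREWALL_RULES):
        print("FINDING:", f)
```

Feeding the audit from an export of your real identity provider and firewall, rather than the embedded sample, turns the annual review into a script that can be run on a schedule.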

Risk 2: Insufficient, Or No, Security Measures

During my tenure as a cybersecurity specialist with the FBI, I saw too many SMBs rely on antivirus software only. Some had no security measures at all – often because small enterprises had failed to educate themselves on security, or because they had outgrown their cyber defences. The business had developed, but security had been left behind.

Any organisation, no matter how small, is a potential target for hackers. SMBs must make sure their security measures keep up with their requirements and maintain a ‘security first’ mindset. Just 15 minutes a day, or a week, is enough to start educating yourself about fundamental security practices. The Center for Internet Security (CIS) Critical Security Controls and the NIST Cybersecurity Framework are good starting points and explain step by step the measures that organisations should take, while the SANS Institute offers training and resources.

Risk 3: Lack Of Security Awareness

Many security breaches start with employees unwittingly clicking on links in phishing emails. Security awareness training for staff is a must, but to make sure it’s effective, it’s important to pick the right training tools and the right partners.

Experience is the best teacher: Look for tools that simulate live phishing attacks, testing employees’ defences and empowering behaviour change. On top of this, SMBs should set out clear expectations for security-aware behaviour, with the end goal of educating users on being the first line of defence and empowering them to recognise phishing attempts – including consequences if best practices are not followed.

Risk 4: Unpatched IT Systems, Or Systems Not Regularly Updated

Unpatched security vulnerabilities in software and hardware, or outdated systems, can leave the door wide open to cybercriminals. SMBs need repeatable and sustainable processes to keep all their IT systems up to date. This includes not only staying on top of their patch management, but also regularly upgrading components and software to the latest supported versions.

When a new threat is found, it’s important to act immediately, so SMBs also need to make sure they receive critical security updates from their vendors – such as Microsoft’s Patch Tuesday bulletins or the Android security bulletins issued by Google.

Risk 5: Weak Governance & Policies

Security problems also arise when organisations don’t manage and enforce their security policies – for instance, on strong passwords or two-factor authentication. When I was in the FBI, too many times, I saw SMBs that didn’t have policies or governance around securing their IT systems, or the policies were written once many years ago and never revisited.

SMBs should treat these policies as living, breathing documents and review and update them regularly, especially as the business grows and circumstances change. Make sure the security policies are specific and employees are aware of them. Ideally, the policies are also mapped to security frameworks.

The good news is that according to Kaseya’s SMB Cybersecurity for MSPs Report, SMBs are actively investing in cybersecurity and regular vulnerability assessments. However, many organisations will still need expert help preparing for, and dealing with, attacks. A third of UK SMBs already rely on outsourced IT support; this proportion will likely grow.

Jason Manar is CISO at Kaseya
