Small and medium businesses (SMBs) have increased their digital footprint, embracing remote work, employing more internet-connected devices, and adopting new tools and technologies. They now find themselves a more attractive target to cyber criminals, and behind the headline-making attacks on large organizations, SMBs are being attacked with increasing regularity.
The exact numbers can be hard to gauge, but 69% of SMBs reported experiencing at least one cyberattack in the last year, according to Devolutions’ State of IT Security in SMBs 2023-2024 report, an increase from the previous year.
Cybersecurity incidents are particularly damaging to smaller businesses because there aren’t the financial and organizational resources to cope with the impact. In some cases, it can result in them going under.
Yet despite the increased risks, fewer than two-thirds are fully protecting their business with measures such as password managers, two-factor authentication, and cybersecurity training, according to the Devolutions report. To limit the risk of becoming a victim, experts share their advice to help SMBs turn their bad habits into better defenses.
1. Thinking you’re too small to be a target
SMBs can fall into the trap of thinking that cyber criminals are only going after the big fish, but this is far from the case. Not only are SMBs not too small to be a target, but that’s very often the reason they’re attacked.
This belief can lead to a whole host of poor practices that leave businesses exposed to a range of vulnerabilities. “Statistics show that most of the cyber attacks are geared towards SMBs because they’re seen as an easier target that doesn’t have the security posture that bigger organizations do,” says Sadiq Iqbal, cyber security advisor at Check Point Software Technologies, who oversees a raft of SMB customers.
The advice is don’t ignore precautions because you think the business is not on the radar of threat actors. “You have a bank account, and you use the internet. You’re a target, even if it’s not an intentional one,” says Carlota Sage, founder of Pocket CISO, which provides cybersecurity advice to small organizations.
In Sage’s experience, SMBs want to do the right thing, but they need more support from industry and government. Unlike in the UK and Australia, government oversight in the US is lacking and more dedicated resources are needed. “The onus is on us as security practitioners and on SMB vendors’ security teams, to better enable SMBs. We, as a nation and as those serving SMBs, need to step up,” they say.
2. Underestimating the ransomware threat for SMBs
SMBs underestimate the threat of ransomware, according to Grayson Milbourne, security intelligence director at OpenText Cybersecurity and long-time threat analyst, including for small businesses. He cites OpenText’s Global SMB Ransomware survey that found more than two-thirds (67%) of respondents either don’t believe or aren’t sure they are ransomware targets.
Too many SMBs believe cybercriminals are highly technical and sophisticated and not interested in smaller businesses. Yet this isn’t the case, with nearly half (46%) of respondents reporting being hit by a ransomware attack.
67%: More than two-thirds of SMBs don’t believe they are ransomware targets, according to OpenText’s Global SMB Ransomware survey.
It’s a low-cost, relatively easy attack tool that can be readily deployed against SMBs. “Ransomware as a service (RaaS) can be simply bought or deployed, with little technical know-how,” Milbourne tells CSO. As a result, SMBs are not setting aside sufficient resources, leaving them poorly protected. “Reframing how SMBs think about ransomware and putting policies and technology in place to better protect themselves is critical to avoid falling victim.”
If they do suffer an attack, businesses need to call on expert support to help manage the situation, especially given that making a payout is by no means a guarantee of recovering data.
There are some sobering statistics on the impact of an attack. US small businesses paid over $16,000 in ransoms last year, according to the Hiscox Cyber Readiness 2023 report. “Ransomware is costing small businesses in a big way,” says Christopher Hojnowski, VP and product head of technology and cyber at Hiscox insurers, who works with over 600,000 small businesses across the US.
Only half of surveyed businesses that paid a ransom ended up getting their data back, while half had to rebuild systems. In addition, a staggering 27% were attacked again, and another 27% were asked for more money, the survey found. “It’s certainly not recommended to pay the ransom,” says Hojnowski.
3. Viewing cybersecurity as just a technology problem
Cybersecurity can’t be addressed with technology alone and in many ways it’s a human problem, according to Sage. “Technology enables attacks, technology facilitates preventing attacks, technology helps with cleaning up after an attack, but that technology requires a knowledgeable human to be effective, at least for now,” they say.
This also feeds into two other problems: a lack of budget and no dedicated responsibility for cybersecurity. “These are significant challenges for SMBs, leaving them without guidance on compliance frameworks and a clear direction, and reliant on providers for support,” says Iqbal.
Iqbal recommends that SMBs always look to government resources for guidelines and best practices and at least start with the basic protections that are recommended. In the US, for example, the Small Business Administration and the Federal Communications Commission both offer information and resources, while the UK’s National Cyber Security Centre has guidance and the Global Cyber Alliance (GCA) also has a small business toolkit. The Australian Signals Directorate also has a guide for small business.
Sage adds that as most businesses are using Google Workspace or Microsoft Office 365, the respective knowledge bases are a wealth of information. Outside of these platforms, look to local sources of guidance. “There’s also local community colleges, town and county small business centers or economic development departments, and state commerce departments should also be able to connect you to cybersecurity resources,” Sage tells CSO.
4. Not employing good cyber hygiene
Adopting good cyber hygiene habits should be a no-brainer, although in practice it can be hit and miss. For instance, allowing the use of weak passwords is all too common, according to Iqbal. He has also found instances where the default password for logins has not been changed, or where all the passwords for security servers have been changed to a single password and there isn’t a separate administrative password. “The admin account is the most lucrative account threat actors are looking to compromise. It just takes one compromise and then the keys to the kingdom are flung open to all your potential threat actors,” he says.
Backups are widely deployed, but SMBs often overlook the importance of backup testing. If the business suffers an attack and the backup fails, it can be catastrophic. “You want to be able to recover and mitigate damage from a threat attack and that means having a reliable backup that’s been checked to ensure it’s not corrupt or doesn’t have any other issues,” Iqbal says.
53%: Just over half of US SMBs have a cyber insurance policy, according to the Hiscox Cyber Readiness 2023 report.
It’s also important to have adequate cyber insurance, yet only 53% of US small businesses have an insurance policy that includes cyber coverage, Hiscox has found.
And it’s not just the cost to their own business that they risk. “Small businesses that don’t hold sufficient cyber coverage may be financially liable for the results of an attack,” says Hojnowski. Cyber insurance provides protection from emerging threats and covers the cost of responding to a breach, as well as providing a point person, which can help contain the damage.
5. Not prioritizing cybersecurity
When SMBs leverage new technologies, the consideration of risks isn’t the same as it is for enterprises, but they face many of the same risks, according to Raj Samani, chief scientist at Rapid7.
Whereas enterprises tend to view new technology through a risk management lens, smaller outfits tend to prioritize efficiency above security. Samani has seen cases where smaller businesses acquire new digital systems such as remote access protocols, which can leave them vulnerable to attack, as remote access is a common entry vector used by ransomware groups to break into companies.
For SMBs, adopting new digital tools requires a different approach, but they don’t have the luxury of bringing in a big consulting firm to give them advice. “There needs to be a simpler means to articulate what needs to be done for their security,” says Samani.
Another common mistake small businesses make is not implementing multifactor authentication, according to Hojnowski. “It should be one of the first steps to help better secure your business.”
To set the right priorities, Hojnowski’s advice is to start by analyzing the current cybersecurity posture, but don’t overlook potential vulnerabilities. Evaluate if the budget is sufficient and the particular needs the business may have. “Are you operating in, with or for an industry considered as higher risk targets, and what are your needs in the event there’s a breach?” Hojnowski says.
Once this baseline is established, take a systematic approach to improving defenses and adopt best practice principles, such as:
- Enable automatic updates on all systems and software and keep them properly patched.
- Run employee training programs that help staff spot phishing emails, business email compromise and wrongful funds transfers, teach them how to create strong passwords, and cover other topics where needed.
- Employ a range of security tools, including firewalls, anti-virus, endpoint detection and response, and inbox protection mechanisms.
- Back up data to the cloud as well as maintaining on-site backups, ensure all data is encrypted, and check that the backups can be restored.
- Put company policies and procedures in place to protect against attacks, secure data, and handle the situation if data can’t be accessed.
6. Not matching the budget to the growing risk profile
SMBs need a budget commensurate with their risk profile and that considers their needs, important business information, and if they hold sensitive personal data. “Each company needs to evaluate their operations and how much they are willing to spend to help prevent a potential business interruption,” says Hojnowski.
The cost of security needs to sit alongside marketing, sales and other costs that support the operations of the business. “A business knows how much it costs per employee to buy the tools and licenses for the business to run and how much it spends on sales and marketing to acquire or keep customers,” Sage says. It needs to spend a proportionate amount to secure the work of its employees and to protect its customers, prospects, and products. “It needs to be calculated in relation to the business’s market and its complexity,” says Sage.