Light Dark
October 2, 2018 By Grant Gross 4 min read
Data Protection

Data breaches that compromise hundreds of thousands — or millions — of records tend to grab the most headlines, but small- and medium-sized businesses (SMBs) are far from immune to cyberattacks.

SMB security is full of holes, and these vulnerabilities are often the most damaging, according to recent research. For example, Verizon’s “2018 Data Breach Investigations Report” found that about 58 percent of all data breaches target small businesses. In addition, 60 percent of SMBs hit with a data breach close within six months, according to Switchfast Technologies, even though more than half of all small business leaders don’t believe they’re targets.

Small Businesses Are Easy Targets

“Think your business is too small to be targeted by a hacker? Think again,” said Chris Stoneff, vice president of security solutions at secure remote access provider Bomgar. “If your business handles any financial information or valuable data about your customers, then guess what? You’re a target for cyberattacks.”

As large enterprises increasingly focus on improving cybersecurity, cybercriminals may take the path of least resistance.

“If that path is via a smaller business with tempting customers,” Stoneff added, “you better believe they will take the easy route.”

At the same time, many small businesses don’t have a lot of money to spend on cybersecurity. In fact, nearly half of all small businesses fail within five years, according to the U.S. Small Business Administration, and cash flow problems account for a huge number of those closures.

Why You Shouldn’t Skimp on SMB Security

Cybersecurity is not the place for SMBs to cut costs, said John Watkins, vice president and chief information officer (CIO) of inRsite IT Solutions, a cloud and security provider for SMBs.

“If you don’t take cybersecurity seriously, and one day you’re forced to pay $8,000 in bitcoin to — hopefully — unlock your QuickBooks data, just remember, you saved $500 by not getting a firewall,” Watkins quipped.

Clearly, small businesses — even those with razor-thin profit margins — shouldn’t skimp on their cybersecurity protections. But assuming budgets are tight, how can SMBs make the most of their spending?

Many cybersecurity experts still recommend the basics:

  • Use multifactor authentication to sign on to company devices.
  • Require strong passwords.
  • Deploy antivirus, antispyware and firewall protection.
  • Identify the sensitive data you hold and encrypt it.
  • Regularly update software.
  • Train employees on cybersecurity.

A business-grade firewall is one of the essential basics no SMB should ignore, Watkins said.

“No, the ISP modem is not good enough,” he said. “Just run a Google search on the model number of your modem and you’ll find 10 articles listing the default admin password for it.”

Building a Holistic Security Strategy

SMB cybersecurity efforts should focus on their people and processes, “coupled with the support of reliable, well-implemented tools and technologies,” said Chris Duvall, senior director at The Chertoff Group, a company that advises clients on security and risk management.

Beyond the basics, Duvall urged SMBs to consider a virtual private network (VPN) to protect traffic in and out of their networks and a password management tool to help employees store their credentials in a single, secure location. Small businesses should also look into commercial products that package a number of security tools, such as intrusion detection and prevention systems, together.

What to Look For in an MSSP

Managed security service providers (MSSPs) enable small businesses to outsource their cybersecurity protections for a monthly fee. MSSPs can be useful for a resource-strapped SMB, Duvall noted, “but using the right MSSP and ensuring regular and detailed communication is key.” He added that with managed service becoming a popular offering in the cybersecurity industry, some companies are “labeling themselves as MSSPs but are not capable of, or qualified to, manage the security of other organizations.” SMBs should do their homework and request a “proof-of-concept” period before signing an MSSP contract.

Mike Baker, founder and principal of managed cybersecurity provider Mosaic451, agreed that outsourced services can help SMBs fight off attackers. An SMB’s IT staff can “get bogged down by providing the basics — such as routine system monitoring, software upgrades, training on new systems and services, help desk support, and the seemingly endless number of meetings,” he said. The best way to find a managed service provider, then, is through word of mouth.

“It’s always better to go with an actual referral,” Baker said. “Go with someone you know. Go with someone that a peer knows.”

Online ratings, “random top-10 lists and whatnot are paid-for marketing,” he added. “Trust them at your peril.”

Why You Must Actively Manage Your Data

Watkins and other cybersecurity professionals also advised SMBs to frequently back up their data. A cloud service is a good way to make copies that are protected from direct attacks on the business. Ransomware remains a serious threat, and some network-attached storage device makers include software to encrypt and replicate a business’ data in the cloud.

SMBs should have at least three backups of their data, Watkins recommended.

“One of the most devastating things that can happen to an SMB is data loss,” he said. “Whether caused by lightning frying your PC or cryptoware infecting your server, data loss can literally bring a business to the brink of closure.”

Frequent backups, a managed security provider, a VPN, and a well-rounded package of antivirus and intrusion detection tools are among the protections SMBs should consider to better secure their data, but establishing these defenses is only the beginning. To sustain a successful enterprise security strategy, organizations must regularly audit the efficacy of each tool and team, establish a culture of security from the top down, and scale consistently through growth phases.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Grant Gross
Writer

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature