October 2, 2018 By Grant Gross 4 min read

Data breaches that compromise hundreds of thousands — or millions — of records tend to grab the most headlines, but small- and medium-sized businesses (SMBs) are far from immune to cyberattacks.

SMB security is full of holes, and these vulnerabilities are often the most damaging, according to recent research. For example, Verizon’s “2018 Data Breach Investigations Report” found that about 58 percent of all data breaches target small businesses. In addition, 60 percent of SMBs hit with a data breach close within six months, according to Switchfast Technologies, even though more than half of all small business leaders don’t believe they’re targets.

Small Businesses Are Easy Targets

“Think your business is too small to be targeted by a hacker? Think again,” said Chris Stoneff, vice president of security solutions at secure remote access provider Bomgar. “If your business handles any financial information or valuable data about your customers, then guess what? You’re a target for cyberattacks.”

As large enterprises increasingly focus on improving cybersecurity, cybercriminals may take the path of least resistance.

“If that path is via a smaller business with tempting customers,” Stoneff added, “you better believe they will take the easy route.”

At the same time, many small businesses don’t have a lot of money to spend on cybersecurity. In fact, nearly half of all small businesses fail within five years, according to the U.S. Small Business Administration, and cash flow problems account for a huge number of those closures.

Why You Shouldn’t Skimp on SMB Security

Cybersecurity is not the place for SMBs to cut costs, said John Watkins, vice president and chief information officer (CIO) of inRsite IT Solutions, a cloud and security provider for SMBs.

“If you don’t take cybersecurity seriously, and one day you’re forced to pay $8,000 in bitcoin to — hopefully — unlock your QuickBooks data, just remember, you saved $500 by not getting a firewall,” Watkins quipped.

Clearly, small businesses — even those with razor-thin profit margins — shouldn’t skimp on their cybersecurity protections. But assuming budgets are tight, how can SMBs make the most of their spending?

Many cybersecurity experts still recommend the basics:

  • Use multifactor authentication to sign on to company devices.
  • Require strong passwords.
  • Deploy antivirus, antispyware and firewall protection.
  • Identify the sensitive data you hold and encrypt it.
  • Regularly update software.
  • Train employees on cybersecurity.

A business-grade firewall is one of the essential basics no SMB should ignore, Watkins said.

“No, the ISP modem is not good enough,” he said. “Just run a Google search on the model number of your modem and you’ll find 10 articles listing the default admin password for it.”

Building a Holistic Security Strategy

SMB cybersecurity efforts should focus on their people and processes, “coupled with the support of reliable, well-implemented tools and technologies,” said Chris Duvall, senior director at The Chertoff Group, a company that advises clients on security and risk management.

Beyond the basics, Duvall urged SMBs to consider a virtual private network (VPN) to protect traffic in and out of their networks and a password management tool to help employees store their credentials in a single, secure location. Small businesses should also look into commercial products that package a number of security tools, such as intrusion detection and prevention systems, together.

What to Look For in an MSSP

Managed security service providers (MSSPs) enable small businesses to outsource their cybersecurity protections for a monthly fee. MSSPs can be useful for a resource-strapped SMB, Duvall noted, “but using the right MSSP and ensuring regular and detailed communication is key.” He added that with managed service becoming a popular offering in the cybersecurity industry, some companies are “labeling themselves as MSSPs but are not capable of, or qualified to, manage the security of other organizations.” SMBs should do their homework and request a “proof-of-concept” period before signing an MSSP contract.

Mike Baker, founder and principal of managed cybersecurity provider Mosaic451, agreed that outsourced services can help SMBs fight off attackers. An SMB’s IT staff can “get bogged down by providing the basics — such as routine system monitoring, software upgrades, training on new systems and services, help desk support, and the seemingly endless number of meetings,” he said. The best way to find a managed service provider, then, is through word of mouth.

“It’s always better to go with an actual referral,” Baker said. “Go with someone you know. Go with someone that a peer knows.”

Online ratings, “random top-10 lists and whatnot are paid-for marketing,” he added. “Trust them at your peril.”

Why You Must Actively Manage Your Data

Watkins and other cybersecurity professionals also advised SMBs to frequently back up their data. A cloud service is a good way to make copies that are protected from direct attacks on the business. Ransomware remains a serious threat, and some network-attached storage device makers include software to encrypt and replicate a business’ data in the cloud.

SMBs should have at least three backups of their data, Watkins recommended.

“One of the most devastating things that can happen to an SMB is data loss,” he said. “Whether caused by lightning frying your PC or cryptoware infecting your server, data loss can literally bring a business to the brink of closure.”

Frequent backups, a managed security provider, a VPN, and a well-rounded package of antivirus and intrusion detection tools are among the protections SMBs should consider to better secure their data, but establishing these defenses is only the beginning. To sustain a successful enterprise security strategy, organizations must regularly audit the efficacy of each tool and team, establish a culture of security from the top down, and scale consistently through growth phases.

More from Data Protection

How governance, risk and compliance (GRC) addresses growing data liability concerns

4 min read - In an era where businesses increasingly rely on artificial intelligence (AI) and advanced data capabilities, the effectiveness of IT services is more critical than ever. Yet despite the advancements in technology, business leaders are increasingly dissatisfied with their IT departments.According to a study by IBM's Institute for Business Value, confidence in the effectiveness of basic IT services among top executives has significantly declined. While AI promises transformational capabilities, particularly generative artificial intelligence (gen AI), the road to realizing these benefits…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Ransomware on the rise: Healthcare industry attack trends 2024

4 min read - According to the IBM Cost of a Data Breach Report 2024, the global average cost of a data breach reached $4.88 million this year, a 10% increase over 2023.For the healthcare industry, the report offers both good and bad news. The good news is that average data breach costs fell by 10.6% this year. The bad news is that for the 14th year in a row, healthcare tops the list with the most expensive breach recoveries, coming in at $9.77…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today