5 Cybersecurity Mistakes SMBs Make

Organizations can boost their security posture by recognizing the risks and following best practices.

Small to midsized businesses (SMBs) account for 99 percent of all businesses in the U.S., employing nearly 60 million people and generating 44 percent of the country’s gross domestic product. However, these economic powerhouses are increasingly vulnerable to a variety of cyber threats. Here are five common mistakes SMBs make that contribute to their exposure:

False Sense of Security

The myth persists that smaller businesses are generally safe from cyberattacks because hackers are looking for a bigger score. In truth, however, SMBs are inviting targets because they lack the advanced security measures of enterprise organizations. According to Accenture’s Cost of Cybercrime Study, 43 percent of cyberattacks target small businesses, but just 14 percent of those organizations are prepared to defend their systems, networks and data.

In addition to underestimating their risk, SMBs misjudge the consequences of an attack. A benchmark study by Cisco found that 40 percent of SMBs suffer eight hours or more of downtime due to cyberattacks. Few SMBs are able to recover from the financial impact.

Lack of Awareness

Security awareness training helps employees learn to identify, avoid and respond to threats. However, a recent study from Proofpoint paints a disturbing picture of the lack of security awareness in most organizations. It found that more than two-thirds of end-users don’t even know what ransomware is, much less how to identify it.

Part of the problem is that awareness training tends to be infrequent and unimaginative. In a recent Osterman Research study, almost 90 percent of employees said they believed their awareness training was ineffective because the training materials were dry, boring, poorly written or irrelevant.

Failure to Update

Many organizations tend to put off updates and make do with aging applications and operating systems because people have become comfortable with them and they seem to work just fine. The lack of critical updates and security patches carries significant risk, however. According to a report by Tetra Defense, 82 percent of security breaches involve unpatched software. Additionally, these preventable attacks cost 54 percent more than those caused by user error.

Given the intertwined nature of today’s software systems, it has never been more important to ensure that critical programs are continually updated and secured. Much of today’s software is built on layers of pre-written code, scripts and web services pulled from open-source software libraries. A problem with one app can create vulnerabilities throughout the IT stack.

Poor Data Protection

Robust backup practices ensure data, files, applications and other resources can be reliably accessed in the event of ransomware attacks, system outages and a variety of other risks. However, one recent study found that more than 20 percent of SMBs have no data backup or data protection solution in place.

Even companies that perform regular backups are at risk. Many ransomware attacks can move laterally through a network, encrypting data on all network-attached storage and other backup devices connected to the network. Having at least one copy of the company data isolated in the cloud or in an offsite location provides an important safeguard against such threats.

Weak Passwords

More than 80 percent of all confirmed data breaches can be traced to compromised passwords, according to Verizon’s 2022 Data Breach Investigations Report. However, users tend to choose passwords that are easy to remember — and easy to guess. For several years running, “123456” and “password” have ranked among the most commonly used passwords in SplashData’s annual survey. Today’s brute-force cracking software and hardware can unscramble those passwords in seconds.

Research indicates that phishing attempts and password hacks have increased by upwards of 300 percent over the past two years. Millions of Americans now work remotely at least part of the time, and they need even more passwords than usual to access an array of company resources, applications, websites and cloud services.

How an MSP Can Help

Limited resources, staff and budget all make it difficult for SMBs to keep pace with the continually evolving threat landscape, but a managed services provider with broad security expertise can provide an edge. Qualified MSPs have invested in the tools and talent to implement and manage comprehensive cybersecurity solutions. A good starting point is to schedule a security assessment to identify gaps in existing controls and develop a plan for minimizing risk.

