Key Security Risks For Small Businesses

Uploaded on 2023-10-03 in TECHNOLOGY--Resilience, FREE TO VIEW

Small and medium-sized businesses are under attack from cyber criminals. There are five key risk areas to improve cyber resilience, among them, preventing human error and correcting weak governance. Whether it’s lack of resources, awareness or expertise, small businesses are as much at risk of cyberattacks as larger enterprises.

A report by Vodafone Business published in February found that over half of small and medium-sized businesses (SMBs) in the UK had experienced some form of cyberattack in 2022 – up from 39% in 2020. In addition, one third of SMBs had seen the number of attempted attacks against their business increase.

Another survey by Kaseya, the SMB Cybersecurity for MSPs Report, shows the extent to which small businesses were plagued by phishing (32%) and viruses (30%) in the past year. Worse still, around 60% of respondents feared they might be hit by a ransomware attack in the next 12 months.

Almost three quarters said that such an incident could be a death blow to their organisation due to the difficulty and cost of recovering. According to the report, the average cost of downtime following an attack on a UK-based company is as much as £53,000, while over a third of UK SMBs suffered downtime of three days or more. Worryingly, many SMBs don’t have much confidence in their ability to recover from a cyber security incident.

More than half of UK respondents admitted their organisation would find the recovery process difficult, while 8% even feared that they would not recover at all.

With cyberattacks steadily increasing, the risk of being hit is real, so businesses must ramp up their defences now to boost their cyber resilience. Here are some important measures that SMBs can take to mitigate the five most common security pitfalls.

Risk 1: Misconfigurations & Human Error

Around 90 per cent of intrusions come down to human error and misconfigurations. One example: Phishing is one of the most widely used, and successful, methods for intrusion. Malicious actors who have gained access to an employee’s user account through stolen credentials can then use misconfigurations to escalate their privileges across the business network and compromise further systems and data.

Misconfigurations in IT systems often arise over time due to the common practice of ‘set it and forget it,’ meaning new systems are configured when they are first introduced, and the settings are never updated. Or, for convenience, businesses are not following the principle of least privilege, and users and applications are granted more access rights than they need – creating security risks.

SMBs should therefore have security policies and standards that mandate regular reviews of their IT configurations and all egress areas within their digital environment. As a minimum, this process should happen annually. Look for misconfigurations in user access management, in firewall rules, in connected devices, for open ports and more. There should also be someone dedicated to keeping identity and access management rules up to date.

Risk 2: Insufficient, Or No, Security Measures

During my tenure as cybersecurity specialist with the FBI, I saw too many SMBs rely on antivirus software only. Some had no security measures at all – often because small enterprises failed to educate themselves on security, or because they had outgrown their cyber defences. The business had developed, but security had got left behind.
Any organisation, no matter how small, is a potential target for hackers. SMBs must make sure their security measures keep up with their requirements and maintain a ‘security first’ mindset. Just 15 minutes a day, or week, are enough to start educating yourself about fundamental security practices. The Center for Internet Security (CIS) Critical Security Controls and the NIST cybersecurity framework are good starting points and explain step by step the measures that organisations should take, while the SANS Institute offers training and resources.

Risk 3: Lack Of Security Awareness

Many security breaches start with employees unwittingly clicking on links in phishing emails. Security awareness training for staff is a must, but to make sure it’s effective, it’s important to pick the right training tools and the right partners.

Experience is the best teacher: Look for tools that simulate live phishing attacks, testing employees’ defences and empowering behaviour change. On top of this, SMBs should set out clear expectations for security-aware behaviour, with the end goal of educating users on being the first line of defence and empowering them to recognise phishing attempts – including consequences if best practices are not followed.

Risk 4: Unpatched IT systems, Or systems Not Regularly Updated

Unpatched security vulnerabilities in software and hardware, or outdated systems, can leave the door wide open to cybercriminals. SMBs need repeatable and sustainable processes to keep all their IT systems up to date. This includes not only staying on top of their patch management, but also regularly upgrading components and software to the latest supported versions.

When a new threat is found, it’s important to act immediately, so SMBs also need to make sure they receive critical security updates from their vendors - such as Microsoft’s Patch Tuesday bulletins, or the Android security bulletins issued by Google.

Risk 5: Weak Governance & Policies

Security problems also arise when organisations don’t manage and enforce their security policies – for instance, on strong passwords or two-factor authentication. When I was in the FBI, too many times, I saw SMBs that didn’t have policies or governance around securing their IT systems, or the policies were written once many years ago and never revisited.

SMBs should treat these policies as living, breathing documents and review and update them regularly, especially as the business grows and circumstances change. Make sure the security policies are specific and employees are aware of them. Ideally, the policies are also mapped to security frameworks.

The good news is that according to Kaseya’s SMB Cybersecurity for MSPs Report, SMBs are actively investing in cybersecurity and regular vulnerability assessments. However, many organisations will still need expert help preparing for, and dealing with, attacks. A third of UK SMBs already rely on outsourced IT support; this proportion will likely grow.

Jason Manar is CISO at Kaseya                                                            Image: energepic

You Might Also Read: 

Navigating Priorities: Cloud vs Cyber For SMEs:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Security Gaps In Business-Critical Identity Services 
Mapping Out The Journey To Zero Trust »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity provide solutions for Secure Networks, Secure Communications, Network Analysis, and Endpoint Security.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Azeti Networks

Azeti Networks

Azeti Networks is a global provider of IoT technology to a variety of verticals including telecomms, oil/gas, manufacturing, finance and healthcare.

Quadrant Information Security

Quadrant Information Security

Quadrant Information Security is a consulting firm committed to supporting organizations in all vertical markets and protecting their sensitive data.

Secucloud

Secucloud

Secucloud GmbH is a provider of high-availability cyber-security solutions, offering a cloud-based security-as-a-service platform, particularly for providers.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

ECOMPLY

ECOMPLY

ECOMPLY is an all-in-one GDPR Compliance Solution. Efficient data protection management system for businesses and DPOsomply.

CyberSAFE Malaysia

CyberSAFE Malaysia

CyberSAFE Malaysia is an initiative to educate and enhance the awareness of the general public on the technological and social issues and risks facing internet users.

CyberSwarm

CyberSwarm

CyberSwarm is developing a neuromorphic System-on-a-Chip dedicated to cybersecurity which helps organizations secure communication between connected devices and protect critical business assets.

DCX Technology

DCX Technology

Recognized as a leader in security services, DXC Technology help clients prevent potential attack pathways, reduce cyber risk and improve threat detection and incident response.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

Trapp Technology

Trapp Technology

Trapp Technology combines the very best cloud, Internet, IT managed services, and IT consulting to provide a true all-in-one IT solution for small to mid-sized businesses.

Trusted Technologies and Solutions (TTS)

Trusted Technologies and Solutions (TTS)

TTS is a security consulting company specialised on business continuity and crisis management, information security management, information risk management and identity and access management.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

Rezonate

Rezonate

Rezonate discovers, profiles, and protects Identities and their entire access journey to cloud infrastructure and critical SaaS applications. Preventing and stopping cyberattacks.

AVANT Communications

AVANT Communications

AVANT is a premier distributor of next generation technologies with the resources and relationships needed to successfully navigate the ever-changing world of communications and IT infrastructure.