A panel of 20 SMB and cybersecurity experts discuss the top cybersecurity considerations for small to midsize businesses.
SMBs face substantial risk in today’s cybersecurity landscape. With hackers developing increasingly sophisticated attack methods, it’s challenging for smaller companies to keep up with the most robust cybersecurity solutions and best practices. Not only do they have smaller IT budgets compared to enterprises, but SMBs often lack awareness about their risks and vulnerabilities.
Unfortunately, SMBs are a prime target for hackers. In fact, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, “76% of U.S. companies were attacked within the last 12 months, up from 55% in 2016. Globally, 66% of respondents reported attacks in the same timeframe.” Further, 82% of respondents in the U.S. reported having experienced a cyberattack at some point throughout their organization’s lifetime. According to the Verizon 2019 Data Breach Investigation Report, 43% of all data breaches involve small businesses.
With cloud adoption and the use of IoT devices and wearables on the rise across businesses of all sizes, the security perimeter is in constant flux, making it even more challenging to protect the company’s sensitive data. Given that 60% of small businesses close for good within six months of a cyberattack, a proactive approach to security is imperative.
What should SMBs focus on when it comes to cybersecurity, and what risks should be of the greatest concern? To gain some insight, we reached out to a panel of cybersecurity experts and small business leaders and asked them to answer this question:
Read on to find out what our experts had to say about the most important cybersecurity considerations for SMBs.
Brandon is a smartphone security expert. Founder of Tiger Mobiles, he heads up the help and advice section, answering customer questions and queries to help them stay safe on their smartphones.
“My top 3 cybersecurity considerations for small to midsize businesses (SMBs) are…”
1. Uploading sensitive data to cloud storage providers like Dropbox, Google Drive, etc.
Any SMB that is using cloud storage for sensitive information should consider locally encrypting files and folders before uploading them. So, if you're a Dropbox user keeping passport scans, customer details, passwords, commercially sensitive work files, etc. on there, then I would most certainly be encrypting locally first.
I know people reading will think: “Surely Dropbox uses their own encryption?” Dropbox does use an excellent encryption system for files, but because you're not the one encrypting, you're not the one that holds the decryption key. Since that decryption happens automatically when logged into the Dropbox system, anyone who accesses your account can also get your now non-encrypted data. If you further encrypt, it's a second line of defense.
2. Allowing remote workers too much freedom in how and where they access the internet.
Technology is beneficial for businesses as they can operate with a flexible, mobile workforce to reduce overheads and boost productivity, but it isn't without risk. Connecting to enterprise and client data over unsecured Wi-Fi networks and from poorly-secured devices can bring significant threats to the security of your business.
There's also an increasing tendency to use your own devices like phones and laptops for both professional and private tasks. When you couple that with using public networks, it creates a gaping hole in your cybersecurity.
Just like most larger enterprises have security policies in place, SMBs should also have a set of security measures that everyone should follow to help create a culture of cybersecurity awareness and protection among remote workers.
3. Reusing identical passwords and not using two-factor authentication.
It might seem like a hassle to set up a password manager or two-factor authentication for employees (and train them on using it), but it's far more hassle to have to clean up if someone's details are compromised. At best, you'll have to change multiple passwords and recover your account on whatever service was hacked. At worst, you'll have to perform a full security audit and trace what other accounts might be compromised. Of course, using 2FA or a password manager doesn't make you unhackable, but it does make you a tougher target to exploit.
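Brandon's first point, encrypting files locally before they go to a cloud folder, carried through in code. This is an added example, not the contributor's own tooling or anything Dropbox provides: it uses Go's standard-library AES-256-GCM with a random key that stays on the owner's machine (the `NewKey`, `Encrypt` and `Decrypt` names and the sample document are assumptions made here), so that a stolen cloud login yields only ciphertext, and any tampering with the stored blob is detected when it is decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit AES key. The key stays with the
// owner (for example in a password manager) and is never uploaded with the
// file; that separation is what makes the extra layer worth having.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended
// to the ciphertext so Decrypt can recover it; GCM's authentication tag
// means a modified or corrupted blob is rejected rather than decrypted.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails on a key that is not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key, a truncated blob or a single
// flipped byte all produce an error instead of garbage plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample document of the kind the contributor describes.
	doc := []byte("customer: Example Ltd\ncard-on-file: [redacted]\n")
	key, _ := NewKey()
	blob, _ := Encrypt(key, doc)
	fmt.Printf("upload %d bytes of ciphertext (nonce + data + tag)\n", len(blob))

	back, err := Decrypt(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, doc))

	blob[len(blob)-1] ^= 1 // simulate a corrupted or tampered download
	_, err = Decrypt(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The blob written by `Encrypt` is what goes into the synced folder; the key does not. Losing the key means losing the file, so the key needs its own backup, kept apart from the cloud account it protects.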
Steven J.J. Weisman
Steven is a lawyer, an author, a professor at Bentley University where he teaches White Collar Crime, and one of the country's leading authorities on cybersecurity. Among his books is Identity Theft Alert. He also writes the blog www.scamicide.com where he provides newly updated information about the latest scams, identity theft schemes, and cybersecurity developments.
“Cybersecurity should be a consideration for all businesses, whether they are large or small…”
In fact, many small businesses are often targeted by hackers as easy targets due to their failure to take proper cybersecurity steps. Here are some steps SMBs should take:
1. Training employees in proper security practices is critical. Most malware, whether it is ransomware or keystroke logging programs that steal personal information stored on the company's computer for purposes of identity theft, is downloaded as a link or attachment in a phishing or more specifically targeted spear phishing email. While security software will recognize and block many spear phishing emails, it definitely will miss many others, which is why it is critical to train and remind employees about recognizing and avoiding spear phishing emails and never clicking on links or downloading attachments unless they have been confirmed to be legitimate.
2. Install security software and keep it constantly updated. There have been many data breaches, such as the major one at Equifax, that could have been avoided if the company had installed software updates in a timely manner.
3. Encrypt all sensitive data, particularly on laptops and portable devices that leave the office.
4. Maintain and regularly change complex passwords. Use dual factor authentication when possible.
5. Anything connected to the internet poses a threat to cybersecurity. Therefore, make sure that you have changed the default password on all your Internet of Things devices.
6. Shred all discarded documents that contain sensitive information.
7. The tremendous threat of ransomware is getting worse. Along with properly training employees to avoid the spear phishing emails that may contain ransomware and using proper security software, the best defense against ransomware is to make sure you back up all of your data daily on a couple of different platforms, such as in the cloud and on portable hard drives.
Steve Pritchard is the Founder of Checklate.
“People can still be the biggest component when it comes to safeguarding your company from cyber attacks, but…”
They can also be the biggest risk. If your staff are not aware of the dangers out there in the online world, you are potentially opening a serious can of worms for your business. To stand the best chance of not having any security issues, you need to educate your staff on how to safely use your computers and systems. Cybersecurity is one area of your company where a little cynicism is okay for you and your employees.
Guy Novik is the CEO of Orlando Villa Holidays.
“Password protection is a major component in protecting a small business from malware and hackers…”
Anyone with business technology assets needs to give serious thought to having strong and complicated passwords to ensure all their devices are protected, whether it’s mobile phones, laptops, tablets, or desktop computers.
Never disclose your password to anyone and have different passwords for each system. Whenever an employee changes jobs, you should overhaul the whole password system and change them to ensure they can no longer access sensitive company information or collateral they could use to compete with you in their new company.
Shayne Sherman is the CEO of TechLoris, based in Brookline, Massachusetts. With over 11 years of experience in the tech industry, Shayne founded the company with the goal of providing unbiased reporting on the tech world.
“The top 3 cybersecurity considerations for SMBs are…”
Employees: Your biggest resource and your biggest risk. A good employee is going to take measures to keep your information safe by doing everything right. But a poorly trained or unconcerned employee could be putting your information at risk by going to the wrong site, not password protecting information, or being unconcerned about updating their computer.
Software isn't negotiable. You can't run a business without computers in some shape or form anymore. They have become a necessity, and that means it's important to keep software up to date. The longer software goes without being updated or replaced, the more vulnerable it is to new methods of hacking or virus infection.
Be aware of mobility. Chances are your employees have mobile phones that are used for work only. Make sure they stay that way. Don't let employees jailbreak phones to give them access to other apps or games, because this can compromise security. In fact, keep the phone as basic as possible to ensure a low-tech mobile option that has fewer opportunities to be hacked.
Bret Carmichael is the founder of LEAP WORKS, a company that helps businesses achieve growth through branding, web, and digital marketing. Before founding LEAP WORKS, he was a freelance designer and an IT professional at a Fortune 100 insurance company for 10+ years.
“Of my top 3 security considerations for SMBs, number 1 leads by a lot…”
1. Password management: Small businesses lack resources for security and compliance. They tend to manage credentials in the same way that many individual consumers do; they use the same username and password combination everywhere. Their passwords are often weak and listed among Have I Been Pwned's records of exposed credentials – leaving all the SaaS products they use, including their Office 365 accounts, in a state of persistent threat.
2. WordPress: This isn't a knock on WordPress. However, as the most popular CMS on the web, WordPress installations are an attractive attack surface for bots. The risk is two-fold:
3. Web forms: Many businesses collect customer data through web forms, sometimes including NPPI. Even though the site has an SSL certificate, some use their webhost's phpmailer() function to send customer information to a business inbox. Mail sent via phpmailer() is unencrypted.
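Bret's first point mentions Have I Been Pwned's records of exposed credentials. The following added example (not the contributor's code) shows how a business can check a password against that corpus without ever sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with a count, so the comparison happens locally. The HTTP fetch is left to the caller; the `sampleRange` body is a constructed stand-in for a real response (its counts are made up), and the function names are assumptions.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashParts splits the uppercase SHA-1 hex digest of password into the
// 5-character prefix that is sent to the range endpoint and the
// 35-character suffix that never leaves the machine.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// RangeURL is the endpoint a caller would fetch for a given prefix.
func RangeURL(prefix string) string {
	return "https://api.pwnedpasswords.com/range/" + prefix
}

// CountInRange scans a range response (one "SUFFIX:COUNT" line per known
// hash) for the local suffix and returns how often that password was seen,
// or 0 if it is absent. Malformed lines are reported rather than skipped.
func CountInRange(rangeBody, suffix string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(rangeBody))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // responses use CRLF line endings
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// Pwned reports whether password appears in rangeBody, which must be the
// response fetched for HashParts(password)'s prefix.
func Pwned(password, rangeBody string) (found bool, count int, err error) {
	_, suffix := HashParts(password)
	n, err := CountInRange(rangeBody, suffix)
	if err != nil {
		return false, 0, err
	}
	return n > 0, n, nil
}

// sampleRange is a constructed response for prefix 5BAA6 (the prefix of
// sha1("password")). The counts are invented for the example.
const sampleRange = "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n" +
	"011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"

func main() {
	for _, pw := range []string{"password", "a-long-unique-passphrase-for-this-demo"} {
		prefix, _ := HashParts(pw)
		found, n, err := Pwned(pw, sampleRange)
		fmt.Printf("fetch %s -> found=%v count=%d err=%v\n", RangeURL(prefix), found, n, err)
	}
}
```

A password that comes back with any count at all should be treated as unusable, whatever the number; the count only indicates how widely it circulates. The same check fits naturally into a password-change form or an onboarding script, since only the five-character prefix is transmitted.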
Peter Purcell is the co-founder of EVAN360, a problem-solving platform for businesses. He has 30+ years of experience in IT leadership and is a cybersecurity expert. He is also co-CEO and Managing Director at Trenegy Inc., where he helps companies solve strategic issues that hamper growth and change.
“Here’s what I recommend small to mid-sized businesses consider when it comes to cybersecurity…”
1. Learn why growing businesses are at risk of cyber attacks.
Though cyber attacks on large companies are more likely to make headlines, growing businesses are increasingly easy targets. That’s because they are notoriously under-resourced when it comes to cybersecurity. Growing companies faced with limited financial flexibility often consider IT support too costly. Cybersecurity is also a low priority among business owners who are primarily focused on growing their brand and turning a profit. With such an easy-in, hackers can extort thousands of dollars using seemingly inconsequential customer and employee data. While you may think your growing business isn’t at risk, one cyberattack could cost you everything.
2. Determine how you will make cybersecurity part of your company culture.
Cybersecurity is not just an IT issue. It’s a business issue on which your people have the most impact. You must remain proactive in securing information, and 90% of your efforts should center on training and education. The root cause of all security breaches is human error. So yes, utilize technology, but don’t forget people are the most important part. Here are some tips:
3. Take action to protect your business and stakeholders.
Consider the practical steps you will take to build a more secure environment. How will you back up data? How will you secure your network? What software is necessary? At a minimum, I recommend securing your network, protecting passwords, actively updating software, storing data in the cloud, and inventorying and protecting all networked devices. Such a list can seem overwhelming, but it’s always worth it.
Ray McKenzie is the Founder and Managing Director of Red Beach Advisors based in Los Angeles, CA. Red Beach Advisors is a technology management consultant group specializing in implementing solutions for startups, enterprise companies, and government entities through strategy, process, technology, and people.
“The top three cybersecurity considerations for small to midsize businesses are…”
Identity authentication, access management of resources, and malware protection and remediation. Small to midsize companies have difficulty with these three areas, as well as smaller budgets. Identity authentication is important. Passwords are a thing of the past. While passwords can be placed with requirements to increase complexity, employees often opt for easy password options for their access. This causes a less secure IT environment and poses increased risks. Organizations should employ passwords with multi-factor authentication or biometric abilities to manage identities.
Access management is another complex cybersecurity concern. The assignment of roles, rights, and responsibilities is extremely important to protect internal and external data. The practice of implementing least-privilege access throughout an organization should be a standard operating procedure. Employees and executives should only have access to the information or systems required to perform their jobs. The more access, the more ability for a breach or release of information.
The last consideration or challenge is managing malware within an environment. Email is a primary form of communication and to ensure emails, files, and systems are protected, malware solutions are needed that can provide real-time environment protection and remediation when a breach or infection occurs. Malware is a significant cause of business disruption and productivity loss, while also being a primary cause of data breaches and vulnerabilities. Small to midsize companies should focus on implementing strategies to combat malware, strengthen identity authentication, and develop operating procedures and policies for access management.
After working as a computer forensic specialist since 2004, including a period in the Hi-Tech Crime Unit for the Metropolitan Police at New Scotland Yard, Jonathan founded Forensic Control in 2008. Since then, they have advised on hundreds of data breach cases for corporate clients of all sizes.
“The top 3 cybersecurity issues facing SMBs are…”
1. Confusion about what the risk is. There's a lot of noise generated on what cyber risks SMBs face, much of it from security vendors trying to sell you their solutions. Add in legal and regulatory compliance requirements, advice from your IT support guys, and daily headlines about breaches, and it leads to a recipe for confusion. Source a trusted adviser who is not tied to selling you a particular piece of software or hardware – they should be vendor-neutral.
2. Perceived expense of combating the risk. Good security culture can be developed within SMBs for surprisingly low cost. After ensuring all your devices are capable of running the latest versions of operating systems and apps, ensuring that they are configured securely (automatic updates are on, anti-malware is on, etc.) and ensuring people don't use admin accounts for day-to-day tasks don't cost much at all. Wrap this up in a decent set of governance and policies as to how your staff interact with data, and already you'll have significantly improved your cyber hygiene.
3. Perception that cyber breaches won’t happen to you. Maybe you think you're not significant enough for the hackers to target you; maybe you trust your staff to always do the right thing and not run off with your secrets or accidentally click on that phishing email. Many data breaches are so-called commodity attacks automated to send out many thousands of fraudulent emails or to scan IP addresses for vulnerabilities. The human factor is the biggest risk of all; malicious or accidental actions by people on the inside of your network can cause terrible damage, but this can be mitigated against.
The above factors can combine to cause confusion and lead to the worst response – inaction. If you're responsible for securing your organization's assets, make sure that this isn't you.
Mike comes from technology consulting, building applications for companies ranging from small businesses to hospitals, the UFC, and the New England Patriots. He is currently at Hytiva.
“For companies that have developers and IT resources…”
Make sure the two talk about any applications to be deployed and share more with the IT/Security personnel than, “It's just a website.” Often, the biggest gains can be made from teams simply working together a little better. Encourage developers to share answers and IT to ask good questions like the following common examples:
When making a small business website, use a static website if possible. There are tools to help convert simple WordPress sites to static HTML as well as open source tools to build static sites from simple files if you have someone more technical. Other resources can help with adding search and form handling features to static websites. Doing this can make your website much less of a burden on security and IT for a young business without a big IT budget.
When training and speaking to staff, generally try to make even small, but regular mentions of protecting sensitive information and security. Positive reinforcement and showing a basic concern for everyone's privacy will make everyone positive about protecting your company as well as relate it to them personally. Having conversations about links in emails, confirming large or sensitive requests via a separate communication method than the original, and being supportive about fixing bad practices will get you far more participation than treating it like an interrogation when something occurs.
Jennifer Mazzanti is the CEO and Co-founder of eMazzanti Technologies, a 4X Microsoft Partner of the Year and 8X Inc. 5000 list honoree. As the leader of a woman-owned technology business, she inspires others and gives back to the community through the company's ocean wildlife conservation effort, the Blue Project.
“The top 3 cybersecurity considerations for small to midsize businesses (SMBs) are…”
1. Know the risk. SMBs are prime targets for cybercriminals because they under-invest in cybersecurity, and many SMBs fail after an attack.
2. Develop a security-first culture. It starts at the top but must pervade the organization.
3. Address the human factor. People are the weakest link in your cyber defense. Know this and train, train, train to shore up your defenses.
As the owner and senior technician at Motz Technologies, it is Sam’s job to make sure her clients’ networks work correctly. With over 10 years of experience in the IT field, she’s always integrating the best automation techniques into her services to make sure that even when everyone else is busy, they are keeping a close eye on their clients’ networks.
“I’d say the top three are user training, virus protection, and backup…”
User training – The world of cloud-based services has been a boon to all sorts of service providers. However, since these services are open to the world, anyone who has your login details can access them. A vast percentage of the systems that are “hacked” are accessed using legitimate credentials stolen or “phished” from end users. While two-factor authentication can help here, in recent months even that has been bypassed successfully. In the end, user education is one of the best ways to reduce the number and severity of successful phishing attempts.
Virus Protection – While using training can reduce the number of infections that make it onto your network, it won’t stop them all. There is a myriad of ways that systems can be infected even without any users making a mistake. Putting proper business-class virus protection in place is critical to protecting your investment. It’s important that any virus protection decision put in place is appropriate for a business environment. Free anti-virus programs may seem like a good deal, but lackluster detection and limited configuration options will have you fighting your anti-virus more often than actual threats.
Backup – No matter how much training and security you put in place, no system is impervious to attack. People make mistakes, and security systems can’t catch everything. Having a good backup in place can make the difference between quickly recovering from a breach and spending weeks or months painstakingly re-creating data, if that’s even possible. The key to having a good backup system is to test, test, test. If your backup system is not monitored and tested regularly, you may not be able to count on it when it comes time to recover data.
Brian Gill co-founded Gillware Data Recovery and Gillware Digital Forensics, a data recovery company and a digital forensics lab.
“In regard to data security, you need to walk before you can run, and most small companies aren’t even crawling yet…”
Before you are worried about advanced things like buying a service to perform external penetration tests, make sure your employees are utilizing password managers or U2F technology for logins. All your critical systems need to be backed up in near real-time to a different network with different authentication. You need to have thoughtful network permissions and a good 2FA+ firewall to get on your network. You need a patch management strategy and a good endpoint protection suite. You need to spend money on email security and social engineering training for your employees. There are 50+ more things I could list, but where to start?
Start with buying in. Acknowledge your company requires non-IT executive attention to this security initiative. Understand whether you are capable of hiring and retaining the right kind of security leadership if your plan is to do it internally. Understand that if your company has more than 1,000 employees, it’s probably a mistake to rely on 100% in-house security, and the organization would be better served by hiring a risk management company to assist with and watchdog the long-term effort. When IT is implementing new safeguards, and some will come with tradeoffs, accept them. Be sure your company has a disaster recovery plan that has been audited and implemented. Have the proper amount of cyber insurance and understand what the coverage will get you. Have an incident response company already contracted for the inevitable so you aren’t scrambling around trying to source a vendor when every minute counts.
James has worked with small and medium-size businesses for the past 5 years, helping to formalize their internal digital practices. This includes customized application development and cybersecurity assurance procedures. James now works with Intact Partners’ product, ReAccess, a SaaS Microsoft no-code database application builder.
“The top 3 cybersecurity considerations for small to midsize businesses are…”
Add two-factor authentication to everything! At first it will feel like a chore, an extra 10 seconds of administration that you had not planned for; however, if your provider offers it, use it. It is the most effective everyday function of cybersecurity, and it is becoming more efficient by the day, with push notification and even biometric verifications.
Reduce the threshold of single-person authenticated payments. Besides data theft, identity theft is one of the biggest targets for online hackers. Once they have access to your identity (for example, your email account), they could instruct parties such as your accountant to make payments. If you only require a single person to authenticate a payment, as far as your accountant and bank are concerned, you have authenticated it. By adding a second person to authenticate payments over a certain amount, you’ll protect yourself and your business’s most prized asset (its funds).
Standardize your business’ digital utility provider. Whether it’s your email accounts, productivity tools, CRM, accounting tools, or computer operating system, it is now easy and affordable to use a single provider for all these services. As a result, you’ll only need a single login for all of these functions, and you’ll be universally protected by the most well-researched and maintained cybersecurity practices.
Stefan Chekanov is the co-founder and CEO of Brosix Instant Messenger, an IM service focused on providing businesses with secure private IM networks.
“When thinking about cybersecurity for SMBs, I generally organize my thinking into three factors…”
Software, hardware, and human. When it comes to software, small businesses need to provide their employees with a secure work environment, where their data is protected and they can safely collaborate. This is especially important for SMBs working with remote employees, as they need a secure way to connect and communicate with colleagues. One of the best ways to ensure this is by using an encrypted team communication tool.
SMBs also need to make sure that their hardware is secure. It’s not feasible for many SMBs to have their own server(s), meaning they must turn to hosted servers. When making a decision on a hosting service, it’s crucial to consider how these servers are secured and what layers of security are provided.
However, perhaps the most important consideration – and yet the most often overlooked – is the human element. There are studies that show that the majority of cybersecurity incidents are due to human factors: clicking on a link in a phishing email, accidentally sharing sensitive data, etc. That’s why SMBs need to make sure their employees are properly trained and know how to maintain a high level of security in their everyday work.
Mihai Corbuleac is a Senior IT Consultant at StratusPointIT, an IT support company providing professional IT support, cloud, and information security services to small and medium businesses across the United States since 2006.
“Unfortunately, cybersecurity is still a big problem for small/medium businesses…”
According to their latest Data Breach Investigations Report, Verizon has revealed that 43% of breach victims were small businesses. Also, the email service is still the most common delivery method for malware, which means that the human component is still the weakest link in the security chain, and that's because employees don't know what to expect, what an attack looks like, etc. They should be educated regarding cybersecurity, and business executives should begin using training platforms for that.
Before investing in expensive security controls, SMBs should test their threat response and recovery policies and procedures. Test your backups and ensure that your disaster recovery policies are exercised so that you can recover as fast as possible. Once you verify that you can recover from an attack, then start implementing some of the protections that are necessary to keep your data safe. Also, ensure that all employees access their work email from secure devices (preferably not their personal devices), and they don't open unsolicited emails, or download suspicious attachments. Your whole team should use MFA (multi-factor authentication) on all email accounts.
Nathan Maxwell is a cybersecurity consultant in the Kansas City area, working with small businesses for the past 20+ years. He focuses on organizations with staffing between 50 and 250 employees.
“Small businesses are now on the radar for online ne’er-do-wells…”
As large companies become harder to compromise, crooks are willing to target smaller businesses. The reward is less, but so is the effort. Crooks are clever, adaptive, and opportunistic.
One of the biggest issues for SMBs is financial. For cybersecurity to be correctly addressed in any company, the executive suite must be fully onboard and supportive. This equates to money and resources dedicated to the effort. In an SMB, the executive team is usually very small. Each person wears multiple hats. Cybersecurity usually receives little more than lip service, and budgets are tight. Because executives’ finances are tied directly to the company, spending on cybersecurity can feel like writing a personal check. Ultimately, many SMBs don’t feel like they are truly at risk.
The cybersecurity industry has significantly matured. Tools and processes have stepped up, as have cyber risks. The challenge is helping SMB executive teams to fully understand their risk, so they are willing to engage and open their checkbooks just a little.
Matt is the Founder and CEO of Acapella.
“The top 3 cybersecurity considerations for SMBs are…”
Number 3: Firewalls.
This is the first line of defense for your business. There are numerous levels of firewalls that range from the “firewall” functionality in your modem, to sophisticated and highly configurable and remotely manageable ones. Get advice from a professional, and don’t pinch pennies here.
Number 2: Consider some manner of traffic monitoring.
There are products in the market that will monitor traffic both incoming and outgoing from your business. Again, there are several levels of products that will perform all sorts of different functions. Consult your IT professional.
Number 1: People, people, people, people!
The greatest vulnerabilities in your infrastructure are not devices, but people. Be certain that awareness of cybersecurity is high within your company. Urge your employees to check and recheck before they click any links in emails or on websites. When in doubt, don’t click. Consider cybersecurity training, penetration testing, and phishing training for your staff.
As a founder of Vestige, Greg has been involved in the digital forensics field since 2000. He is responsible for the creation of Vestige’s infrastructure and continues to oversee the process of standardizing and streamlining Vestige’s forensic analysis to provide consistent high-quality results on a timely basis.
“The top 3 cybersecurity considerations for small to midsize businesses (SMBs) are…”
1. Having a good, off-line backup. Ransomware is popular these days because it works. It works because businesses either do not have backups of their data to revert to in the event of a ransomware attack, or the backups are done on the cheap by merely copying files to an external drive.
2. Utilize two factor authentication (2FA) for email and other cloud-based accounts. Passwords get compromised because they are either easily guessed or they are acquired by a hacker through social engineering (such as phishing). If 2FA is enabled, not only does that prevent the hacker from gaining access, but it also alerts the account holder that their password may have been compromised.
3. Have a cybersecurity or IT audit conducted by a third-party expert. Pricing is usually based on the size of the company having the audit performed, as well as the complexity of their environment, and is usually 1/10th or less of the cost of remediating an incident. Having it done by a third party takes away the type of bias that is exposed during an incident with the phrase, “Well, I thought we had that covered.” Plus, you can use that audit as a marketing strategy to separate yourself from your competition.
Grant van der Harst
Grant van der Harst is the Managing Director of Anglo Liners.
“Malware is the biggest concern as far as my website is concerned…”
For a small company, having your data stolen would be disastrous. But sadly, thanks to innocent-looking attachments or downloads, worms and viruses can easily infiltrate your entire system and help themselves to whatever they like. We deploy very tough firewalls to try to ensure that nothing can slip under the radar. Web vulnerability scanners can also help discover weaknesses in your website and other web apps.
It’s also vital that we keep our operating systems as up to date as possible to safeguard them from being infected with an advanced virus.