Security Experts:

5 Things Every SMB Should Know to Strengthen Defenses

You may find it surprising that small businesses make up more than 97% of total businesses in North America, according to the Better Business Bureau (BBB). Given this statistic, I suppose the good news is that fewer than half of all cyberattacks target small businesses. The bad news is that when small/midmarket businesses (SMBs) are attacked, the majority don’t survive. But this doesn’t have to be the case.

With National Small Business Week celebrated earlier this month, now is a good time to highlight five things SMB executives should know to prepare themselves and strengthen their defenses. 

1. SMBs are attractive targets. While 43% of attacks target small businesses according to SCORE, the 2018 Verizon Data Breach Investigations Report finds that 58% of small businesses have experienced a breach, indicating a high success rate. Beyond what they can steal from SMBs directly, threat actors also use SMBs as a launching pad for bigger campaigns and to infiltrate larger organizations. They play the odds and look for the biggest return for their efforts, which means SMBs will remain in their sights. 

2. The impact of an attack can be devastating. Depending on the nature and scope of the campaign, recovering from a cyber attack can be difficult and costly, if not impossible, for these businesses. SMBs are less likely to have multiple locations or business segments, and their core systems are typically more interconnected. When these organizations experience an attack, the threat can quickly and easily spread from the network to other systems with a ruinous effect. When the BBB asked small business owners in North America, “How long could your business remain profitable if you permanently lost access to essential data?” Only about one-third said that they could remain profitable for more than three months. More than half reported that they would be unprofitable in under one month.

3. SMBs are most concerned with these cyber threats. In Cisco’s research of 1,816 SMBs across 26 countries, we found (PDF) respondents lose the most sleep over:

• Targeted attacks against employees – think well-crafted phishing campaigns

• Advanced persistent threats – advanced malware the world hasn’t see before

• Ransomware – which can be particularly harmful since SMBs are more inclined to pay ransoms because they simply can’t afford the downtime and lack of access to critical data

4. Don’t forget about these other threats. Despite worries about ransomware, the threat is diminishing as more adversaries shift their focus to cryptomining – stealing computing power to mine cryptocurrencies and generate revenue. When cryptomining software gets into an environment it can slow down system performance, have regulatory implications and indicate that the SMB might be vulnerable to other types of threats. Insider threats are also on the rise and no organization is immune. But this doesn’t mean every organization has employees who are maliciously exposing the organization to risk. Careless employees or contractors are usually the root cause. 

5. These tips can help strengthen defenses. There are many ways – across people, processes, and tools – to drive improvements in cybersecurity. Below are a few recommendations.

• Approach outsourcing and the cloud with open eyes. Like their larger counterparts, SMBs suffer from a cybersecurity talent shortage, so many look to outsourced help and the cloud to bolster defenses. Both are effective means of helping businesses make the most of limited resources. However, companies can run into trouble if they assume that an outsourced provider or a cloud partner can deliver all the capabilities that they lack in-house. SMBs should understand the extent of analysis and monitoring services outsourced security providers offer, and the type and impact of security controls cloud providers deliver.

• Strengthen security processes. Comprehensive reviews of security practices help organizations identify weaknesses in their defenses. These processes aren’t as prevalent in SMBs, perhaps due to lack of staffing, but ultimately, they can go a long way to reducing the burden on staff. By reviewing security practices, SMBs may find they need to strengthen or add the following: consistent access privilege management and segregation of duties, network segmentation, password management, backing up critical data and confirming that those backups are not susceptible to compromise, and ongoing employee security awareness training. 

• Look for integrated tools. As SMBs consider new tools, avoid adding to the number of vendors to manage. Select an open platform that streamlines integration with tools in terms of sharing data and threat intelligence, rather than struggling with individual products that each generate their own set of alerts and make it difficult to identify those threats that pose the most risk. Such a platform can also offer automation capabilities to pull data from different security products and aggregate them into a single, easy to read pane to save a tremendous amount of time and frustration while delivering greater visibility and control.

Even if SMBs don’t have the resources for a comprehensive security assessment and possible overhaul, incremental change is better than none. It is also important to remember that the measures put in place today must be reviewed and revamped on an ongoing basis as the threat landscape and attack surface continuously evolve.

view counter
Ashley Arbuckle, Cisco’s VP/GM, Global Security Customer Experience, is responsible for the company’s security services portfolio, designed to accelerate customers’ success and deliver an exceptional customer experience. With over 20 years of security and customer success experience, Arbuckle has a long record of accomplishments that span security consulting, enterprise security operations, product management and general manager responsibilities. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo, where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.