Light Dark
October 2, 2018 By Grant Gross 4 min read
Data Protection

Data breaches that compromise hundreds of thousands — or millions — of records tend to grab the most headlines, but small- and medium-sized businesses (SMBs) are far from immune to cyberattacks.

SMB security is full of holes, and these vulnerabilities are often the most damaging, according to recent research. For example, Verizon’s “2018 Data Breach Investigations Report” found that about 58 percent of all data breaches target small businesses. In addition, 60 percent of SMBs hit with a data breach close within six months, according to Switchfast Technologies, even though more than half of all small business leaders don’t believe they’re targets.

Small Businesses Are Easy Targets

“Think your business is too small to be targeted by a hacker? Think again,” said Chris Stoneff, vice president of security solutions at secure remote access provider Bomgar. “If your business handles any financial information or valuable data about your customers, then guess what? You’re a target for cyberattacks.”

As large enterprises increasingly focus on improving cybersecurity, cybercriminals may take the path of least resistance.

“If that path is via a smaller business with tempting customers,” Stoneff added, “you better believe they will take the easy route.”

At the same time, many small businesses don’t have a lot of money to spend on cybersecurity. In fact, nearly half of all small businesses fail within five years, according to the U.S. Small Business Administration, and cash flow problems account for a huge number of those closures.

Why You Shouldn’t Skimp on SMB Security

Cybersecurity is not the place for SMBs to cut costs, said John Watkins, vice president and chief information officer (CIO) of inRsite IT Solutions, a cloud and security provider for SMBs.

“If you don’t take cybersecurity seriously, and one day you’re forced to pay $8,000 in bitcoin to — hopefully — unlock your QuickBooks data, just remember, you saved $500 by not getting a firewall,” Watkins quipped.

Clearly, small businesses — even those with razor-thin profit margins — shouldn’t skimp on their cybersecurity protections. But assuming budgets are tight, how can SMBs make the most of their spending?

Many cybersecurity experts still recommend the basics:

  • Use multifactor authentication to sign on to company devices.
  • Require strong passwords.
  • Deploy antivirus, antispyware and firewall protection.
  • Identify the sensitive data you hold and encrypt it.
  • Regularly update software.
  • Train employees on cybersecurity.

A business-grade firewall is one of the essential basics no SMB should ignore, Watkins said.

“No, the ISP modem is not good enough,” he said. “Just run a Google search on the model number of your modem and you’ll find 10 articles listing the default admin password for it.”

Building a Holistic Security Strategy

SMB cybersecurity efforts should focus on their people and processes, “coupled with the support of reliable, well-implemented tools and technologies,” said Chris Duvall, senior director at The Chertoff Group, a company that advises clients on security and risk management.

Beyond the basics, Duvall urged SMBs to consider a virtual private network (VPN) to protect traffic in and out of their networks and a password management tool to help employees store their credentials in a single, secure location. Small businesses should also look into commercial products that package a number of security tools, such as intrusion detection and prevention systems, together.

What to Look For in an MSSP

Managed security service providers (MSSPs) enable small businesses to outsource their cybersecurity protections for a monthly fee. MSSPs can be useful for a resource-strapped SMB, Duvall noted, “but using the right MSSP and ensuring regular and detailed communication is key.” He added that with managed service becoming a popular offering in the cybersecurity industry, some companies are “labeling themselves as MSSPs but are not capable of, or qualified to, manage the security of other organizations.” SMBs should do their homework and request a “proof-of-concept” period before signing an MSSP contract.

Mike Baker, founder and principal of managed cybersecurity provider Mosaic451, agreed that outsourced services can help SMBs fight off attackers. An SMB’s IT staff can “get bogged down by providing the basics — such as routine system monitoring, software upgrades, training on new systems and services, help desk support, and the seemingly endless number of meetings,” he said. The best way to find a managed service provider, then, is through word of mouth.

“It’s always better to go with an actual referral,” Baker said. “Go with someone you know. Go with someone that a peer knows.”

Online ratings, “random top-10 lists and whatnot are paid-for marketing,” he added. “Trust them at your peril.”

Why You Must Actively Manage Your Data

Watkins and other cybersecurity professionals also advised SMBs to frequently back up their data. A cloud service is a good way to make copies that are protected from direct attacks on the business. Ransomware remains a serious threat, and some network-attached storage device makers include software to encrypt and replicate a business’ data in the cloud.

SMBs should have at least three backups of their data, Watkins recommended.

“One of the most devastating things that can happen to an SMB is data loss,” he said. “Whether caused by lightning frying your PC or cryptoware infecting your server, data loss can literally bring a business to the brink of closure.”

Frequent backups, a managed security provider, a VPN, and a well-rounded package of antivirus and intrusion detection tools are among the protections SMBs should consider to better secure their data, but establishing these defenses is only the beginning. To sustain a successful enterprise security strategy, organizations must regularly audit the efficacy of each tool and team, establish a culture of security from the top down, and scale consistently through growth phases.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Grant Gross
Writer

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature