Small and medium businesses are the backbone of many economies, yet they often do not have the same level of cybersecurity as larger businesses. This is because they think that they are too small to be a target, or they believe that their cybersecurity measures are adequate. In this blog post, we will discuss why SMBs are doing cyber security wrong – and how to get it right!
Security is an enabler to your business growth when implemented correctly. This ensures a balance with usability, delivering frictionless performance while delivering a safe and secure workplace. If your business already has cyber security maturity, and are looking to discuss your security concerns – please visit SME cyber security services.
SMB Cyber Security
Cybersecurity is not a game that can be solved by simply ticking a box. It is important to understand ‘why’ and ‘how’ cybersecurity should be done correctly in order to be effective.
Your why lies in identifying where are your crown jewels. Your how lies in what all currently is in place amongst people, processes and tech; and what’s needed to fulfil the gaps. Utilising cloud services or SaaS subscriptions doesn’t mean you don’t have digital assets, lesser security vulnerabilities or a small security posture. Common examples of crown jewels include Active Directory, customer databases, and source code repositories.
Many IT directors and managers feel their senior stakeholders aren’t concerned about cybersecurity threats. Whether you are a CTO, CIO or IT manager handling security, cyber security as a business case needs to be made in order for SMBs to invest in the right tools and processes.
Your critical data protection starts from your board room, which must set the risk management regime. Security policies, adhering to cybersecurity best practices, tackling known threats, purchasing next generation firewalls or endpoint detection software from an industry leader, or whether or not to utilise limited resources or managed services are all afterthoughts. None of these assures you guaranteed ways of reducing the cybersecurity risks.
Here is the list of top 10 reasons that we think cyber security isn’t working in SMBs, followed by each of the ‘how’ to get it right.
1. Lack of awareness of cyber security
Why do small businesses are lacking awareness?
In this day and age of data breaches covering headlines, most of us are aware of the main security measures such as multi-factor authentication, timely patching/ updates, phishing and social engineering attacks. However, it is true that when it comes to the business side, stakeholders at SMBs lack awareness of the latest cyber threats. This means that they do not have the right measures in place to protect themselves against these threats.
Cybersecurity should be seen as an investment, not a cost. There are no immediate ROI figures like your advertising or retail project. This is related to risk controls, effectively following a risk-focussed approach to reduce the probability of adverse events in the future.
2. Reactive instead of a proactive approach to security
Why do a reactive approach to cybersecurity is less effective?
Many SMBs adopt a reactive approach to security, instead of a proactive one. This means that they wait for something to happen before taking action. For example, they may only start to think about cybersecurity after regulatory concerns, security incidents or any related compulsory situations to act.
A proactive approach to security is much more effective. This ensures that SMBs are always one step ahead of the attackers. SMBs should start with a basic security strategy and then keep a continuous tab on the people, processed and technology functions.
Examples of a proactive approach to cybersecurity would be:
Responding only to regulatory concerns or tender requirements
Organisation wise cybersecurity is defined as anti-virus software, firewalls and web proxies usage only
Reactive incident response after security incidents occur
A proactive approach to cybersecurity includes:
Have a comprehensive security strategy
Active logging and monitoring controls to identify and analyse unusual events
Regular attack surface analysis to stay aware of your exposures
Continuous penetration testing to identify and plan risk remediations
Train your staff to be aware of cyber threats
3. Limited understanding of how to mitigate cyber risks
Asking a cyber security company to carry out penetration testing is the easy part, the actual homework for the business starts after the pen test report is handed to them. This includes risk analysis and preparation of a risk remediation plan.
Additionally, businesses live under the myth that having modern security products in place will auto-magically take care of all things under the security domain. However, protecting company data or sensitive data involves a layered approach that includes multiple controls across all entry and exit points of Internet traffic. This could be email and voice communication, Internet access through endpoints (both mobile and office-based) and assets access (devices and servers).
Cyber risks can only be effectively mitigated if businesses have a good understanding of them. Ensure that you choose a partner that’s supportive of your proactive approach, not a ‘report and run’ company.
For example, phishing attacks can’t be prevented by enforcing an awareness course that runs once a year, nor it can be prevented by an email security gateway. It’s the combination of people, process and technical controls that are functional in a continuous manner while measuring ROI. This attack vector impacts pretty much everyone on the planet, be it an individual, SMB cybersecurity issue, midsize businesses or large enterprises.
An advanced persistent threat exploits loopholes that are not always zero-day security issues, they are mostly misconfiguration, vulnerabilities or default settings leading to privilege escalation.
An organisation (whether a larger enterprise or small business) that has well-defined ways how to handle the infection of malicious code from a security incident could easily give bad actors a tough time. This would ensure limiting the impact and reducing the infection rate, allowing security teams more time.
4. Ineffective or nonexistent incident response plan
An incident response plan is crucial for any business, yet many SMBs do not have one in place. This means that they are not prepared for a cyber attack, and they do not know how to respond to one.
Ransomware attacks are not the be-all-end-all situations if businesses are prepared to limit the infections and reduce the likelihood. The majority of the businesses have failed to control such situations due to the lack of incident response plans and logging and monitoring controls.
A response plan outlines a step-by-step procedure for handling an incident successfully, whether it’s caused by malware injection, ransomware, advanced persistent threat (APT) or a Distributed Denial of Service (DDoS) attack.
A cyber security incident response plan is a document that provides instructions for an organisation to detect and analyse a cybersecurity incident, as well as respond to minimise the damage caused.
5. Not understanding the cybersecurity investments
Why cybersecurity investment is more than security tools or hiring security professionals?
Rise in the cyber crime over the last few years has opened eyes across the boards and risk committees responsible for organisations. This has caused organisations to plan strategically against a data breach situation. Having antivirus software and firewall, those days are long gone.
Cybersecurity investments do not stop at outsourcing the cyber security function or buying modern products. It involves strategic planning in line with business objectives, keeping in mind all three areas i.e. people, process and technological controls.
Many SMBs believe that they do not need to invest in cybersecurity because they are too small to be a target. At other times, IT directors or managers face resistance from senior stakeholders due to a lack of awareness.
Over-reliance on IT service providers for security needs has a proven downside. The same teams handling your IT and cybersecurity needs at the same time adds to a conflict of interest. Further downsides could be a lack of security skill-set within IT MSPs or selling cybersecurity software without due diligence.
Presenting cyber security as a business case could be achieved in various ways, starting with a gap analysis that portrays the weaknesses across the infrastructure. These vulnerabilities or weaknesses could be at ground level – ones that can be mitigated using skill-set – or functional level due to the absence of the organisation’s strategic approach to security.
The best way to get around this challenge is to explain the implications of assessment findings translated into reputational, regulatory or financial risks, a language that senior stakeholders can easily understand.
Another reason SMBs do cyber security wrong is that they lack trained personnel. This means that they do not have the right people in place to carry out the necessary tasks. Some businesses prefer in-house teams, and some prefer a hybrid model to leverage partnerships with managed service providers. However, be aware that an IT service provider and a managed security service provider are two completely different skill-sets.
Continuous and interactive training programmes aimed at employees are crucial for SMBs to stay ahead of the curve. These programmes should be designed to increase awareness about cyber threats and how to mitigate them. Think of it as internal consulting work for your security team, and various departments are their customers.
Suspicious activity can have varied forms of attack vectors, therefore, you need your business users to be on your side. It has multiple advantages: creating a positive culture, a security-conscious culture where employees are an additional layer of defence, not just technical and process controls.
Remember, your people can be your strongest link to protect your organisation.
7. Poorly configured security systems and mobile devices
Misconfiguration attacks, default and weak credentials are often the most exploited security weaknesses. They can leave SMBs open to cyber attacks, even if they have the best security tools in place. Similarly, web applications lacking secure coding practices could leave gaping holes, an open invitation for attackers.
Encryption misconfiguration can cost dearly where organisations feel committed to a security solution while staying open to exposing their valuable data or intellectual property. Examples include AWS S3 buckets leakage or cloud security threats where minor misconfiguration has serious consequences.
Lack of testing backups, Distributed denial of service controls or DR situations could add to serious challenges to ensuring business operations during adverse events.
At the minimum, ensure secure baseline technology controls are documented as checklists and used every time new assets are rolled out into your environment. Also, regular change management audits should be done to flag potential risks. SMBs should also consider using security automation tools to help with the configuration of security.
Secure coding practices, secure SDLC for secure development and OWASP Top 10 web applications and API risks.
8. Lack of coordination between different teams responsible for cybersecurity
Another reason SMBs are getting cyber security wrong is that there is a lack of coordination between different teams responsible for cybersecurity. This can lead to duplication of effort and a waste of resources.
For example, the network team may be responsible for firewall configuration, while the IT team is responsible for configurational changes to servers in the DMZ. Without liaising about the upcoming change’s potential impact, timelines and other details, one could easily miss and allow certain gaps in the firewall forever. This would have a future impact on the company’s network, which might include allowing the transfer of malicious programs or allowing threat actors to gain access utilising connections initiated from inside.
Communication between teams, across departments and in general between senior management and the staff is one of the critical elements when it comes to handling a ransomware attack. Crisis communication is not just about a press release to handle financial information or other data leakage situations.
In this agile world, an organisation should utilise workflow mapping and issue trackers. Alternatively, SMBs should have a centralised repository for all documentation related to cybersecurity, including network diagrams, asset inventory, contact details and so on.
9. Lack of balance across people, process and technology controls
Many SMBs make the mistake of thinking that they can solve all their cybersecurity problems with technology. However, this is not the case. SMBs need to have a balance between people, process and technology in order to be effective.
The best way to achieve this balance is to have a comprehensive security strategy in place. This strategy should be reviewed and updated on a regular basis. It should take into account the changing landscape of cyber threats and the evolving needs of the business
10. Small businesses failure to keep up with the basics
The final reason SMBs are getting cyber security wrong is that they fail to keep up with the basics. This includes things like lack of implementation of the least privilege principle, lack of segregation, and insecure information storage practices.
Avoiding exceptions would help businesses to ensure any controls are applicable across the estate. For instance, preparing against spear-phishing attacks includes awareness and controls applicability across the estate without exceptions. Losing login credentials in a phishing attack is not a disastrous situation if small or medium-sized businesses are prepared to limit the impact of such security risks.
This is also applicable to third party supply chain risks and insider risks related to former employees, and current employees (disgruntled or part of espionage), SMBs often outsource or use cloud-based solutions and neglect to ensure these services have appropriate security controls in place.
Organisations should make sure that they are doing the basics right. This includes things like enforced use of password managers, using two-factor authentication, securing mobile devices, VPN or IP restrictions on admin interface and encryption for sensitive information at rest and in transit.
Keeping a business online involves a layered approach, right from the outset, with defence in depth being a key consideration. Cybersecurity issues are not something that can be left to the IT department – it should be everyone’s responsibility.
Here are the 10 basic tips for a business still at the start of the cyber security maturity ladder:
Educate your employees about cyber threats
Implement the least privilege principle
Utilise segmentation concepts at network, user and environment levels
Use multi-factor authentication
Secure your mobile devices
Regular analysis and enforcing strong passwords
Harden your systems through operating systems patching and adherence to secure baselines
Implement a comprehensive security strategy
Monitor your environment for changes
Regularly review and update your security policies
It’s not all doom and gloom, though. There are simple steps you can take to shore up your cyber security posture and protect your business from these threats. We’ve outlined the top ten reasons why businesses are doing cyber security wrong, as well as tips on how to get it right. So where do you stand?
Get in touch to schedule a casual conversation with one of our experts and find out how you can improve your cybersecurity posture. Thanks for reading!