As Attacks Rise, SMBs Need a Cybersecurity Playbook

A small or medium-size business (SMB) isn’t necessarily the preferred target of an experienced cybercriminal. The bigger bang comes from penetrating the defenses of a large enterprise — one with millions of customers and billions in the bank.

But cybercriminals go where the vulnerabilities are. And with large enterprises having improved their cyber defenses in recent years, SMBs are increasingly in the crosshairs.

A 2022 survey by the insurance company Hiscox shows that companies with revenues between $100,000 and $500,000 are getting as many attacks as those 10 or 20 times larger.[1] Anyone with an understanding of SMBs’ security challenges, as we have at Mimecast, has heard anecdotal evidence of the same thing: SMBs are being targeted. There’s the B2B services company that told us its controller was on the verge of sending out $2,000 in gift cards before the  controller learned, at the last minute, that the request came from a fake email address. And there’s the small-company CEO who told us that the number of money requests he was getting through phishing emails was so high that it had become almost comical. But he recognized the serious risk such email attacks posed. “I figured it was just a matter of time before we fell for one of them,” the CEO said. Acting on that belief, the CEO bought a software program to secure his company’s email.

All Eyes on SMBs

Cybercriminals aren’t the only ones shifting some focus to SMBs, which seems to have begun during the work-from-home pandemic years when more SMBs adopted cloud-hosted software solutions and digitized more of their processes. The resulting uptick in SMB-directed cyberattacks has prompted many in the cyber defense ecosystem — including government agencies, researchers, and cybersecurity software companies — to shift more of their attention to SMB vulnerabilities as well. 

While that may increase the pressure on SMBs, it can also benefit SMB leaders who have to make difficult decisions about their cybersecurity spending from year to year. Some may not even have a dedicated IT person on staff. Taking advantage of the experience, insight, and tools provided by researchers, regulators, and cybersecurity vendors, SMBs can mount an effective defense.

4 Cybersecurity “Musts” for SMBs

SMB leaders understand the importance of getting the most out of their limited resources — both their people and their investments. This is especially true when it comes to cybersecurity. The four best practices below are a good place for SMB leaders to start in making the most of their cybersecurity funding and personnel.
 

• Put someone in charge of your cybersecurity effort. It doesn’t matter if you’re one of the many SMBs that doesn’t have anyone on staff with “technology” in their title. You still need someone to lead the charge on cybersecurity. Even at small companies, there’s usually someone who is already solving IT problems. It could be an operations manager who has spearheaded your company’s effort to replace a legacy database system with something more user-friendly and affordable. Or it could be a recent college graduate who took it upon herself to train your staff in how to use Slack or some other collaboration platform. If you don’t have someone who seems suited to the task of becoming your de facto cybersecurity czar, look for an outside SMB technology consultant or contractor who can take on the role.
• Invest in an email filtering program that can protect your assets. Email remains the weakest link in defending against cyberattacks. SMBs need to fend off the spam, phishing attacks, malware, and domain impersonation attempts that arrive via email. A platform from an established company specializing in email security should be the top item in any SMB’s cybersecurity budget. A cloud-based system provides immediate access to software updates and eliminates the need to do maintenance. The best cloud email security systems today use artificial intelligence to spot suspicious emails and display pop-up banners to alert employees to potential malware. If you don’t know where to start, tap into your professional network for advice. But don’t make a selection based solely on someone else’s recommendation, no matter how much you trust them. What a peer finds important may not be what’s important to you. Test the software to make sure it fits your needs.
• Use multi-factor authentication (MFA). By now, most of us are familiar with this approach to security, in which passwords must be followed by additional information (often a six-digit security code) before a system can be accessed. Although MFA may be a little cumbersome for your team, it is a highly effective defense against many email-borne threats as cybercriminals increasingly launch identity-based attacks. Even if one of your employees is taken in and provides password information during a phishing attack, cybercriminals won’t be able to penetrate your system if they don’t have access to the randomly generated access code. This extra layer of security provided by MFA is also useful in reducing your attack surface, which includes endpoint devices like laptops, mobile phones, tablets, and smart watches.
• Make every employee a crusader in the battle against cyberattacks. Ultimately, the biggest vulnerabilities for any business are errors made by employees or partners as a result of a lack of awareness. Investing in cybersecurity awareness policies and related training delivers significant dividends. Your designated cybersecurity leader—whether you fill the role internally or externally—should maintain an understanding of current threats and can create a set of policies for risk avoidance and attack remediation. Institute in-person meetings to communicate these policies, and — if you’re the CEO — become an active participant in these learning sessions. The U.S. Cybersecurity and Infrastructure Security Agency specifically recommends that small-business CEOs play a role in instilling a “culture of security” at their companies.[2]

The Bottom Line 

With big enterprises having improved their security, cybercriminals are increasingly targeting SMBs. SMBs don’t need an ultra-sophisticated security strategy. Instead, they should focus on a handful of steps that have high impact. These include assigning a person to oversee their cybersecurity push and taking advantage of MFA and cloud-based email security products. Read how Mimecast’s Email Security, Cloud Integrated solution can advance your effort to keep your data and systems secure. 

[1] “The Hiscox Cyber Readiness Report 2022,” Hiscox

[2] “Cyber Guidance for Small Businesses,” Cybersecurity Infrastructure & Security Agency