Email Security

    As Attacks Rise, SMBs Need a Cybersecurity Playbook

    Smaller companies are under-resourced in the fight against cyberattacks. Four actions can help them manage their cybersecurity risks. 

    by Kiri Addison

    Key Points

    • Cybercriminals are increasingly targeting small and medium-size businesses (SMBs) now that big enterprises have tightened up their security.
    • One of the first things that SMBS should do is implement a software platform to secure their email systems, a primary source of vulnerability.
    • SMB leaders can also take on a visible role in cybersecurity initiatives and invest in identity management and cybersecurity awareness training.

    A small or medium-size business (SMB) isn’t necessarily the preferred target of an experienced cybercriminal. The bigger bang comes from penetrating the defenses of a large enterprise — one with millions of customers and billions in the bank.

    But cybercriminals go where the vulnerabilities are. And with large enterprises having improved their cyber defenses in recent years, SMBs are increasingly in the crosshairs.

    A 2022 survey by the insurance company Hiscox shows that companies with revenues between $100,000 and $500,000 are getting as many attacks as those 10 or 20 times larger.[1] Anyone with an understanding of SMBs’ security challenges, as we have at Mimecast, has heard anecdotal evidence of the same thing: SMBs are being targeted. There’s the B2B services company that told us its controller was on the verge of sending out $2,000 in gift cards before the  controller learned, at the last minute, that the request came from a fake email address. And there’s the small-company CEO who told us that the number of money requests he was getting through phishing emails was so high that it had become almost comical. But he recognized the serious risk such email attacks posed. “I figured it was just a matter of time before we fell for one of them,” the CEO said. Acting on that belief, the CEO bought a software program to secure his company’s email.

    All Eyes on SMBs

    Cybercriminals aren’t the only ones shifting some focus to SMBs, which seems to have begun during the work-from-home pandemic years when more SMBs adopted cloud-hosted software solutions and digitized more of their processes. The resulting uptick in SMB-directed cyberattacks has prompted many in the cyber defense ecosystem — including government agencies, researchers, and cybersecurity software companies — to shift more of their attention to SMB vulnerabilities as well. 

    While that may increase the pressure on SMBs, it can also benefit SMB leaders who have to make difficult decisions about their cybersecurity spending from year to year. Some may not even have a dedicated IT person on staff. Taking advantage of the experience, insight, and tools provided by researchers, regulators, and cybersecurity vendors, SMBs can mount an effective defense.

    4 Cybersecurity “Musts” for SMBs

    SMB leaders understand the importance of getting the most out of their limited resources — both their people and their investments. This is especially true when it comes to cybersecurity. The four best practices below are a good place for SMB leaders to start in making the most of their cybersecurity funding and personnel.

    • Put someone in charge of your cybersecurity effort. It doesn’t matter if you’re one of the many SMBs that doesn’t have anyone on staff with “technology” in their title. You still need someone to lead the charge on cybersecurity. Even at small companies, there’s usually someone who is already solving IT problems. It could be an operations manager who has spearheaded your company’s effort to replace a legacy database system with something more user-friendly and affordable. Or it could be a recent college graduate who took it upon herself to train your staff in how to use Slack or some other collaboration platform. If you don’t have someone who seems suited to the task of becoming your de facto cybersecurity czar, look for an outside SMB technology consultant or contractor who can take on the role.
    • Invest in an email filtering program that can protect your assets. Email remains the weakest link in defending against cyberattacks. SMBs need to fend off the spam, phishing attacks, malware, and domain impersonation attempts that arrive via email. A platform from an established company specializing in email security should be the top item in any SMB’s cybersecurity budget. A cloud-based system provides immediate access to software updates and eliminates the need to do maintenance. The best cloud email security systems today use artificial intelligence to spot suspicious emails and display pop-up banners to alert employees to potential malware. If you don’t know where to start, tap into your professional network for advice. But don’t make a selection based solely on someone else’s recommendation, no matter how much you trust them. What a peer finds important may not be what’s important to you. Test the software to make sure it fits your needs.
    • Use multi-factor authentication (MFA). By now, most of us are familiar with this approach to security, in which passwords must be followed by additional information (often a six-digit security code) before a system can be accessed. Although MFA may be a little cumbersome for your team, it is a highly effective defense against many email-borne threats as cybercriminals increasingly launch identity-based attacks. Even if one of your employees is taken in and provides password information during a phishing attack, cybercriminals won’t be able to penetrate your system if they don’t have access to the randomly generated access code. This extra layer of security provided by MFA is also useful in reducing your attack surface, which includes endpoint devices like laptops, mobile phones, tablets, and smart watches.
    • Make every employee a crusader in the battle against cyberattacks. Ultimately, the biggest vulnerabilities for any business are errors made by employees or partners as a result of a lack of awareness. Investing in cybersecurity awareness policies and related training delivers significant dividends. Your designated cybersecurity leader—whether you fill the role internally or externally—should maintain an understanding of current threats and can create a set of policies for risk avoidance and attack remediation. Institute in-person meetings to communicate these policies, and — if you’re the CEO — become an active participant in these learning sessions. The U.S. Cybersecurity and Infrastructure Security Agency specifically recommends that small-business CEOs play a role in instilling a “culture of security” at their companies.[2]

    The Bottom Line 

    With big enterprises having improved their security, cybercriminals are increasingly targeting SMBs. SMBs don’t need an ultra-sophisticated security strategy. Instead, they should focus on a handful of steps that have high impact. These include assigning a person to oversee their cybersecurity push and taking advantage of MFA and cloud-based email security products. Read how Mimecast’s Email Security, Cloud Integrated solution can advance your effort to keep your data and systems secure. 


    [1]The Hiscox Cyber Readiness Report 2022,” Hiscox

    [2]Cyber Guidance for Small Businesses,” Cybersecurity Infrastructure & Security Agency

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page