Cybersecurity and SMBs

  • A guide on how to get started with cybersecurity for SMBs.

Introduction

The internet is indispensable. Today, businesses of all sizes rely on the World Wide Web in almost every aspect of their operations. But, while the internet has helped companies grow, it has also introduced serious security risks. Cybercrime is today’s fastest-growing form of criminal activity, with data breaches and their enormous costs making news headlines almost daily. It’s safe to say that cybersecurity has become a concern for the entire business community.

One thing we learned over the past few years is that no one is safe, because cybersecurity is no longer only a large enterprise’s concern. Cybercriminals have found a new sweet spot — small and medium-sized businesses, which often lack the resources to keep up with the growing security threats.

Leveraging innovative technologies is critical if SMBs want to succeed in today’s economy, but such organizations must be acutely aware of the dangers those technologies pose. Knowing what to look out for and how to set up cybersecurity defenses should be on the priority list of any SMB these days.

In the face of these challenges, SMBs devote their attention to mitigating any risk of a cyberattack or data breach. Recent high-profile incidents have prompted small companies to review and re-evaluate their security practices. As a result, many are trying their best to adapt.

Alarming numbers

Over the past several years, we have witnessed an array of successful cyberattacks against some of the world’s most prominent enterprises. The pace at which such breaches occur is simultaneously spectacular and frightening. Since the media and law enforcement tend to focus on large-scale attacks and breaches, it is easy to overlook that SMBs are often at an even greater risk and are much more vulnerable to cybercriminal activity.

Here are some basic statistics that frame the scope and urgency of the problem SMBs face.

The Ponemon Institute report reveals that, in 2019 alone, 66% of SMBs experienced a cyberattack, and 63% faced a data breach.

Even more concerning is the fact that cybercrime poses an existential threat for SMBs. Statista notes that the average cost of a cyberattack stands at about $8.64M, while the National Cyber Security Alliance states that 60% of small and midsize businesses that fall victim to a severe cyberattack go out of business within six months.

Why do SMBs attract cybercriminal activity?

The rate at which small and medium-sized businesses (SMBs) are targeted by cybercriminals is at an all-time high. There are a number of reasons that make SMBs an attractive target for cybercriminals, but the main one is simple. Small enterprises are easier targets than large organizations because they often lack the resources to protect themselves from cybercriminal activity and don’t have sufficient in-house expertise to deal with cyberattacks and the shifting landscape of cyber threats.

Sometimes, SMBs operate with a false sense of security. According to Forbes, 57% of small business owners feel they won’t be targets of cyberattacks. Such upside-down thinking is a major factor why SMBs are so attractive to cybercriminals.

Most common cybersecurity threats

Phishing

Phishing is a form of social engineering. Simply put, a phishing attack occurs when a bad actor disguises himself as a trusted contact to get the user to click a malicious link, download a malicious file, or provide access to sensitive accounts.

Phishing attacks are among the most dangerous and the most widespread threats small businesses face. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. In 2020, 75% of organizations around the globe experienced some kind of phishing attack.

Phishing attacks are becoming more sophisticated by the day. Attackers find new and more convincing ways to imitate legitimate business contacts. This is what makes phishing scams so tricky to detect and combat. Rather than exploiting cybersecurity weaknesses within businesses, the attackers use social engineering to target humans within the organization.

Human error is a major contributing factor in most data breaches.
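Because phishing targets people rather than software flaws, the technical defense is to surface the cues a hurried reader misses. The following is an added example, not part of the original guide or of any NordPass product, showing three cheap heuristics a mail-filtering or user-reporting tool can apply to a message: an address embedded in the display name that does not match the real sender domain, a Reply-To routed to another domain, and link text that displays one host while the href leads somewhere else. Both messages are constructed for the demonstration, the domains are fictitious, and the "registrable domain" helper is a deliberate simplification.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email): look-alike address in the display
# name, Reply-To on another domain, link text that hides the real target.
SUSPICIOUS_EMAIL = """\
From: "it-support@acme.example" <helpdesk@acme-login-reset.example>
Reply-To: recovery@mail-verify.example
To: alice@acme.example
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Sign in at
<a href="http://acme.example.mail-verify.example/login">https://mail.acme.example/login</a>
to keep your account.</p>
<p>Regards, <a href="https://acme.example/help">acme.example helpdesk</a></p></body></html>
"""

# Constructed legitimate message: every domain is consistent.
CLEAN_EMAIL = """\
From: "Acme Helpdesk" <helpdesk@acme.example>
To: alice@acme.example
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset=utf-8

<html><body><p>Details: <a href="https://wiki.acme.example/maintenance">https://wiki.acme.example/maintenance</a></p></body></html>
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
# Anchor text that itself looks like a URL or a bare hostname.
URLISH_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Simplification: the last two labels stand in for the registrable domain;
    # production code would consult the Public Suffix List (e.g. for co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_of(url_or_host):
    text = url_or_host.strip()
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def analyze(raw_message):
    """Return heuristic findings for one RFC 5322 message; [] means none fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = []
    # 1. Display name that contains an address from a different domain.
    shown = ADDRESS_RE.search(sender.display_name or "")
    if shown and registrable(shown.group(0).split("@")[1]) != registrable(sender.domain):
        findings.append("display-name-address-mismatch")
    # 2. Replies silently routed to another domain.
    if msg["Reply-To"]:
        if registrable(msg["Reply-To"].addresses[0].domain) != registrable(sender.domain):
            findings.append("reply-to-domain-mismatch")
    # 3. Link text showing one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URLISH_RE.match(text) and registrable(host_of(text)) != registrable(host_of(href)):
                findings.append("link-text-mismatch:" + host_of(href))
    return findings

if __name__ == "__main__":
    print(analyze(SUSPICIOUS_EMAIL))  # three findings
    print(analyze(CLEAN_EMAIL))       # []
```

None of these checks proves a message is malicious; legitimate newsletters and ticketing systems trip the Reply-To rule all the time. Their value is in routing a flagged message to a warning banner or a review queue, which is exactly the point at which the staff training described later on this page does its work.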

Ransomware attacks

Ransomware attacks are another common cybersecurity threat that hits thousands of small businesses every year. In recent years, ransomware attacks have become more frequent as they prove to be extremely lucrative for attackers. The 2020 Verizon Data Breach Investigations Report reveals that 83% of all cyberattacks on SMBs with under 1,000 employees are financially motivated.

In a ransomware attack, hackers encrypt company data so it cannot be accessed or used in any way and, as the name suggests, demand a ransom to unlock it. This is a nightmare for any business.

SMBs are especially vulnerable to these types of attacks. The Datto report highlights that 1 in 5 SMBs fall victim to a ransomware attack, with the average requested ransom standing at around $5,900. The leading cause of ransomware attacks, as noted in the report, is phishing emails. In the first quarter of 2020 alone, ransomware attacks on SMBs rose by a whopping 67%. What’s even worse is that, in 2020, 73% of all ransomware attacks were successful. It wouldn’t be an exaggeration to say that ransomware attacks can pose an existential threat to any SMB.

Weak passwords

Employees using weak, reused, or compromised passwords is another major cybersecurity issue that puts small businesses at risk. While the risks of using weak passwords are well known these days, some SMBs still struggle to establish company-wide password practices or keep track of their employees’ password usage.

According to a recent study, 47% of SMBs reported that a cyberattack against them involved an employee's compromised password and that the average cost of such an attack amounted to $384,598. Our own research revealed that a whopping 73% of the world’s most popular passwords could be cracked in less than a second.

A Google report reveals that two-thirds of users reuse passwords either across work accounts or between work and personal accounts.

Insider threats

Insider threats are the risks a company faces from the actions of its own employees, former employees, business partners, or associates. Such attacks can often be the most dangerous since insiders can access critical data more easily than anyone from the outside.

A Verizon Insider Report revealed some alarming numbers. According to the report, 57% of database breaches involved insider threats, while 20% of cybersecurity incidents and 15% of data breaches are due to misuse of privileges. Another study reported that 71% of users have access to company data they should not be able to see.

Helping SMBs overcome cybersecurity threats

Cybersecurity is a profoundly difficult issue, made even more complicated by the limited resources SMBs have. Nevertheless, there are ways in which the threats and problems pointed out above can be addressed proactively.

Below, we provide explanations, tips, and recommendations on what SMBs can do to improve their virtual security and thus minimize the risk of being hit by a cyberattack.

Determine your vulnerabilities

Any SMB looking to boost its cybersecurity should first assess and evaluate the risks that might compromise the security of the company's networks, systems, or information. Detecting and analyzing possible threats will help you prepare a plan and fill in any gaps in your cybersecurity strategy.

Be sure to examine where and how you store your business's data and who can access it.

Evaluate who may want to access the data and how they might go about doing so. Determine the levels of risk as well as the entry points of possible cyberattacks and breaches.

Once you are done with the analysis and have identified the potential cybersecurity threats, use the information to develop or refine your security strategy. Don't forget to review and revise the strategy regularly and notify your staff if there are any changes to it.

Tip:

  • Consider hiring a professional to evaluate your company’s security.

Cybersecurity training for staff

Unfortunately, in many small enterprises, employees are too often underprepared when it comes to protecting themselves and their company from cyberattacks.

Cybersecurity training should be a must in this day and age.

If your company lacks the resources to outsource cybersecurity training, make sure to get your employees on the same page about security policies within the company yourself. Educate them on the company’s data protection policies to spread individual awareness. Take the time to answer questions or clarify any points of confusion. Also, arrange follow-ups with long-term employees. Be sure to issue awareness messages to update employees on any new changes to the guidelines.

Tips:

  • Introduce a company-wide password policy.
  • Consider setting a company-wide policy for email use.
  • Establish regular follow-ups.

Secure your database

Nowadays, everything is stored in databases. They contain a lot of data, and data has become a valuable asset, especially in the eyes of cybercriminals. It may be customer records, credit card details, or internal company documents. Unsurprisingly, database security has become a hot topic. For businesses, it is equally important to choose a database platform with strong built-in security controls and to take proactive steps to keep the database secure.

Tips:

  • Separate database servers and web servers.
  • Audit and monitor database activity.
  • Disable public network access to database servers.
  • Encrypt your database.

Back up your data

Think about how much your business relies on data: orders, payment details, quotas, and customer details. Now, imagine what happens if all of a sudden you lose access to all of it.

Making regular data backups and securely storing them is essential for any business, regardless of its size.

By making backups a priority, you proactively defend yourself against a variety of cybersecurity threats.

Tips:

  • Identify essential data you need to back up.
  • Store your backups on an offline machine if possible.
  • Set up a regular backup schedule.
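The three tips above become concrete once a backup job does more than copy files: it should record a checksum so silent corruption or tampering is caught, it should be restore-tested (a backup that has never been restored is only a hope), and it should enforce a retention schedule. The script below is an added example written for this guide, not a NordPass tool or anything from the original page; it works on constructed sample files under a temporary directory, and the `demo()` function runs the whole cycle so the results can be inspected. Storing the resulting archives on an offline machine, as the tips recommend, is outside what a script on the source host can do and is assumed to happen after `create_backup` returns.

```python
import hashlib
import hmac
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def create_backup(source_dir, backup_dir, stamp=None):
    """Archive source_dir into backup_dir and record the archive's SHA-256 beside it."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")  # lexical order == chronological order
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
    Path(str(archive) + ".sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive

def verify_backup(archive):
    """True only if the archive still matches its recorded hash and can be read."""
    archive = Path(archive)
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    if not hmac.compare_digest(recorded, sha256_file(archive)):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError):
        return False

def restore_backup(archive, dest_dir):
    """Restore into dest_dir; run this regularly, not only after an incident."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Python 3.12+ (and patched 3.8-3.11) provide the 'data' filter, which
    # refuses absolute paths and '..' entries that would escape dest_dir.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest_dir, **extra)
    return dest_dir

def prune_backups(backup_dir, keep=7):
    """Delete all but the newest `keep` archives and their hash files; return how many went."""
    archives = sorted(Path(backup_dir).glob("backup-*.tar.gz"))
    removed = 0
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
        removed += 1
    return removed

def demo():
    """Full cycle on constructed sample files; returns a dict of check results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "crm-data"
        src.mkdir()
        (src / "orders.csv").write_text("id,customer,total\n1,ACME,120.50\n")
        (src / "customers.csv").write_text("id,name\n1,ACME\n")
        backups = Path(tmp) / "backups"
        archives = [create_backup(src, backups, stamp=f"2021010{d}T020000") for d in range(1, 5)]
        results = {"verified": verify_backup(archives[-1])}
        restored = restore_backup(archives[-1], Path(tmp) / "restore-test")
        results["restore_matches"] = (
            (restored / "crm-data" / "orders.csv").read_text() == (src / "orders.csv").read_text()
        )
        with open(archives[0], "ab") as fh:  # simulate silent corruption of the oldest archive
            fh.write(b"\x00")
        results["tamper_detected"] = not verify_backup(archives[0])
        results["pruned"] = prune_backups(backups, keep=2)
        results["remaining"] = len(list(backups.glob("backup-*.tar.gz")))
    return results

if __name__ == "__main__":
    print(demo())
```

The hash file sits beside the archive here for simplicity; against a ransomware operator who can reach the backup share, the checksums (or the whole archive set) must live somewhere the production network cannot write to, which is the reason for the offline-copy tip above.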

Use antivirus software

Antivirus software, which is often the first line of proactive defense, should be used on all company workstations, desktops, and laptops. Basic antivirus software is usually included in popular operating systems. If you lack the resources for third-party software, make sure to enable all the default antivirus and anti-malware tools within the operating system. Otherwise, a good idea for any SMB is to invest in reliable third-party antivirus software.

Most antivirus developers can offer a more robust product with a significantly better detection capability than the default tools within the operating system. Smartphones, tablets, and other electronic devices might require a different approach, but make sure not to overlook them since only a single compromised point of entry could be enough to cause a breach.

Tips:

  • When choosing antivirus software, take detection rate into account.
  • Antivirus software for professional use should scan emails, attachments, and documents and provide a robust firewall.
  • Take into account how much of the system resources your antivirus will use.

Deploy a password manager

Weak, compromised, or reused passwords are the leading reason for data breaches. Password fatigue is real and affects pretty much everyone online. Our recent study has revealed that, in 2020, an average internet user had about 100 passwords.

A lot of those passwords get constantly reused, and some of those might have been breached and are now up for grabs on the dark web.

Unfortunately, this makes cyberattacks a lot easier to carry out and much more effective. In any case, password management solutions are a must-have for business entities of any size.

Reliable password management software for business offers an encrypted vault from which you and your employees can safely and quickly retrieve passwords. It eliminates the need for spreadsheets, which often store passwords in plain text and are unprotected. Corporate password managers such as NordPass Business also ensure effective user management from a single place – the Admin Panel – and offer features such as groups for a more effective management.

Password managers do more than protect passwords. Most offer a way to protect other sensitive data, such as credit cards, secure notes, and personal information. For instance, NordPass Business offers additional security tools and features, such as a password generator, data breach scanner, and password health tool.

Tips:

  • Consider cross-platform compatibility so that you and your employees can reach passwords on desktops, laptops, and mobile devices.
  • Look into user management capabilities.
  • Carefully read and consider the vendor’s privacy and security policies.
  • Look for a service with 24/7 customer support.
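The "Weak passwords" section above and the password health tool mentioned in this section describe the same check from two sides: finding credentials that are too short, already exposed in a breach, or reused across accounts. The code below is an added example written for this guide (not NordPass code and not a description of how NordPass works) that audits a constructed vault export the way a password manager's health report would. The breached-password list is a small constructed stand-in; real corpora such as Have I Been Pwned publish SHA-1 hashes, which is why the comparison here is on hashes, and `breach_lookup_prefix` shows the k-anonymity idea those services use so the full hash never leaves the client. The 12-character minimum is an assumed policy value.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault export (not real credentials). A password manager's
# health check runs over exactly this kind of data inside the encrypted vault.
VAULT = [
    {"account": "mail.example.com",    "user": "alice", "password": "Summer2020!"},
    {"account": "crm.example.com",     "user": "alice", "password": "Summer2020!"},
    {"account": "vpn.example.com",     "user": "alice", "password": "quiet-harbor-lantern-7pines"},
    {"account": "billing.example.com", "user": "bob",   "password": "password1"},
    {"account": "wiki.example.com",    "user": "bob",   "password": "Tr0ub4dor&3"},
]

# Constructed stand-in for a breached-password corpus, kept as SHA-1 hashes
# because that is the form in which such corpora are distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password1", "123456", "qwerty")
}

MIN_LENGTH = 12  # assumed company policy value

def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()

def breach_lookup_prefix(password):
    """First five hex digits of the SHA-1: the only thing a k-anonymity range
    query sends to a breach service; returned suffixes are matched locally."""
    return sha1_upper(password)[:5]

def audit_vault(vault, breached=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return (account, user, sorted issues) for each entry that violates policy."""
    accounts_by_password = defaultdict(list)
    for entry in vault:
        accounts_by_password[entry["password"]].append(entry["account"])
    findings = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(pw) < min_length:
            issues.append("short")
        if sha1_upper(pw) in breached:
            issues.append("breached")
        if len(accounts_by_password[pw]) > 1:   # same secret guarding several accounts
            issues.append("reused")
        if issues:
            findings.append((entry["account"], entry["user"], sorted(issues)))
    return findings

def summary(findings, vault):
    """Aggregate counts for a management-level password health report."""
    counts = {"entries": len(vault), "flagged": len(findings), "short": 0, "breached": 0, "reused": 0}
    for _, _, issues in findings:
        for issue in issues:
            counts[issue] += 1
    return counts

if __name__ == "__main__":
    results = audit_vault(VAULT)
    for account, user, issues in results:
        print(f"{user}@{account}: {', '.join(issues)}")
    print(summary(results, VAULT))
```

Note that "Tr0ub4dor&3" is flagged only for length: character substitutions do not rescue a short password, while the long passphrase on the VPN account passes every check. That is the argument for a length-first password policy backed by a generator, which a password manager supplies.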

Keep your software updated

If you use one or more proprietary software programs on your organization's devices, they should be regularly updated with patches from the developer, just like the operating systems. Have you ever been interrupted by a notification prompting you to update a certain application? Those can be annoying, and most of us are guilty of postponing them for an indefinite amount of time. However, regular updates are crucial for your business's cybersecurity.

The updates not only add new functionalities and features but also patch any security vulnerabilities. Be sure to let your staff know when updates are ready and how to install them. Explain that it's important to do so straight away for the security of the entire organization.

Tips:

  • Turn on automatic updates.
  • Get to know the software’s update schedule.

Use multi-factor authentication

Multi-factor authentication (MFA) can play a critical role in your overall cybersecurity strategy. MFA is a form of authentication that provides an additional security layer to every platform or app you or your employees access and use.

If you have an option to use MFA for any of your business accounts, you should.

There's a variety of multi-factor authentication methods available, but all of them are built to provide that extra layer of security.

MFA helps with safety, productivity, and compliance. It also provides businesses with an effective way to protect the organizational infrastructure.

MFA works by requesting multiple verification forms to prove the user's identity. To name a few, that could be text messages, email codes, or phone calls. You can choose an option that suits your business needs the most to ensure it does not interfere with effective workplace operations.

Tips:

  • If your company uses cloud-based software, you should require your employees to use MFA at all times.
  • Any remote desktop logins should require MFA.
  • Consider a company-wide policy that would require everyone to use MFA for work-related accounts or apps.

Secure your network

Ultimately, the more security measures you can put in place, the better. Nowadays, as cybercrooks are getting better at network interceptions and snooping, securing your company's network should be at the top of your list. The easiest way to do that is by deploying a virtual private network (VPN) service within your organization.

A VPN encrypts the internet connection and the data transferred over your business network. Services like NordVPN also offer other features such as a kill switch, which is designed to disconnect hardware from the network if the protected connection is suddenly lost. This keeps your business network safe from unexpected and unwanted data leaks. With a VPN for company-wide use, your employees can securely use Wi-Fi without compromising the company's sensitive data while working from home. This is especially important during the COVID-19 pandemic as many businesses are forced to move their operations online.

Tips:

  • When choosing a VPN for your business, consider the encryption protocol.
  • Make sure the service provides adequate connectivity speed for your business.
  • A reliable VPN service should offer a kill switch feature.
  • Take into account the logging policies of the VPN service provider.
  • Customer support should be available 24/7 to ensure the business’s stable network connectivity.

Final thoughts

Every day, a new organization gets hit by a cyberattack. This includes universities, schools, healthcare providers, government institutions, and businesses of all sizes. Anyone can become a victim of a cyberattack. The current trend suggests that such attacks will only increase in the future.

Security experts are already talking about what it means for SMBs to be cyber-resilient and how that can improve your organization’s overall cybersecurity. With cyberattacks on SMBs on such an increase, being prepared ensures that you can withstand all threats and recover quickly in the event of an actual attack or breach. Remember: embracing a proactive approach to cybersecurity makes small to medium-sized businesses more resilient.

As you continue to protect, detect, and respond in 2021, remember to follow the latest cybersecurity trends because hackers keep coming up with more sophisticated and creative ways to harm your business.

We hope you’ve found this cybersecurity guide helpful. If you have further inquiries about how you could deploy a password manager or a VPN service to ensure your business’s security, do not hesitate to reach out.

Stay safe,
NordPass Team!