SMBs: A Common Target for Cybercriminals


Many IT pros at small-to-medium businesses (SMBs) see themselves as flying below the cybercrime radar. They often assume their business is not interesting or relevant enough to a cybercriminal to be worth attacking and, as a result, that they have less to worry about. The challenges they face, however, are no less daunting or serious.

Cybercriminals Are Paying Attention

Cybercriminals target SMBs because SMBs are likely to have more exposed vulnerabilities and more opportunities for a breach. In fact, according to the 2018 Verizon Data Breach Investigations Report, 58 percent of the organizations victimized by cybercrime were categorized as small businesses.

Cybercriminals also enjoy better economies of scale these days: malware attacks require less time, money and effort than they used to. And SMBs hold sensitive business information and personal data just like larger firms. Even though an SMB is unlikely to hold records tied to millions of people, what it does hold is just as marketable on the dark web.

In some cases an SMB is worth more to an attacker than its own data. Some smaller firms' networks are connected to an enterprise-sized partner's network. Once inside a compromised SMB network, a cybercriminal may find it easier to gain unauthorized access to the enterprise partner's network than to attack that partner directly.

To protect themselves, enterprises are enforcing contracts, assessments and policies on their smaller partners. This places a higher burden on the SMB to have security controls in place that may be out of its reach.

The Challenges for SMBs

SMB security challenges are not all that different from anyone else's: vulnerabilities, threats and social engineering do not discriminate based on size or prominence. Where SMBs and enterprises obviously do differ is in size and scale, and that disparity reveals some of the most difficult challenges SMBs face, including:

#1 Security is Very Expensive

Technology and services that provide common defenses against cyberattacks can be harder for an SMB to afford and maintain. Security vendors often do not charge on a sliding scale and tend to set prices where enterprises can afford them. In some cases vendor packages geared to SMBs miss the mark because they do not scale down small enough.

#2 People Aren’t Very Smart

Lack of security education and awareness among the workforce increases the chance of falling victim to a phishing attack. This doesn't actually mean people aren't very smart, by the way. People just aren't likely to become smarter on a topic they don't feel is important to them. Although this risk is common to any organization, an enterprise-sized firm is likely to enforce a formal education policy and courseware, while an SMB might not, either out of complacency from believing it is not a target, or from over-confidence that its workforce is plenty smart enough to defend itself.

#3 The Community is Very Elitist

The security community is elitist, and SMB security pros are often not invited to the table. A large or executive-level security media outlet or conference will purposely focus on pros from big firms to reach the audience with the most to spend. Enterprise pros assume a peer at an SMB wouldn't have much to teach them anyway. This is a problem for SMBs, considering that sharing problems and getting help from peers is a necessary part of anybody's ability to manage risk. And given how an SMB IT pro may feel marginalized by the security industry, they may not even feel worthy of attention.

Security is obviously too hard for any SMB to handle perfectly, or even just really well. Even so, there are things within reach that help an SMB become better protected against cybercrime.

Where to Focus Control and Ability

By focusing on where they can have more control and ability, on a reasonable budget, an SMB IT pro can reduce some of the highest risks.

A good place to start is with people and the common behaviors that lead to a higher risk of an incident or breach. After all, an SMB has the benefit of a smaller workforce to reach and more opportunities to connect personally.

The 2018 Verizon Data Breach Investigations Report noted that phishing and the use of stolen credentials are two of the top three actions that lead to security breaches. The year before, Verizon reported that 81 percent of hacking-related breaches leveraged stolen or weak passwords.

The good news is that an organization of any size can get better at password management by providing its workers with LastPass. For starters, it won't break the IT budget or become another headache to maintain and manage. Users store their passwords securely and generate a unique, strong password for each and every one of their accounts, so a credential stolen or phished from one site cannot simply be replayed against another.

And users don't need to remember any of those passwords, either. All they need to remember is one secret passphrase that only they know, which unlocks their password vault. That passphrase then protects every stored credential, so it must be long, unique and never shared or reused anywhere else.
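As an added illustration of the two points above (reused or weak passwords behind breaches, and a vault that holds unique, generated passwords behind one passphrase), the following Python example is written for this page and is not LastPass code, nor a description of how LastPass works internally. It shows the three things a password manager does for a user: generate a random password per account from a CSPRNG, flag any password reused across accounts, and turn the one remembered passphrase into a vault key through a slow, salted key derivation so that only a verifier, never the passphrase, is stored. All account names, the sample "before" vault and the iteration count are constructed assumptions for the demo; the vault contents themselves are left unencrypted here because the standard library has no AEAD cipher and the point is the key handling, not the ciphertext.

```python
"""Added example for this article (not LastPass code): what a password vault
does for its user, using only the Python standard library."""
import hashlib
import hmac
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Upper/lower/digits/punctuation: 94 symbols, ~6.55 bits of entropy per character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumption for the demo: a work factor in the range OWASP recommends for
# PBKDF2-HMAC-SHA256; a real product tunes this to its own threat model.
PBKDF2_ITERATIONS = 600_000


def generate_password(length: int = 20) -> str:
    """A fresh random password per account, drawn from the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return every password used by more than one account, with the accounts.

    This is the 'stolen credential from site A replayed against site B' problem:
    a non-empty result means one phished password opens several doors."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def derive_vault_key(passphrase: str, salt: bytes) -> bytes:
    """Slow, salted KDF: the single secret the user remembers becomes the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def make_verifier(key: bytes) -> bytes:
    """What the vault stores on disk: an HMAC over a fixed label, not the key or passphrase."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def unlock(passphrase: str, salt: bytes, stored_verifier: bytes) -> bool:
    """Re-derive the key and compare in constant time; a wrong passphrase stays locked."""
    candidate = make_verifier(derive_vault_key(passphrase, salt))
    return hmac.compare_digest(candidate, stored_verifier)


def replace_reused(vault: Dict[str, str], length: int = 20) -> Dict[str, str]:
    """Rotate every account that shares a password with another one."""
    fixed = dict(vault)
    for accounts in find_reuse(vault).values():
        for account in accounts:
            fixed[account] = generate_password(length)
    return fixed


if __name__ == "__main__":
    # Constructed sample: the kind of vault an employee carries in their head.
    before = {"webmail": "Summer2018!", "bank": "Summer2018!", "vpn": "Summer2018!", "crm": "Welcome1"}
    print("reused:", find_reuse(before))
    after = replace_reused(before)
    print("reused after rotation:", find_reuse(after))
    print(f"each generated password carries ~{entropy_bits(20):.0f} bits of entropy")

    salt = secrets.token_bytes(16)              # stored next to the verifier, not secret
    verifier = make_verifier(derive_vault_key("correct horse battery staple", salt))
    print("right passphrase unlocks:", unlock("correct horse battery staple", salt, verifier))
    print("wrong passphrase unlocks:", unlock("Summer2018!", salt, verifier))
```

Two design points worth noticing: the verifier lets the vault confirm a passphrase without storing anything that recovers it, and the comparison uses `hmac.compare_digest` so a wrong guess cannot be narrowed down by timing. The slow KDF is what makes an offline guess against a stolen vault file expensive, which is why the passphrase itself still has to be long.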

At the end of the day, one easy to remember passphrase can help solve some very hard to forget problems.