When it comes to cybercrime, small and medium-sized businesses (SMBs) have a growing target on their backs. Bad actors have identified these organizations, with their limited resources and underdeveloped cybersecurity policies, as vulnerable. Furthermore, these smaller entities are often seen as gateways to larger organizations within the supply chain, making them potentially lucrative targets for attacks.
98% of cyberattacks on SMBs were financially motivated, with 54% involving compromised credentials - 2023 Verizon DBIR
To shed light on how these trends are playing out within SMBs, LastPass recently polled more than 600 business and IT security leaders from companies with fewer than 3,000 employees.
The survey revealed a concerning pattern: while SMB leaders are becoming more proactive in their approach to cybersecurity – increasing awareness of and investment in security measures, for example – respondents identified that human factors are still creating serious security gaps that can leave these organizations vulnerable to cybercriminals.
How can SMB leaders fill these gaps? Read on for analysis and advice from the LastPass threat intelligence team.
Revealing the Accountability Disconnect
The most salient phenomenon the survey identified is the accountability disconnect between executive actions and employee behaviors.
Executives are increasing their focus on and investment in cybersecurity, with 90% of IT leaders and 80% of non-IT leaders reporting an increased focus on cybersecurity measures over the past year, and 82% of businesses boosting their cybersecurity budgets.
In turn, 92% of executives and 93% of IT leaders reported believing employees understand security expectations. And the majority of executives and IT leaders reported feeling confident about their cybersecurity measures, with only 30% of leaders believing their company faces a high risk of cybersecurity issues.
However, the survey results suggest a different reality on the ground:
- Only 78% of non-IT leaders believe employees understand the security expectations of their jobs
- 1 in 5 business leaders admits to circumventing security policies
- 1 in 10 IT security leaders admits to circumventing security policies
- 1 in 4 younger workers is likely to break policies
- 36% of Gen Z professionals admit to writing down passwords
The survey suggests that while financial investments in cybersecurity are increasing, qualitative investments are equally crucial.
How to Close the Gap: Cybersecurity tips and best practices
Considering these findings, SMB leaders can enhance their cybersecurity strategies by focusing on policy improvements, employee education, and cultivating a culture of security awareness.
Tip 1: Boost cybersecurity education
Non-IT business leaders identified lack of understanding, perceived unimportance, and the fast-paced nature of business as the main barriers to compliance with measures against cyber threats, pointing to the need for targeted educational programs that address these specific challenges.
To bridge the accountability disconnect, SMBs should develop clear communication strategies and regular training sessions across all levels of the organization. This can help ensure every single employee understands the role they play in maintaining cybersecurity – bringing everyone into the circle of accountability and behavior change.
And education isn’t just top-down. More robust communication is needed to ensure that all employees are on the same page regarding security protocols. Leaders should conduct cross-departmental meetings to ensure every part of the organization understands and commits to cybersecurity policies. Regular audits and feedback sessions can also help identify areas where understanding is lacking.
Tip 2: Grow your carrots and sticks
Given the survey findings around policy violations, especially among younger employees and certain leadership roles, SMB leaders should implement a balanced approach of stronger incentives for compliance, as well as stricter consequences for violations. An open and accepting culture for reporting violations can also empower employees to be their own security professionals.
In addition, anyone who’s been in security long enough has witnessed policy violations committed in order to get work done. With that knowledge, leadership should implement simplified processes for cybersecurity policy exceptions. An easy and clear process by which employees can gain permission to temporarily circumvent a security policy can help employees get work done without taking dishonest measures.
Tip 3: Adopt a threat intelligence-led security program
It’s heartening that SMB leaders are optimistic about security – but optimism can lead to complacency. These leaders must understand what their crown jewels are, who is coming after them, and what their most likely threats are. A threat intelligence-led security program can help them understand their true risks, rather than just guess at what might be coming.
SMBs should implement regular risk assessments and threat monitoring to maintain an accurate understanding of their security posture. Engaging in proactive threat hunting and response strategies can also help in identifying and mitigating risks before they escalate.
Tip 4: Use a password manager
The survey exposed password management as an area requiring critical attention. The widespread use of password managers within SMBs is a positive sign, yet nearly half of the breaches reported by the respondents involved compromised passwords.
In response, SMBs should implement and enforce company-wide use of password managers. Continuous education on password security will also be vital to combat lack of employee understanding and the perceived unimportance of password policies.
Tip 5: Prepare for AI-powered threats
As SMBs prepare for future challenges, they must remain vigilant against phishing attacks, cloud vulnerabilities, and the potential for business data loss due to ransomware attacks or malware. The evolving role of artificial intelligence in cybersecurity, particularly AI-powered phishing attacks, is also something that SMB leaders need to watch closely.
To stay on top of technological advancements in AI and cybersecurity, leaders might consider investing in AI-driven security tools that can provide advanced threat detection and response capabilities. Training employees about the latest phishing tactics, including those powered by AI, will also be crucial.
The largest companies in the world, with every possible resource at their disposal, still see themselves at high risk every day; there’s no reason SMBs shouldn’t see themselves the same way.
Small steps can make a big difference for SMBs
The journey towards robust cybersecurity is ongoing for SMBs, and it’s clear that a policy of “trust but verify” still very much applies to this type of organization. While it's important for leaders to trust their employees and systems, it's equally crucial for them to continuously ensure that security policies are up-to-date, functioning, and being followed.
The increasing awareness and investment reported in the SMB Cybersecurity survey are commendable. Yet, there is still considerable work to be done to align cybersecurity culture with policy and bridge the gap between leadership perceptions and employee behaviors. By focusing on comprehensive education, policy enforcement, and innovative technologies, SMB leaders can fortify their defenses and foster a more secure future.
Read the full report to learn more about cybersecurity challenges facing SMBs.