What SMBs can learn from big breaches
As much as we try to avoid them, cyberattacks are a fact of life. There’s no doubting that the internet brought about heaps of benefits for both our…
Oliver Pinson-Roxburgh
CEO and Co-Founder
28th September 2021
The nature of SMB business means they typically have increased operational agility compared to their mid-market and enterprise counterparts. Whilst this flexibility brings the ability to adapt well to changing market conditions and new business opportunities, it’s not without its compromises. In the SMB world, staff work in multi-role positions, resource is tight and geared towards powering growth. This has historically increased the notable challenge of getting cybersecurity services that integrate well with SMB’s resource-limited, highly flexible business operations.
We can categorise the specific challenges facing SMBs when it comes to cybersecurity as follows:
SMB-specific cyber challenges need SMB-focussed solutions. Despite over 90% of the world economy powered by SMBs, much of the cyber protection available is catered towards bigger organizations. This has traditionally made SMB security an expensive and difficult proposition. But it doesn’t have to be this way.
We’re going to look at 4 cybersecurity services that, when taken together, cover the key SMB requirements:
Hackers begin their path to breaching your organization long before sending a phishing email or exploiting a security flaw. In fact the first step any cyber criminals takes is reconnaissance. Every business leaks a surprising amount of sensitive information that hackers find useful, such as what web assets, domains and ports are exposed, along with risks from web-based third-parties. Recon scans uncover this hidden information, allowing you to see through the eyes of a hacker and help you calculate your cyber risk. Recon scans are quick to run and are included in all Defense.com™ packages, so even the smallest start-up can get visibility of this unseen but important information.
No list of quick wins would be complete without penetration testing. It’s simply an essential cybersecurity service that no business, big or small, can afford to ignore. For SMBs in particular, penetration tests are low-touch and high value. It’s no wonder pen testing is mandated or recommended by every security standard and best practice guide you can think of.
SMB infrastructure is usually much less complex than mid-market or enterprise environments, and also tends to use more cloud services. This brings two key benefits to SMBs: it not only makes pen testing easier and quicker to complete, but it also means the remediations are easier to implement. SMBs: 1, Enterprise: 0.
The risk weighting applied to each uncovered vulnerability combined with the threat tracking dashboards in Defense.com™ make it easy to see at-a-glance which remediations need to be prioritized to get quick value – and effective defenses – from your pen tests.
Sometimes SMB business owners and IT managers think that because they’ve done a pen test, their scanning days are done for another year. These people couldn’t be more wrong. This actually ignores one of the biggest attack vectors: that of unpatched software. Missing security patches accounts for up to a third of all critical security vulnerabilities identified in penetration testing, so keeping on top of your patching is vital to keeping hackers at bay. Whilst annual penetration testing is a no-brainer, they’re point-in-time assessments, and new security patches come out each and every week.
The best SMB tactic here is to pen test annually and VA scan on a monthly basis – or weekly for the highest priority systems. This keeps on top of missed patches and shores up any security vulnerabilities until your next penetration test. This is another example of where SMBs have an advantage over larger organizations: scanning and patching is easier to do. And if you implement good patching regimes now, they’ll scale as your business grows.
The last item in this list might surprise you. It’s not a technical service, management system or compliance standard. What it is, however, is easy to deliver and mitigates the risk of the largest attack surface in your organization: your workforce. Human error is responsible for more cyberattacks than anything else. And the way to secure the human is through training.
Many cyberattacks start with phishing, and even advanced cyber controls can be compromised by simple human error. This makes training your employees in the direct security consequences of their day-to-day actions a powerful cyber defense. It helps them contextualize and prioritize cybersecurity in their daily work life.
The word ‘training’ can conjure images of boring presenters with enormous PowerPoint decks, but modern security training is much more engaging – it has to be to be effective. Defense.com™ includes a series of online training videos covering key information your staff needs to know. With SMB staff multi-role-ing and stretched thin, online video delivery gives a range of advantages:
When a cyberattack means lost revenue, ruined reputation and expensive recovery, making sure you’re doing the cybersecurity basics means you’re protecting your organization’s ability to function. Follow these 4 simple steps and you’ll have laid a strong foundation for SMB cybersecurity. The next step is to codify your security protection with Cyber Essentials certification – included for free in all Defense.com™ packages.
Oliver Pinson-Roxburgh
CEO and Co-Founder
Share this article
Try all these security quick wins and more with Defense.com™. Start a free trial today!
As much as we try to avoid them, cyberattacks are a fact of life. There’s no doubting that the internet brought about heaps of benefits for both our…
Cybersecurity will always remain a pressing issue for businesses around the world, particularly so…
Through years of helping businesses improve their IT security, we’ve heard many times that small businesses feel particularly underserved…
Get actionable cyber security advice and insights straight to your inbox.