By Megan Roddie
Small and medium businesses often struggle to achieve a strong cybersecurity posture. However, securing SMBs is just as important as securing large enterprises, so it is critical that the cybersecurity industry assist these businesses in working towards better security.
The first step is recognizing the common pitfalls and misconceptions that plague the SMB market and providing them with a better understanding of cybersecurity reality for organizations their size.
1) “We’re too small for security to be a priority.”
The first, and probably most common, pitfall that SMBs encounter is the mindset that since they are small, they are not a target. In reality, that is far from the truth for several reasons. To begin with, if a “Nigerian prince” thinks it’s worth his time to scam your sweet grandmother, there is someone who will put in the time to target your company. Everyone has something to target, whether it’s the value of your assets or your susceptibility to compromise.
SMBs may think that their assets are so much less valuable than enterprises’ in their industry, and while that may be true, when attackers are choosing their targets, they are not only looking at the value of the data, they are also taking into account the difficulty of the attack.
The last thing to think about is the impact that a successful attack would have. If a major conglomerate is hacked, their stock prices may fall and they’ll likely lose some customers, but they still have a good chance of recovery. Not only is there a higher risk of being attacked as an SMB, but there is also considerably higher risk to the future of the company. If an SMB is hacked, it is more likely to be a company-ending event.
2) “We can’t afford good security.”
An often misconceived perception that has developed toward information security is that if a company wants to have a decent security posture, they need to spend a lot of money.
SMBs often believe that the answer to security is “Next-Gen AI-Powered Blockchain Cyber Magic”. While it is great if a company has the money to spend on security appliances and tools, lack of a standard security budget should not be an excuse to ignore your security posture entirely.
There are a number of steps that an SMB can take to better secure your environment — without spending anything — that are enough to deter a lot of attackers.
For example, if you have an environment with Active Directory:
Have you ensured that your group policy settings are following best practices?
Are the default guest accounts disabled? There are dozens of GPO settings that can stop your company from being the lowest hanging fruit for an attacker.
What about your cloud platforms?
Is Multi-Factor Authentication enabled on all your publicly accessible platforms?
That alone can decrease the chances of a successful phishing attack to almost zero. If your organization can afford to buy expensive security solutions, there is no harm in an extra layer of defense. But if you haven’t already securely configured your existing solutions, you have a good starting point to improve your security posture without additional cost to your organizations.
3) “Our IT Team makes sure everything is secure.”
Although it is not feasible for many SMBs to have a dedicated, in-house security team, they do often have either an in-house IT team or they outsource IT-related needs to a managed service provider (MSP).
With the reliance on technology to operate a business, organizations typically need at least one person with technical know-how to assist, whether that is an employee or a contracted organization. One reason SMBs may not hire a managed security services provider (MSSP) to assist them in securing their organization is because their IT team or MSP have assured them they have the security skills to make sure everything they’ve implemented for the company was done securely.
My favorite analogy for the problem with this comes from Eric Capuano, founder of Recon InfoSec, who explains it with a rhetorical question: “If you ask a builder if the house he built is sturdy, what will he say?”
IT and cybersecurity are conflicting fields in a sense. IT aims for usability, performance, accessibility, etc., while a security team aims to lock down systems as much as possible to prevent an attacker from gaining access. An IT team can be tasked to implement certain best practices but, at minimum, a dedicated security professional or consultant should validate configurations to ensure that the organization is as secure as possible.
If you’re running a small or medium business, it is important to start thinking about cybersecurity right now. Whether your reason for not already pursuing a strong security posture is one of the above or a completely different reason, it’s important to realize that the longer you wait to start your security program, the more risk your company faces.
If you’re a security professional trying to assist small and medium businesses, arm yourselves with the above knowledge to be able to assist SMBs by helping them overcome the common misconceptions they may believe.
About Megan Roddie
Megan Roddie is a security analyst with Recon InfoSec. With previous experience in the public sector and a current position in the private sector, she has a variety of experience in different types of environments. With a love for public speaking, she has spoken at DEFCON, BSides Dallas, SOURCEConf, and various other conferences. Megan recently graduated with a Master’s degree in Digital Forensics and holds GCIH and GCFA certifications.