Some believe hackers are aggressively targeting these smaller firms because they believe SMBs lack adequate resources and enterprise-grade security tools, making them easier prey than larger businesses.
A new report from Cisco, however, challenges this assumption. SMBs have made significant strides enhancing their security protocols and are closing the gap with their bigger counterparts. The report notes 87 percent of SMB business owners rank security a top priority, and more than 99 percent have a dedicated resource focusing on security.
SMBs are also becoming more diligent about defining metrics to assess their security effectiveness and implementing security controls and tools at rates similar to large enterprises.
No doubt, the emergence of security solutions developed specifically for SMBs is supporting this trend. Security tech providers are now offering affordable tools that cover multiple attack vectors, making it easier and more cost-effective for SMBs to improve their defenses.
Reason Cybersecurity, for example, includes real-time protection capabilities alongside its anti-virus, anti-ransomware, and anti-malware functionalities. It also protects unauthorized applications from accessing communications peripherals like webcams and microphones, often used by hackers to spy on team members and steal sensitive information remotely.
The increased focus on security and better implementation of cybersecurity solutions among SMBs are certainly positive developments. With enterprise-style protection now available to literally any size organization, the threat can be dramatically minimized for any size organization.
Yet even with improved technology to reduce threats, the human factor is still a significant concern; one single misstep by an employee can cause a breach that leads to a major security incident. To achieve a truly effective security posture, SMBs must put systems in place to minimize human error that can turn an unintentional mistake into a security disaster.
The Psychology of Human Error
The reality is this: Humans make mistakes. A Tessian study found that 88 percent of data breaches can be linked to human error. That doesn't necessarily mean that humans are the "weak link" in your organization's security, but it is important to understand how and why they make these all-too-human errors. As Tessian points out, employees have psychological reactions to stimuli and judgment that make them likely to commit errors and be susceptible to manipulation.
Hackers use social engineering attacks like phishing to take advantage of these human tendencies, cleverly manipulating users into giving up sensitive information or downloading and running malware onto their work devices.
Hackers carefully disguise these phishing emails to circumvent security measures like spam filters, with requests for sensitive data or access often appearing to come from a trusted colleague. Because we have little resistance to following our colleagues' requests, it's quite possible for a normally security-savvy team member to click on a malicious link or send sensitive information.
Those seemingly innocent clicks make ransomware a growing threat, too; take the recent cyberattack that successfully disrupted Garmin Connect, flyGarmin, and Garmin Pilot, resulting in days-long outages. Garmin reportedly paid the multimillion-dollar ransom to restore functionality across their network of users.
Massive attacks like these are the ones that get media mileage, yet SMBs are not immune. Almost half (46 percent) of SMBs have been targeted by ransomware, and nearly three out of four victims have paid a ransom to restore control of their systems.
Addressing the Issue
Clearly, there's a critical need to adopt technical solutions that protect vulnerable areas where humans interact with possible risks.
For example, installing security solutions on each workstation – especially now with so much of the world's business being done remotely – can protect against attacks that could occur over the course of a typical workday.
Moreover, the human element must be taken into account when assessing any security strategy. Staff education and training are crucial. Team members must know how to use the organization's tech resources securely and properly.
At the same time, they must be able to recognize social engineering attacks or dubious networks and devices. Continuous real-time training can help develop this security-first mindset.
Just as SMBs can now access enterprise-strength security solutions, they can also take advantage of security apps and services that minimize human input into certain tasks. For example, many businesses still process card payments manually and store the information insecurely, leaving them exposed to data breaches.
A simple solution is to use a trusted third-party payment processor that allows customers to securely pay for orders and invoices without requiring human staff to access and handle customer financial data.
Businesses should also look for ways to maximize the capabilities of their existing security solutions. Reason for Business, for instance, provides developer tools that allow users to integrate their security solution across the organization's other apps.
Through its SDK and cloud API, businesses can integrate protection features into their own applications that filter spam, suspicious URLs, and potential attacks across the board. Their real-time alerts and notifications make it easy to keep IT teams informed and communicate quickly when security concerns arise.
Committing to Improvement
Cyberattacks are part of today's business landscape; it's a threat as real as fire, theft, or any other possible loss. Regardless of their size, businesses are more focused than ever on making cybersecurity a priority for their organizations. This improvement in mindset – especially among SMBs -- is noteworthy. The availability of affordable tech solutions should enable more SMBs to secure their infrastructure.
Beyond these measures, SMBs must be more vigilant about managing the human element of security. Simple human error continues to present a very real risk.
Training, automation, and using solutions that cover previous security blind spots will help develop that critical security-first mindset.
