While cybersecurity has often not been a priority for smaller businesses, threat actors are focusing more heavily on small to medium businesses (SMBs). As a result, SMBs are increasingly being impacted by cyber attacks or, even worse, becoming a weak link in the supply chains of larger enterprises.
Cyber attacks on small business
The increasing use of digital technology by businesses of all sizes has seen SMBs digitizing their businesses at a rapid rate. Unfortunately, at the same time, this is leading to a massive increase in cyber attacks against small businesses. According to Verizon’s Data Breach Investigations Report, 61% of SMBs were the target of a cyber attack during 2021 and 2022. Accenture’s Cybercrime Study indicated that nearly 43% of cyber attacks are on small businesses, and only 14% of small businesses are prepared to face a cyber attack. These statistics give an indication of the level of importance which cybersecurity should have for SMBs.
At the same time, the costs of breaches against SMBs are proving to be considerable. According to IBM’s 2023 Cost of Data Breach report, breaches cost organizations with under 500 employees an average of $3.31 million. For many businesses of this size that kind of cost would be crippling, and would result in them going out of business.
SMBs are underprepared
While the volume of attacks and the scale of their impact on SMBs are significant, SMBs are overwhelmingly underprepared to deal with cyber attacks.
According to Digital Ocean, 38% of small businesses have no staff who are even dedicated to security as part of their role. For many SMBs, this is a cost consideration. Regardless of this constraint, the fact that so many smaller businesses have no resourcing dedicated to security illustrates just how underprepared many are to deal with the challenges of securing their IT infrastructure and systems.
Only 8% of small businesses actually have a dedicated budget allocated for cybersecurity, while an astonishing 47% of businesses with 50 or fewer employees have no funding allocated for cybersecurity whatsoever. Incredibly, in the face of these alarming facts, according to CNBC and SurveyMonkey, 64% of small business owners do not seem to perceive a major issue, and are confident that they can address a cyber attack. The reality, however, is far more sobering: 60% of small companies are likely to go out of business within 6 months of a breach.
Why SMB security represents a risk
It is easy to underplay the role which smaller businesses play in the broader economy and in the operations of large enterprises. The reality is that many small businesses play important roles in the supply chains of large enterprises. As a result, an attack against an SMB which is a supplier to a large enterprise can result in significant disruption.
This kind of risk is nothing new. A breach which occurred at Target in 2013 was instigated via an initial intrusion at a subcontractor that supplied refrigeration, heating and air conditioning systems to Target. The attackers managed to break into Target’s network using credentials that were stolen from the subcontractor.
More recently, in February 2022, Toyota had to suspend 28 production lines across 14 of its plants in Japan as a result of a breach at a supplier, Kojima Industries. Kojima is a supplier of plastic parts and electronic components to Toyota. Toyota’s decision to halt production was made as a precautionary measure given that many of Toyota’s 400 tier 1 suppliers are connected directly to its production control systems. At the time of the attack, Toyota warned that production would be reduced by 13,000 units as a result.
The flow-on effects of breaches upstream in the supply chains of larger enterprises are resulting in larger companies paying much more attention to third-party supplier risk. This scrutiny will result in SMBs needing to focus on cybersecurity in order to maintain their business relationships with large customers. Failing to do so may put those relationships at risk.
There are actions that SMBs can take
The costs of security products and systems are often a concern to SMBs. While large enterprises are able to invest significant amounts of money into cybersecurity, there are steps that SMBs can take without breaking the bank.
The National Cybersecurity Alliance provides some good advice on where to start. We’ve taken their advice to help to build a list of steps that SMBs can take to start improving their security while keeping costs under control:
- Develop a set of policies: Having policies is an important starting point. They create a framework and make it possible to set goals for steps to take in improving cybersecurity posture.
- Train employees: Regardless of any technology and tools, people remain the weakest link. Companies need to show their staff what to do, what to avoid and what to look out for. Training is also essential for staff to be able to use available security tools correctly.
- Require strong passwords: Brute force attacks against weak passwords represent an ever-present threat. Enforce a minimum length as well as rules for complexity. Most applications and systems now have the ability to enforce rules for minimum password complexity.
- Enable Multi-Factor Authentication: The theft of credentials proves that passwords on their own are not enough. Many systems now support the use of authenticator apps or at least the use of codes sent via SMS to provide a second layer of authentication and to guard against password theft.
- Use a password manager: Small businesses can’t afford the higher prices that application providers often charge to enable single sign-on. This leads to the proliferation or reuse of passwords. While not perfect, a cost-effective solution is to encourage staff to use a password manager app, allowing them to use unique and complex passwords for every site or application, while not needing to remember those passwords.
- Patching: Make sure that you apply the latest security patches to operating systems and applications as soon as possible when they become available.
- Secure your data: Know where your data is located and ensure that files and systems are encrypted and regularly backed up.
While the steps we’ve taken you through here can all be accomplished without significant expense, SMBs do still need to invest in security technology, such as firewalls to protect their networks and endpoint security to protect notebooks and desktop computers. Even with a modest investment in security technologies, small businesses will still find that they are faced with the challenge of how to know when they are under attack and how to manage security alerts without being overwhelmed. This is where XDR can help by detecting the activity of even stealthy threat actors and providing an easy-to-use interface which brings all of your security alerts into a single pane of glass. XDR has also been designed with the goal of being cost-effective. The monthly cost can be as little as the price of a cup of coffee per endpoint!
To find out more, register for a free 30 day trial of Samurai XDR.