Small- and medium-sized businesses (SMBs) are increasingly at risk from cybersecurity threats as hackers become more aware of their vulnerabilities and the potential worth of the data they possess.

The evidence is in the numbers: A 2022 research found that 76% of SMBs had experienced at least one cyberattack in 2021, up from 55% who reported the same in 2020. System intrusion, social engineering, and privilege abuse account for 98% of breaches impacting small organisations, according to the 2022 Verizon DBIR. Additionally, 93% of the data exposed in SMB attacks consisted of credentials. According to a CNBC poll of 2,000 small company owners, 61% of SMBs with 50 or more workers are scared they may be the target of a cyberattack within the next year.

To combat the risks of today, SMBs must update and reconsider their security plans. These firms frequently lack the contemporary security technology, expertise, and resources required to protect against sophisticated attacks, as well as a specialised cybersecurity staff. Due to the sensitive and important data that SMBs possess—including employee and customer information, intellectual property, financial transaction data, and access to the business’s finances and wider networks—this is an increasing worry.

Legacy Tech Is No Match for Modern Attackers

Many small companies may have installed only antivirus software and this is not sufficient to thwart human-engineered threats like social attacks, in which a target is persuaded to comply with the attacker’s demands, or identity-based attacks, in which hackers use account and identity information that has been stolen to access systems and resources while posing as authorized users.

According to the Falcon OverWatch Threat Hunting Report for 2022, 71% of breaches were malware-free, highlighting the prevalence of these more subtle attacks and cybercriminals’ growing preference for techniques that evade antivirus protection. With legitimate employee credentials or exploits for unpatched vulnerabilities, attackers can move throughout your organization to compromise additional systems, exfiltrate data, launch a ransomware attack, or take other nefarious actions once they have a foothold in your environment.

Some of the following effective measures can add strength to your Cybersecurity strategy:

• Enforce Multifactor Authentication (MFA): MFA offers an additional layer of security so you can be certain it’s an employee, not an attacker, accessing systems and resources as identification becomes a crucial component of cyberattacks.
• Keep up with software patches: When an attacker takes advantage of an unpatched vulnerability, data breaches frequently begin. This attack vector can only be stopped if the software is kept up to date.
• Perform regular backups of critical data: You’ll be grateful that you either backed up your data on-premises or in the cloud if a breach affects your small business. It’s important to note that if an attacker manages to access your systems, they could encrypt backups, thus building a solid backup strategy is essential.
• Implement a security awareness training program: In 98% of the reported incidents, data breaches are caused by phishing attempts, sticking with the theme of well-intentioned personnel (Verizon DBIR). Employees must be able to identify phishing emails and know what to do with them since anti-phishing systems can only catch so many phishing attacks. Phishing attacks may be avoided if employees and the organization both received security awareness training that taught them how to spot the tell-tale symptoms of phishing emails.
• Implement a program for third-party vendor risk management: Many businesses collaborate with outside suppliers and service providers, and in certain circumstances, these suppliers want access to the IT and corporate infrastructure. As in many high-profile breaches, the service provider was the victim of the breach, which led to their partners experiencing the same fate. Implement a third-party risk management strategy that requires all service providers, new and old, to demonstrate that they have internal security policies and controls in place before being given access to a corporate system.
• Implement and enforce policies to combat insider threat: In order to tackle the human aspect of cybersecurity, policies and procedures are crucial. If there are no policies in place to direct them, employees frequently do not comprehend what they can and cannot do with a company’s papers, hardware, and system access. An insider threat doesn’t always include a malicious individual trying to steal firm information; it can also take the form of a well-intentioned employee sharing a document with a partner in an unsafe manner, leaving the information open to unauthorized access.

In the event of a catastrophe, SMBs can take a critical step by redesigning their security strategy and upgrading their defenses now so they are better prepared to deal with a cyberattack.