Cybersecurity for Small Businesses: Statistics
Cybersecurity for small businesses is not a popular topic. With mostly large enterprises making the headlines for suffering devastating cyber-attacks, small businesses can be forgiven for thinking that they are safe. However, this is far from the truth. Small companies are on the receiving end of a large number of cyber-attacks – they just don’t get the same attention. The following cybersecurity statistics for small businesses from various industry reports provide evidence of this.
The 2019 Data Breach Investigations Report by Verizon found that small business victims made up 43% of data breaches, while the 2022 Verizon Data Breach Report found that 61% of small and midsize businesses (SMBs) experienced a cyber-attack in the last year. The results can be devastating too. IBM’s Cost of a Data Breach 2022 Report found that data breaches cost SMBs an average of nearly $3 million per incident. According to the United States Securities and Exchange Commission (SEC), about 60% of SMEs go out of business within six months of a data breach or cyber-attack. Cisco reports that 40% of small businesses that fell victim to cyber-attacks experienced 8+ hours of downtime.
These figures should have small business owners pretty worried. But you may be left wondering why small businesses are getting targeted. What’s in it for the attackers? To answer this question, let’s analyze some of the cybersecurity threats faced by small businesses.
Cybersecurity for Small Businesses: The Threats
To understand the cybersecurity threats small businesses face, we first have to understand the concepts of targeted and untargeted cyber-attacks.
Targeted vs. Untargeted Cyber Attacks Against Small Businesses
Targeted cyber-attacks are attacks in which specific individuals, organizations, and industries are targeted. Attackers typically research their targets before attacks and may develop customized strategies and tools to carry out the attack. Targeted cyber-attacks are more successful and damaging than untargeted attacks and can result in large-scale data breaches, ransomware attacks, and sabotage through DDoS attacks.
There are various reasons why small companies are targeted. The most obvious reason is that they are easy targets. Small companies may not have the finances and know-how to run basic security operations. Even so, what is there to gain? Well, a lot. While small businesses may not possess the same financial clout as large enterprises, carrying out a ransomware attack to extort a few thousand dollars may be enough to satisfy the objectives of amateur hackers. Some tech startups may possess innovative and valuable intellectual property, which can be stolen and sold for a handsome profit. Established cybercrime organizations also attack small businesses that have access to a larger organization’s network as a supplier or partner. Since access from the small company is often trusted, attackers gain a much easier route into the target organization compared to attacking it directly.
Untargeted cyber-attacks are attacks in which no specific individual, organization, or industry is targeted. Instead, victims get infected with malware planted on the internet (such as websites and infected software) or malware distributed indiscriminately to many people (such as phishing emails). Malware infections can cause different types of damage. For example, some malware exfiltrates data to the bad actor that planted it. Keyloggers record keystrokes to steal login credentials. Spyware monitors user activity.
Malware infections are less destructive than targeted cyber-attacks and may be confined to the infected endpoint as they may not be followed up with an attack. Even so, malware infections also present a considerable risk to small companies. A 2022 study involving 2,031 small businesses in the US conducted by Intuit found that malware was the most prevalent cyber threat at 18%.
Now that you have an idea of the cybersecurity threats small businesses face, let’s go through 10 cybersecurity best practices that can help you mitigate these threats and protect your business.
Cybersecurity for Small Businesses: 10 Best Practices
1. Install Next-Generation Endpoint Security
Endpoint security is the fancy word for a category of security tools that include the more familiar antivirus software. These security tools are installed on endpoints like PCs, laptops, and mobile devices and are designed to prevent, detect, and respond to malware infections and cyber-attacks.
Worryingly, a 2021 study of over 3,000 small and mid-size businesses in the US and UK found that 23% didn’t use endpoint security, while 32% relied only on free solutions. Since most malware infections and cyber-attacks occur and begin on endpoint devices, inadequate or non-existent endpoint security can leave small businesses at risk of compromise.
However, small businesses shouldn’t just deploy any old endpoint security solution. Free and consumer antivirus and antimalware products can only detect known malware using signature-based detection. When you consider that over 450,000 pieces of new malware and malware variants are created daily, signature-based detection doesn’t cut it in today’s threat landscape. Small businesses should invest in an endpoint detection and response (EDR) product – the next generation of endpoint security solutions. Apart from being able to detect malware based on known signatures, EDR is also capable of detecting threats through behavior-based detection. Behavior-based detection works by identifying irregular and suspicious behavior that deviates from the regular activity of the endpoint. This is effective for detecting the newest malware and sophisticated cyber-attacks.
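The difference between the two detection approaches can be shown on a handful of process-launch events. This is an added illustration, not code from the original article or from any Sangfor product; the event fields, file names and file contents are constructed, and the "behavior" model is reduced to a per-host baseline of parent/child process pairs.

```python
import hashlib
from collections import defaultdict

def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed stand-ins for file contents; the variant differs by one byte.
KNOWN_SAMPLE = b"constructed-malware-sample-A"
NEW_VARIANT = b"constructed-malware-sample-B"
SIGNATURES = {sha256_of(KNOWN_SAMPLE)}  # all a signature database knows

# Constructed history of normal activity: (host, parent process, child process).
HISTORY = [
    ("pc-01", "explorer.exe", "winword.exe"),
    ("pc-01", "explorer.exe", "chrome.exe"),
    ("pc-01", "winword.exe", "splwow64.exe"),
]

# Constructed events to classify: (host, parent, child, file contents).
EVENTS = [
    ("pc-01", "explorer.exe", "chrome.exe", b"constructed-browser"),
    ("pc-01", "winword.exe", "update.exe", KNOWN_SAMPLE),
    ("pc-01", "winword.exe", "viewer.exe", NEW_VARIANT),
    ("pc-01", "explorer.exe", "teams.exe", b"constructed-chat-app"),
]

def build_baseline(history):
    """Record which parent/child pairs are normal for each host."""
    baseline = defaultdict(set)
    for host, parent, child in history:
        baseline[host].add((parent, child))
    return baseline

def classify(events, signatures, baseline):
    """Evaluate each event with both detection methods."""
    results = []
    for host, parent, child, content in events:
        results.append({
            "child": child,
            # Signature-based: exact match against known-bad file hashes.
            "signature_hit": sha256_of(content) in signatures,
            # Behavior-based: a launch pattern never seen on this host.
            "behavior_hit": (parent, child) not in baseline.get(host, set()),
        })
    return results

def run_demo():
    return classify(EVENTS, SIGNATURES, build_baseline(HISTORY))

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The one-byte variant slips past the hash lookup but is still flagged because a word processor launching an unfamiliar program deviates from the baseline. The newly installed chat application is flagged too, which is why behavior-based alerts need triage rather than automatic blocking.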
Sangfor Endpoint Secure is our world-leading endpoint security solution that uses advanced technologies like artificial intelligence and machine learning to detect the most sophisticated of threats. Visit the Endpoint Secure product page to discover its advantages or its outstanding performance in performance testing against ransomware and unknown malware.
2. Practice Unified Firewall Management
A firewall is the most basic security tool businesses need to deploy. A firewall controls what traffic is allowed to enter and exit a private network, like a security guard who controls what people and items can enter and leave a building. A firewall does this by monitoring and filtering traffic against pre-defined rules. Any traffic that violates these rules is blocked. For example, incoming traffic from an IP address that is deemed malicious (possible malware intrusion) or outgoing traffic to an unknown destination (possible data exfiltration or command and control). Firewalls can also be configured to block access to certain types of websites that lower employee productivity.
Most PC operating systems come with a built-in software firewall, such as the Windows Firewall, which may be most small companies' default choice. This is all well and good, but how are the firewalls being managed? For a firewall to be effective, rules must be frequently updated in response to new threats and must be consistent across the users and devices to which they apply. Without a unified management platform, IT administrators would need to configure each firewall individually to achieve this. This is extremely inefficient and not recommended in actual practice. To ensure that firewall rules are consistent across users/devices in a more convenient way, IT administrators can set up a domain environment to centralize the operations and maintenance of firewalls.
However, it must be noted that software firewalls have limited security capabilities, are at risk of being subverted in cyber-attacks, and can drain system resources. While they may satisfy the needs of some small businesses, they may not be enough for others. Small companies should consider investing in an enterprise-grade hardware firewall for enhanced firewall protection. Read our enterprise firewall buyer’s guide for SMBs to decide whether an enterprise firewall is what your company needs.
3. Make Use of Managed Detection and Response Services
It’s good for small companies to know how to improve their cybersecurity posture, but they may not have the resources to implement the required measures. This is understandable as small companies operate on tight budgets that don’t leave much room for expensive security tools or hiring dedicated cybersecurity staff. In fact, companies that wish to employ dedicated cybersecurity staff may have difficulty doing so because of the global talent shortage.
For small companies that wish to enhance their cybersecurity operations but suffer from the above constraints, managed detection and response (MDR) services may well be the answer.
MDR is a security service in which a company hires a cybersecurity company to manage its security operations. MDR services are delivered remotely over the internet and can be rendered using the MDR service provider’s security technology. The MDR service provider will usually have a 24/7 security operations center (SOC) from which security operators continuously monitor the customer’s environment for threats. When threats and suspicious activity are detected, the security operators will respond to the threat or assist the customer with the response. With MDR, small businesses can enjoy fully fledged security operations without forking out on expensive security equipment and going through the trouble of hiring and retaining dedicated cybersecurity staff.
To learn more about MDR services, check out the following article about MDR from our experts or visit the main webpage of our Cyber Guardian MDR service.
4. Keep All Software Up to Date
Updating software isn’t just about getting the latest features; more importantly, it applies patches to any known vulnerabilities. Software vulnerabilities, more commonly known as bugs, are flaws in software programs that attackers can exploit to gain access. In fact, software vulnerabilities are one of the main entry points to systems and networks. Vulnerabilities also make the software more susceptible to malware infection. For example, internet browsers containing vulnerabilities may allow malware to automatically download onto the PC from a malware-infected website without user interaction.
Vulnerabilities are often discovered in much of the software used by almost any business. For example, Windows, macOS, and Linux operating systems, web browsers such as Google Chrome and Mozilla Firefox, and Oracle’s MySQL were found to have some of the most vulnerabilities in 2022. Software vendors regularly release new software updates to patch their vulnerabilities, but updates are only effective when applied. IT administrators must ensure that all software on all devices used by the company is updated promptly. This can be a real challenge in environments with many PCs and even more software products. Luckily, there are security tools like Sangfor Endpoint Secure that provide centralized detection and patching of operating system vulnerabilities.
For those who wish to learn more about vulnerabilities, the following article thoroughly explains how to understand the exploitability and impact of vulnerabilities, how you can keep track of the latest vulnerabilities, and why this is important.
5. Arrange Company-Wide Phishing Awareness Training
You’ve most likely heard of phishing emails. These fraudulent emails are made to look like they come from well-known companies, such as Microsoft, Google, LinkedIn, and PayPal. The subject and content of these emails are crafted in a way that attempts to manipulate recipients into clicking on a link, opening an attachment, and disclosing sensitive information such as login credentials and credit card numbers. Long story short, these could lead to malware infection and the start of a cyber-attack.
Email scams have been around for a long time but remain surprisingly potent. Targeted phishing attacks, known as spear-phishing, have been reported to be the most used tactic for network intrusion in cyber-attacks. Unfortunately, security mechanisms cannot prevent all phishing emails from landing in inboxes. This leaves protection against phishing attacks in the hands of email recipients – not the most reassuring thought when you wonder how keen an eye your employees have for spotting a phishing email. Therefore, providing employees with phishing awareness training is vital to mitigate the risk. Simulated phishing attacks are also beneficial for verifying the effectiveness of the training. This must be a company-wide effort, as the company’s defense against phishing is only as strong as its weakest link – it only takes one person to slip up to drag the whole company down.
Small businesses that don’t have the resources and expertise to arrange phishing awareness training and simulations may wish to hire a professional cybersecurity company like Sangfor. Feel free to contact us to find out about the cybersecurity awareness training we can provide for your business.
6. Back Up Critical Data to Mitigate Ransomware Attacks
Ransomware is a destructive type of malware that encrypts files and renders them inaccessible. Attackers then demand a ransom payment from victims for a unique decryption key to recover their data. Victims that refuse to pay most likely end up losing their data. Either way, companies can suffer substantial financial loss and business impact from ransomware attacks.
An effective countermeasure against ransomware attacks is regularly backing up your systems, especially those housing critical data and applications vital to business continuity. By backing up, you can get your business back up and running without kneeling to the attacker’s demands.
There are various options companies can choose to back up their systems. Local backup stores backup files on an on-premises storage device. Remote backup, otherwise known as cloud backup, stores backup files in storage facilities provided by a cloud service provider. Cloud backups enjoy the benefit of being secured professionally by the cloud service provider. By contrast, some sophisticated attackers may look for and wipe local backup files to prevent businesses from being able to restore their operations without paying a ransom. Cloud storage is also scalable on-demand to meet additional backup requirements.
Small businesses that cannot afford any business downtime can also make use of Sangfor’s Disaster Recovery Management (DRM) solution. With Sangfor DRM, customers can replicate their critical systems to an external data center (DR site) in real time. In the event of a system failure due to a cyber-attack or natural disaster that results in massive data loss or damage, systems will automatically failover to the DR site to ensure business continuity. All historical data and all new data since the failover can be recovered to the main site once systems have been repaired. Visit the Sangfor DRM product page to learn more.
7. Keep Track of All IT Assets
Knowing what IT assets, be it hardware or software, are used in your company’s IT environment is crucial to maintaining a solid security posture. If you think about it, it’s impossible to protect something if you don’t know it exists, right? For example, suppose the IT administrator isn’t aware of a laptop connected to the company’s network. In that case, they cannot ensure that the laptop has the required security software installed, apply the necessary firewall rules, or make sure its operating system and software are up to date. The problem of unaccounted assets is likely more pronounced in small companies due to a bring-your-own-device policy that allows employees to use their personal computers for work. There’s unlikely to be a policy that requires employees to report any new IT equipment they connect to the network, including IoT devices such as printers.
Without adequate protection, these unknown devices, known as shadow assets, are more vulnerable to compromise and put the entire network at risk. To mitigate the risk of shadow assets, conduct an asset identification exercise to compile a complete asset inventory. Categorize the assets and secure them according to their needs. Establish a mechanism that requires employees to report any new devices they connect to the company’s network. Granted, keeping track of all assets is cumbersome work for companies with hundreds of devices. This process can be aided by security tools such as Sangfor’s Cyber Command. Cyber Command is equipped to monitor the entire network to identify and categorize all connected devices, be they PCs, laptops, servers, mobile devices, or IoT devices, to give IT administrators complete asset visibility.
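A small company without a monitoring product can still run the asset identification exercise by comparing what the network actually sees against the inventory. The sketch below is an added example, not part of the original article or of Cyber Command; the inventory CSV, the observed device records (as might be exported from a DHCP server or switch) and all addresses are constructed.

```python
import csv
import io
import re

# Constructed asset inventory: what IT believes is on the network.
INVENTORY_CSV = """mac,owner,category
AA:BB:CC:00:00:01,front-desk,pc
aa-bb-cc-00-00-02,accounts,laptop
AABB.CC00.0003,office,printer
"""

# Constructed observations of devices currently on the network.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "192.168.1.10", "hostname": "FRONTDESK-PC"},
    {"mac": "AA-BB-CC-00-00-03", "ip": "192.168.1.40", "hostname": "printer"},
    {"mac": "de:ad:be:ef:00:99", "ip": "192.168.1.77", "hostname": "johns-laptop"},
    {"mac": "not-a-mac", "ip": "192.168.1.78", "hostname": "?"},
]

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed.

    Tools write MACs with colons, dashes or dots, so a plain string
    comparison would report registered devices as unknown.
    """
    compact = re.sub(r"[:\-.]", "", raw.strip()).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by normalized MAC."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            raise ValueError(f"bad MAC in inventory: {row['mac']!r}")
        inventory[mac] = row
    return inventory

def reconcile(inventory, observed):
    """Split observations into shadow assets, unseen assets and bad records."""
    seen, shadow, malformed = set(), [], []
    for record in observed:
        mac = normalize_mac(record["mac"])
        if mac is None:
            malformed.append(record)   # cannot be matched; review by hand
        elif mac in inventory:
            seen.add(mac)
        else:
            shadow.append(record)      # on the network but not in the inventory
    not_seen = sorted(set(inventory) - seen)  # registered but absent
    return {"shadow": shadow, "not_seen": not_seen, "malformed": malformed}

def run_demo():
    return reconcile(load_inventory(INVENTORY_CSV), OBSERVED)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Devices that use randomized MAC addresses can appear as unknown even when they are registered, so treat a shadow hit as a prompt to investigate rather than as proof of a rogue device.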
8. Enable Two-Factor Authentication
Weak access control is one of the main enablers of cyber-attacks. To a hacker, an account with a weak password is like a house with a simple lock. Hackers can easily break into the account using a brute force attack, where a list of common passwords is attempted using hacking tools. Other times, passwords are stolen using fake login sites that record the user’s login credentials. After gaining access to user accounts using valid credentials, attackers have free rein to carry out their operations. For example, a hacked email account of a high-ranking company official can be used to direct employees to transfer funds or reveal sensitive data. A compromised Active Directory account allows attackers to distribute their malware to all network devices.
Setting strong passwords helps, but relying on employees to set stronger passwords is futile, as there will always be those who set easy-to-remember passwords and the same passwords for all their accounts for the sake of convenience. Even then, hackers can still steal stronger passwords using various means. This is why enabling two-factor authentication (2FA) is the best practice for securing access to accounts. 2FA works by requiring users to provide two different factors for authentication. One factor is something they know, i.e., their username and password. The other factor is something they have, such as a one-time passcode received on their mobile phone. This ensures that attackers are kept out of accounts even if they manage to crack the password. 2FA is available for many accounts used in daily business operations and enabling it whenever possible is highly recommended.
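The article does not say how the one-time passcode is produced; this added example (not from the original article) assumes the time-based scheme from RFC 6238 that authenticator apps use, and shows a login check that requires both factors. The account record, password and salt are constructed, and the secret is the published RFC 6238 test secret rather than a real key.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # published RFC 6238 test secret, not a real key

def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now, step=30, digits=6):
    """Time-based code: HOTP over the number of 30-second steps since epoch."""
    return hotp(secret, int(now) // step, digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account():
    """Constructed account record as a server might store it."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password("correct horse", salt),
            "totp_secret": RFC_SECRET, "last_counter": -1}

def match_counter(account, code, now, step=30, window=1):
    """Return the time step the code belongs to, or None if it is invalid."""
    current = int(now) // step
    # Accept one step either side to tolerate clock drift on the phone.
    for counter in range(current - window, current + window + 1):
        if counter <= account["last_counter"]:
            continue                              # already used: reject replay
        expected = hotp(account["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            return counter
    return None

def login(account, password, code, now):
    """Succeed only when the password AND the one-time code are both valid."""
    password_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    counter = match_counter(account, code, now)
    if not password_ok or counter is None:
        return False
    account["last_counter"] = counter             # burn the code after use
    return True

if __name__ == "__main__":
    acct = make_account()
    print(login(acct, "correct horse", "000000", 59))          # stolen password only
    print(login(acct, "correct horse", totp(RFC_SECRET, 59), 59))
```

A stolen or cracked password on its own fails the check, and a code that has already been accepted is refused if it is submitted again.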
The following article provides a deeper explanation of two-factor authentication and a comparison to help users understand how it differs from two-step authentication.
9. Don’t Use Cracked Software
Genuine software licenses and subscriptions can be very expensive, and small companies may find themselves using cracked or pirated software in their environment. This might be due to a top-down policy to save costs or individual employees who resort to using cracked software because they believe the company would not pay for the genuine software. However, not only is cracked software illegal, but it also poses a hidden threat to its users. A large portion of cracked software is embedded with malware, and anyone using it risks infecting their devices.
Top management needs to understand the security risks of using cracked software so that there isn’t a top-down policy of using it to save costs. Recognize that a successful malware infection or a cyber-attack could lead to costs far greater than software license and subscription fees. Additionally, establish a system for employees to request software license purchases and subscriptions so they don’t simply assume that the company would not pay for them.
10. Block or Regulate the Use of USB Drives
While the availability of cloud storage has meant that companies are relying less and less on USB drives to move their work files between devices, they still pose a threat to businesses. This is especially the case for small companies that haven’t subscribed to cloud office suites like Office 365 and Google Docs.
You may think that personal USB drives are safe, but a USB drive can also get infected with malware if the computer it’s inserted into is infected. Then there’s the problem of USB drives that come from unknown sources. In early 2022, the FBI reported that malware-laced USB drives in mail packages purporting to come from the Department of Health and Human Services and Amazon were sent to companies in the US. Unsuspecting employees who insert malicious USB drives like these into a network computer would put the company at serious risk if the mechanisms to block the USB from connecting weren’t in place. In fact, some of the world’s most infamous cyber-attacks started from infected USB drives, including the Stuxnet attack on Iran’s nuclear facilities and the ransomware attack on TSMC, one of the world’s leading chip makers.
This is why it’s recommended that small companies prohibit USB drives on all network devices or disable the auto-run setting so that a malware scan can be run on the USB drive before it’s permitted access. Both can be enforced using Microsoft’s Active Directory Group Policy.
Sangfor is Here to Help
Good on you for making it this far. This shows that you are serious about improving the cybersecurity of your company. So now let’s follow up that vision with action. At Sangfor, we totally understand that cybersecurity can feel like rocket science and that it would be easier to just close this page and carry on like it’s business as usual. That’s why Sangfor is here to help should you require any assistance in implementing some of the best practices mentioned above or any other cybersecurity and IT-related matters.