Cybersecurity threats are on the rise worldwide, with research from Check Point showing a 42% increase in weekly cyberattacks during the first half of 2022. The number one threat is ransomware—and small and medium businesses (SMBs) are not immune. Indeed, with many fast-tracking their digital transformations during COVID, SMBs may be even more vulnerable than larger companies.
Under lockdown, most SMBs worked fast to enable customers to buy and get service from digital channels and to allow people to work from home. The speed of the implementations meant that security was an afterthought. That was understandable at the height of the COVID crisis, but this approach is no longer good enough. The pace of digital transformation is only picking up as most businesses carry out more and more online transactions and interactions.
For most SMBs, the barriers to better cybersecurity are cost and complexity. Given that the average SMB runs a small IT department—if it even has a dedicated IT team—it will not have access to specialist security skills. Plus, the cost of high-end security solutions such as security information and event management (SIEM), and of top-notch outsourced security services, is prohibitive for a mid-sized business.
The good news is that there are steps SMBs can take to lock down security that will not cost them a fortune. A good place to start is to find a reseller or another trusted partner to work with the company in the early phases of new technology and transformation programmes. Such a partner will be able to help the SMB identify existing chinks in its security armour as well as provide an affordable and sustainable roadmap for cybersecurity.
Zero trust for SMBs
In our experience, tightening security can be easier and more affordable than SMBs imagine. Take the concept of zero trust security, which operates on the idea that no one user, device, service, or program is inherently trustworthy. It sounds complicated and intimidating, but the basics are relatively easy for any company that runs Microsoft Active Directory to implement. Start with an audit of who has access to which systems.
From here, the IT team can lock down permissions so that each user only has privileged access to the systems, data and areas of the network they need to do their job. For example, the HR team does not need access to the financial systems used by the credit control team, while the credit department should not have a view of personnel and payroll data. This approach means that an attacker who breaches one department will not get automatic access to all IT resources.
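The audit-and-restrict step described above, as an added example that is not part of the original article: it reads a constructed export of Active Directory group memberships, resolves nested groups, and flags users who can reach a resource group without belonging to a department allowed to use it. The CSV layout, the group names and the POLICY mapping are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export: one row per direct membership (member, type, group).
SAMPLE_EXPORT = """member,member_type,group
alice,user,HR-Staff
bob,user,Credit-Control
carol,user,HR-Staff
carol,user,Finance-Systems-RW
HR-Staff,group,Payroll-Data-RO
Credit-Control,group,Finance-Systems-RW
Credit-Control,group,All-Reports
All-Reports,group,Payroll-Data-RO
"""

# Hypothetical policy: resource group -> department groups allowed to reach it.
POLICY = {
    "Finance-Systems-RW": {"Credit-Control"},
    "Payroll-Data-RO": {"HR-Staff"},
}

def load_memberships(text):
    """Return (user -> direct groups, group -> groups it is nested in)."""
    user_groups, parents = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        target = user_groups if row["member_type"] == "user" else parents
        target.setdefault(row["member"], set()).add(row["group"])
    return user_groups, parents

def effective_groups(start, parents):
    """All groups reachable through nesting; the seen set makes cycles safe."""
    seen, stack = set(), list(start)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(parents.get(group, ()))
    return seen

def audit(text, policy):
    """List (user, resource, 'direct'|'nested') for access outside policy."""
    user_groups, parents = load_memberships(text)
    findings = []
    for user, direct in sorted(user_groups.items()):
        reach = effective_groups(direct, parents)
        for resource, allowed in sorted(policy.items()):
            if resource in reach and not (reach & allowed):
                kind = "direct" if resource in direct else "nested"
                findings.append((user, resource, kind))
    return findings
```

On the sample data, `audit(SAMPLE_EXPORT, POLICY)` reports an HR user added directly to the finance group and a credit-control user who inherits payroll access through a nested reporting group, the kind of grant a review of direct memberships alone would miss.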
Another simple step that many SMBs neglect is to use multi-factor authentication. Simply getting each user to authenticate themselves with a password or PIN code received by text message or from an authenticator app would be enough to stop an attacker who got hold of login details. All too many attackers succeed through techniques such as phishing and social engineering. As such, end-user education and a clear security policy are low-cost and essential protection measures.
"When SMBs take a more proactive and strategic approach to cybersecurity, it will actually save them money in the long run. They will be able to build and deploy digital systems that are secure from the outset. Not only will this safeguard them from breaches that can cost them money and hurt their reputations—it also gives them a solid foundation on top of which they can transform their businesses."