Small and mid-sized enterprises (SMEs) are increasingly at risk of cyber-attacks, and often serve as a launch pad for larger threat campaigns, according to Cisco’s 2018 SMB Cybersecurity Report.
SMEs act as easy targets for malicious cyber agents because they tend to have less sophisticated security infrastructure and fewer trained cybersecurity workers on staff to manage and respond to threats.
The following are security challenges faced by small and medium-sized businesses.
Insiders are the Most Common Culprits
Humans remain the biggest and most common cybersecurity threat to businesses of all sizes. There are many cases of employees who abuse their privileged access, undermining the company's security controls in the process and causing significant losses.
According to a 2016 survey conducted by Ponemon Institute, 22% of businesses blamed cyberattacks on insiders. Moreover, the same survey also revealed that 56% of businesses reported that the attacks were either by new hires or employees leaving the company.
However, it is worth noting that not every cyberattack is the work of an employee with malicious intent. According to a report by Vormetric, 59% of businesses say that cyberattacks were most often a direct result of simple human error.
To mitigate this security challenge, businesses must educate their employees on the basics of cybersecurity and include cybersecurity policies in the onboarding process of every new employee. Security awareness should be ongoing and evolving.
The Cloud Is not a Safe Haven from Security Flaws
The flexibility and scalability that the cloud offers makes this technology more compelling to small and mid-size businesses. Business owners can focus on core competences while outsourcing IT and business enabling capabilities to cloud and IT security service providers. However, huge concerns still exist for SMEs when it comes to the security challenge associated with the cloud technology. Although cloud technology is getting more secure, new vulnerabilities and loose ends make it a security concern worth paying attention to.
IoT Opens Excessive Entry Points
The Internet of Things (IoT) is undeniably the future of technology. Indeed, it has added convenience to our hectic schedules. However, it has also opened new doors for cyberattacks. It is imperative for employers to now ensure that all IoT devices are set up correctly and no room for a network breach is left.
Phishing and Spear Phishing
Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cybercrime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses.
Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services.
Therefore, to reduce the risk posed by phishing and ransomware, SMEs must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data: because ransomware locks files permanently (unless the business is willing to pay the ransom), backups are a crucial safeguard for recovering from an attack.
Lack of Cybersecurity Knowledge
Cybersecurity strategies, policies and technologies are entirely worthless if employees lack cybersecurity awareness. Without any kind of drive to ensure employees possess an elementary level of cyber security knowledge, any measure or policy implemented will be undermined.
Many employees do not know how (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords and identify phishing attempts. Then provide support to ensure employees have the resources they need to stay secure. Ultimately, a basic level of knowledge and awareness could mean the difference between being hacked and avoiding the risk altogether.
Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline.
Should a small business rely on a website or other online service to function, any outage caused by a DDoS attack will be catastrophic. Studies show that most DDoS attacks last between 6-24 hours and cost an estimated $25,000 per hour, according to data from Incapsula, a DDoS prevention firm.
Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack.
Malware is a blanket term used to describe any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans.
Businesses should invest in solid anti-virus technology or endpoint protection. Additionally, operating systems, firewalls and firmware must be hardened and updated with vendor-provided patches regularly and promptly, and the anti-virus software mentioned above must be kept up to date.
Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals, and the business enabling tool will then become the end of the business.
SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages.
It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should treat all user-submitted data as untrusted, remove database functionality that is not needed, and consider using a web application firewall.
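As an added example (not code from the original article), the login-form scenario described above in Python with SQLite: the vulnerable query splices the form field straight into SQL text, while the hardened version binds it as a parameter and first checks the username against an allow-list, treating all submitted data as untrusted. The function names, the in-memory table and the sample credentials are constructed for illustration.

```python
import re
import sqlite3

# Constructed in-memory user table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password_hash):
    # Form input is pasted into the SQL text, so a quote in a field changes
    # the query's structure instead of being compared as a value.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone()[0] > 0

# Allow-list for usernames: letters, digits, dot, underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._]{3,32}$")

def login_safe(conn, username, password_hash):
    # Reject anything that does not look like a username before it reaches
    # the database at all (assume all user-submitted data is malicious).
    if not USERNAME_RE.match(username):
        return False
    # Parameterised query: the driver binds the values separately from the
    # SQL text, so the input is only ever compared as data, never parsed.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed sample of a quote-breaking input
    print("vulnerable:", login_vulnerable(db, "alice", crafted))  # True
    print("safe:      ", login_safe(db, "alice", crafted))        # False
```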
Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company.
This threat is readily mitigated by a comprehensive BYOD policy which educates employees on device expectations and allows companies to better monitor the email and documents being downloaded to company-owned devices.
To mitigate cyber risks, small and medium businesses must develop a strategy to improve their cybersecurity posture. This must include appropriate cybersecurity training for end users, insurance policies that cover the loss of business stemming from an attack, and the creation of business continuity and crisis communication plans to aid recovery and prevent reputational damage.