There's an old joke about a documentary team filming wildlife in the African savannah. They're tracking some wildebeest moving through the long grass when suddenly, one cameraman spots a lion in the distance charging towards them, and breaks into a sprint. His colleague calmly bends down and tightens the laces on his running shoes, as the cameraman shouts over his shoulder, 'What are you doing? You'll never outrun a lion in those!'
His colleague replies, 'I don't have to outrun the lion; I just have to outrun you.'
Cybersecurity is a lot like that. Many small businesses labour under the misapprehension that they're too small for hackers to bother pursuing, and because they're not commanding vast turnovers or troves of secret information, security isn't something that they need to be overly concerned with - but this is not the case.
It’s not just large organizations being targeted
Cybercriminals aren't always looking for the biggest payout possible. In fact, in many cases, they're looking for the easiest, and while infiltrating one large enterprise to steal a million dollars all at once might take a year or more, hacking 200 undefended small businesses to steal $5,000 from each one has the same result with much less time and effort.
According to the latest edition of Verizon’s annual Data Breach Investigation Report, 46% of data breaches affected SMBs with fewer than 1,000 employees, with more than 90% of incidents being financially motivated. In practice, that means that smaller organisations are, to all intents and purposes, as likely to be targeted by cybercriminals as larger enterprises.
Another point that often gets overlooked by smaller businesses in terms of security is that attacks are often about more than one specific organisation. So-called supply chain attacks - where hackers use information or access gleaned from breaching one company in order to attack another - are a growing threat. Even if an SMB isn’t an attractive target in itself, it may be that its proximity to a juicier prize puts it on the radar of potential threat actors, and poor security puts not just you at risk, but your clients and partners as well.
With all this being said, the discussion of security using terms like ‘hacker’ and ‘threat actor’ can conjure up certain images, often involving sinister figures in hoodies and ski masks. However, this idea can be misleading; not all cybercrime is carried out by nefarious Russian teenagers, and in fact, according to Verizon’s research, 44% of threats come from inside the company.
Improving your security posture can be easier than you think
These misconceptions about cyber security can lead smaller organisations to take a somewhat relaxed attitude to their protection policies, but the good news is that there are a number of basic security hygiene practices that SMBs can put in place to help safeguard their assets, employees and partners. Adopting these simple policy changes can make companies harder to target, reducing the risk of opportunistic attacks.
The first and often most endemic problem that can be addressed is password security. The explosion of digital services in recent years has left all of us with a huge number of passwords to remember, and in order to keep track of all of them, many people resort to either basing their passwords around easily guessable patterns (like 123456), or simply re-using the same credentials across all their accounts.
This creates numerous potential problems; if the same password is used across multiple services, all of those services then become vulnerable when one account gets breached. The best way to combat this is by rolling out a password management platform to staff members. These services store a vast number of credentials, effectively remembering them on staff’s behalf, which means that they only need to memorise one password in order to access all their other logins.
This allows workers to protect all of their accounts with unique, complex passwords without having to worry about how they’re going to remember each one, and because they only need to remember a single password, it can be made significantly more complicated, reducing the likelihood of attackers guessing it.
Most password managers also include additional security features, such as the ability to instantly generate randomised secure passwords, or the ability to automatically change passwords you suspect may have been compromised. Finally, in order to prevent users’ master password from becoming a single point of failure, password managers layer on additional security options including multi-factor authentication.
Giving users access to password management software - and showing them how to use it - encourages them to adopt good password habits across the web, and reduces the risk of your business being compromised by basic attacks like credential stuffing, brute-force or dictionary attacks.
Patch now or regret not doing so later
Another way to protect against basic attacks is to ensure that operating systems, applications and device firmware are kept patched and up to date. This can be a tedious and time-consuming task, but known, unpatched security vulnerabilities are one of the easiest ways for attackers to break into your network, so it’s worth taking the time to apply software fixes as quickly as possible after release.
This can be made easier by upgrading to Windows 11 Pro, which includes a range of built-in management tools to allow businesses to deploy patches quickly and seamlessly. It also comes with improved hardware security, encryption and malware protection capabilities, although it’s also worth looking at rolling out a third-party endpoint security solution across your devices to add more layers of protection.
Building security into your business
Security is a complicated area, and it can be tempting to dismiss it as something that only larger organisations need to worry about, but not even the smallest organisations are immune from being breached by hackers. Building security into your workflows and decision-making processes may take a little time, but as your business grows, you'll be able to outpace your competitors - and stay one step ahead of the lions.