Just Because You’re Small, Doesn’t Mean You’re Safe – Why SMBs are lucrative targets for cyber adversaries


By: Lisa Plaggemier, interim director, NCA, National Cybersecurity Alliance

There is a common misconception that small businesses aren’t targeted by cybercriminals. They surmise, “I don’t have anything of value compared to a big business.” While cyberthreats are often associated with billion-dollar organizations, small and medium-sized businesses (SMBs) are at equal risk, and usually, at an even greater disadvantage.

Consider the Colonial Pipeline incident. Despite having less than 1,000 employees, the cyberattack on the company caused large-scale panic across the U.S. and disrupted operations for days. The Oldsmar Water Treatment plant in Florida also employed only a dozen people when an adversary attempted to alter chemical levels in the water. Had a team member not caught the disturbance, people’s health and safety would have been at risk.

One slip on a phishing email, one weak password, one orphaned account or a misconfigured privilege could wreak havoc — even for an SMB.

Common Cyberthreats Facing SMBs

SMBs need to keep their guard up because the reality is that every business is a potential target for cybercriminals. According to Forbes, the cyberthreats that SMBs most commonly face are “ransomware, misconfigurations and unpatched systems, credential stuffing and social engineering.”

Ransomware, simply put, means cybercriminals lock your data and hold it captive for a ransom payment. Imagine you open your laptop and your screen goes dark, only to find out that a criminal has encrypted and/or stolen your data and is threatening to leak your personal information if you don’t pay. From a business perspective, not only does this put your business’s data at risk of exposure, it also causes business disruption and lost revenue for the time it takes to address the incident, not to mention the agonizing decision of whether to pay. Paying the ransom is no guarantee that the criminals will release your data back to you, and paying only perpetuates the problem. The best prevention is to back up your data so that you can recover quickly.

Misconfigurations are also an easy target for attackers because they are easy to detect from the outside. The most common misconfiguration is an unpatched system, and cybercriminals can take advantage of those known security weaknesses to gain access to systems and data.

Another common cyberthreat is credential stuffing, in which an attacker uses stolen credentials to gain access to systems, employing bots to automate and scale the process. It’s a tactic that relies on the fact that users frequently reuse passwords across multiple systems and accounts. That bad habit makes it easier for cybercriminals to successfully access accounts that are not protected by multi-factor authentication.

Lastly, social engineering is a common cyberthreat that SMBs can fall victim to, and it is usually employed to directly target individuals based on their role or access to systems, data and money. This happens when a person unknowingly releases confidential information, frequently obtained by an email phishing attack. Individuals are tricked into giving up their credentials, downloading malware or transferring funds.

Best Practices

There are a few simple best practices to follow, but the most important thing to do is to do something. Doing nothing, hoping for the best or assuming you won’t be a target are all risky business. Doing the below simple things will go a long way in making your business more secure:

  • Make a habit of properly configuring security settings for new accounts. Every time you sign up for something new, create an account for an app or set up a new device, it is crucial that you configure your privacy and security settings. Routinely delete old apps and accounts that you no longer use. Attackers can exploit default login credentials on any device that is connected to the internet, so managing your company’s privacy and security settings is a key factor in protecting against cyberattacks.

  • Most data breaches start with a phishing email. Phishing messages can be delivered via text, phone or email. The messages often come from illegitimate email addresses and often have a sense of urgency. Phishing can entice you to click on a link or open an attachment that installs malware on your device. Before clicking on links or opening attachments, it’s a good idea to check with the sender to make sure they are legitimate.

  • Multi-factor authentication is a must, not only on your financial accounts, but also on social media accounts and email. It helps keep your accounts secure by requiring a second proof of identity, such as a code sent to your cell phone, in addition to the password.

  • Have a company policy that employees must use long, complex and unique passwords. Because it’s nearly impossible to remember them all, use a password manager for your business. When you are duplicating passwords or using common passwords, you are falling right into the hacker’s trap.

  • Software updates close newly discovered (including ‘zero-day’) security flaws once a fix is released, so it is very important to keep your software up to date in order to reduce the risk of infection from ransomware and malware.

The size of your company does not indicate your level of risk of cyber attack. The first step is to take action to protect your business. Implementing some simple cybersecurity best practices will make it difficult for criminals to victimize your company. And incidentally, many of these best practices are free or low cost. Basic cybersecurity doesn’t have to be expensive for your business, but doing nothing and dealing with a security incident can be very expensive.

Taking place on the second Tuesday of April, Identity Management Day is an annual event designed to help spread awareness about the importance of managing and securing digital identities. For organizations – both large and small – who want to build better cybersecurity defenses, it’s the ideal time to focus on making life much harder for today’s sophisticated cyber adversaries.
