Small and medium-sized businesses (SMBs) are targeted by cyberattackers as much as large companies, the 2023 Verizon Data Breach Investigations Report (DBIR) has revealed; here are some cybersecurity controls they should prioritize.
Company size does not matter to cyber attackers
SMBs often underestimate their appeal as a potential target. They assume they are “little fish” not worth the attackers’ effort and that their data holds little value. But that’s not true: their systems store sensitive information, including employee and customer data and financial information.
What’s more, they are often used to access systems at larger organizations (partners, customers or suppliers) – and as a recent Proofpoint study has shown, cybercriminals frequently target SMBs (especially through regional MSPs) as a means to breach larger agencies and organizations in the public and private sectors.
Unfortunately, SMBs typically allocate only a small fraction of their budget to strengthening their cybersecurity defenses, and are often ill-equipped to effectively combat cyber threats.
One critical factor exacerbating SMBs’ vulnerability is the shortage of dedicated security personnel; bigger organizations can offer bigger salaries to cybersecurity professionals and smaller companies can’t compete on that front.
With limited staff and expertise, SMBs face an uphill battle in defending themselves against sophisticated cyberattacks.
How can SMBs up their cybersecurity game?
But not all hope is lost.
First and foremost, the notion that cybersecurity is solely the responsibility of the IT department must be dispelled; every individual within an organization plays a vital role in minimizing the risk of cyber incidents.
The Verizon 2023 DBIR outlines three essential cybersecurity controls that will help SMBs with limited IT and cybersecurity expertise thwart general, non-targeted attacks:
- Security awareness and skills training – Make sure employees have the skills and knowledge to minimize general cybersecurity risks.
- Data recovery – Create data recovery practices that can restore business assets to their original, trusted state in case of attack.
- Access control management – Create processes for creating, assigning, managing and revoking access credentials and privileges for user, administrator and service accounts for enterprise assets and software.
Once essential cyber hygiene has been achieved with those controls, and once a company moves closer to the larger end of the SMB scale and has more resources available, it’s time to add further security controls:
- Incident response management – Establish and sustain an incident response program for prompt attack response.
- Application software security – Identify and address vulnerabilities in internally developed, hosted, or acquired software to prevent potential harm to the company.
- Penetration testing – Test the efficacy and resilience of enterprise assets and implemented controls by simulating attackers’ actions.
“Now that you’ve already looked at the Controls and prioritized them, you know what you’re most likely to be hit with and you’re working your way through to the end—your ducks are almost all in a row. You have balanced preventive and detective capabilities and are on your way to being able to not only detect when something bad has happened but also respond quickly and appropriately. You have moved from the basics of putting your plan together to implementing a road map,” Verizon’s analysts pointed out.
“A few final things to consider at this point: Are you looking at aligning with a particular compliance framework? Do you track metrics around security in your environment? Do your efforts result in ongoing improvements to your security posture, or do they just provide a point-in-time snapshot that says, ‘I was good at this moment, but then things changed’? There is quite a bit you can do when you use good information about what is happening in your organization to steer your security strategy.”