Do’s and Don’ts of SMB Cybersecurity

It's no secret that the COVID-19 pandemic has severely impacted small and medium-sized businesses (SMBs). While dealing with decreased foot traffic, more effective local regulations, and growing expenses, cybersecurity has undoubtedly become a lesser priority for SMBs struggling to get back on their feet. In the midst of all this, cyberattacks have increased significantly throughout the pandemic. 

With more remote work and businesses letting their guard down, hackers have targeted them with domain spoofing and spam-based attacks. Knowing the hit SMBs have taken and the possibility of cybersecurity cuts, malicious actors have leveraged the pandemic as an opportunity to pounce. 

Recent data shows that nearly 50 percent of SMBs have fallen victim to ransomware attacks, and approximately three-quarters of those have had to pay up.

With limited financial resources and overburdened IT teams, likely, an SMB may not recover if it were to be hit by a costly cyberattack. To protect against all possibilities, these businesses must understand the dos and don'ts of implementing a robust cyber resilience strategy.

Do's and Don'ts of implementing a cyber resilience strategy:


Don't: Assume All Threats Are Malicious or From Outside the Organization

Threats aren't always from outside the business. The biggest threat to an organization often comes from within its walls. While occasionally there are the threats of rogue, disgruntled employees looking to seek revenge, approximately 90 percent of insider threats come simply from non-tech-savvy employees. Cyber incidents are often the result of employees not having the appropriate training or know-how to catch a potential attack. Without the ability to identify malicious activity, it's much more likely they will accidentally click on dangerous attachments or links, forward a damaging email, or respond to an impersonation attack. The result of such a distraction can be far-reaching and potentially take down an entire organization's systems.


Don't: Make Assumptions About What You Have and What You Know 

Many small business owners don't have a cybersecurity background. As a result, they may be unaware that the security solutions they implement aren't equipped to handle their business needs. This can be detrimental, leaving their business riddled with holes open to malicious activity.

Leadership might also hold the incorrect assumption that training will break their tight budget. What they may not realize, though, is that a small investment in virtual training programs, such as video modules and phishing simulations, is far cheaper than it would be to pay a ransom or revive lost data. Investing now can help SMBs save later.


Don't: Wait to Invest in Cybersecurity

SMBs have a lot on the line in 2021. Coming out of 2020's economic hardships will be expensive and time-consuming, but cybersecurity should not be an added burden. Instead, it should be a helpful addition to their business strategy. Investing in cyber resilience practices like employee training and SMB audits are long-term investments that need to be made for the organization's future success.



Do: Couple External and Internal Analyses

SMBs should consider bringing external experts to analyze their IT infrastructure regularly. This will ensure that they have an unbiased opinion of their needs and the strongest protection possible. Coupled with this, SMBs should regularly conduct internal security audits to understand better where hidden back doors exist across their organization. For instance, given that employees are likely working remotely, SMBs should take the time to review their network infrastructure to ensure all connected devices meet security standards with regular software updates in place. With an internal and external check, businesses can better understand their pain points and focus their cybersecurity spend where it's needed.


Do: Provide Awareness Training for Employees

With insider threats accounting for the most significant majority of cyberattacks, SMBs need to get to the root of the problem, human behavior. Inspiring change begins with raising awareness. To do this effectively, SMBs must first reflect on their business as a whole. This means identifying every "weak point" and addressing every potential impact the company could suffer if those weak points were targeted. For instance, many SMBs operate across supply chains, which include various virtual and physical touchpoints. Because of this, if one section of the supply chain were to get hit by a cyberattack, the entire system could come crumbling down. By gathering and sharing this information inconsistent organization-wide training sessions that inform and entertain, SMBs can empower their staff with deeper threat awareness and help improve their security posture.

Michael Markulec

technology executive, cyber-security guru, politician, rugby player, deadhead, brewer, former army officer, crossfitter, and hard-drinking calypso poet.