Why it’s so Difficult for Small Businesses to Tackle Security — and Why it’s Crucial They Do
Busting common myths about cybersecurity for SMBs
When businesses like Target, Facebook, LinkedIn, or JPMorgan Chase suffer a cyber attack, it makes front-page news. This makes it easy to assume that large enterprises are the key characters on the battlefield where cyber good vs. cyber evil is playing out.
If you’re a small or medium-sized business (SMB), you could be forgiven for assuming your organization occupies a small enough niche or has a low enough public profile that you’re not a likely target. As a result, you may believe that what you’re doing with your limited security resources — following vendor recommendations, maintaining basic regulatory compliance — means your security posture should be “good enough.”
But these assumptions are myths, and buying into them could cost you dearly.
Myth: SMBs Aren’t a Target of Cyber Attacks
Attackers look more for weak defenses than for potential payouts. That’s why burglars target homes without alarm systems: Those homes are quicker and easier to invade.
SMBs are tempting targets because of the high value-to-effort ratio they offer hackers. A low security bar takes minimal effort to breach, but once breached, the payoff can be substantial.
Most hackers aren’t part of sophisticated operations in rogue states, meaning they typically lack the ability to go after large enterprises that have the tools and resources to defend themselves. As with home burglars, they tend to attack where it’s easiest — which often means SMBs, as many of them lack the resources and expertise for a robust and comprehensive security posture.
The numbers bear this out. In 2021, 76% of SMBs reported that they were impacted by at least one cyber attack. On top of that, small businesses (<500 employees) saw an increase in the cost per data breach from $2.35 million in 2020 to $2.98 million in 2021 — a 26.8% increase.
SMBs typically don’t have the security expertise, tools, or budget that enterprise businesses have, making them the perfect target for cyber criminals looking to attack quickly, make a quick buck, and move on. When SMBs are attacked at scale, it can be very lucrative to hackers.
Bottom line: If you’re in business, you’re a target regardless of size.
Myth: “Good Enough” Security is Enough to Protect Your Business
Apps change, people change, and new technologies introduce new vulnerabilities (hello, ChatGPT). Without a comprehensive, ever-evolving security policy, the likelihood of an attack increases with the passage of time.
More than half of the businesses surveyed by Sophos in 2021 believe that cyber attacks are now too advanced for their IT departments to manage.
Additionally, more than half of all cyber incidents in 2022 for which exploitation of a vulnerability was the root cause involved attackers taking advantage of vulnerabilities for which patches were already available. These types of exploits would have been 100% preventable if businesses had applied the relevant patches to their software.
Ransomware is a growing threat for SMBs and shows no signs of slowing down. In addition, we’ve seen a steep increase in ransomware as a service (RaaS) being used to attack SMBs. RaaS groups sell ransomware to criminals, enabling even those with low technical skills to attack businesses and hold their data hostage. This enables groups like the Hive ransomware gang to victimize more than 1,300 businesses — receiving over $100 million in ransom payments — in just a year and a half!
Fact: SMBs Need Support to Build Stronger Security
A comprehensive security posture requires minimizing vulnerabilities across many facets of your business, including people, internal processes, tools, and any IT assets exposed to the Internet. Additionally, the dynamic threat landscape makes it important to regularly review and revise your security posture based on new threats and vulnerabilities; it can’t be a one-off “set it and forget it” approach. Small business IT departments do heroic work to keep up with the ever-evolving threat landscape, but many of them lack the resources to do everything they need to.
That said, there are tools, technologies, and best practices available that can help strapped IT departments make outsized improvements to the security of their organizations.
Here are 3 cybersecurity best practices that can help prevent an attack:
1. Invest in Strengthening Your Email Security
The security of an organization’s email infrastructure is a significant determinant of overall risk. 91% of all cyber attacks start with a phishing email, and email incidents accounted for 41% of At-Bay’s customer claims in the second half of 2022.
SMBs that implement a Secure Email Gateway (SEG) — which is like a firewall for your email inbox — experience 40% fewer financial fraud claims (identity theft, credit card fraud, embezzlement) than those without one.
It’s not enough to just implement an SEG and follow best practices for strengthening the default settings on your email security. You need to be aware that not all business email and email security solutions are equally effective at preventing cyber incidents. Our data clearly shows that some are better than others.
We leveraged our in-house claims data to create an Email Security Research Report ranking the email solutions and SEGs with the highest to lowest frequencies of cyber incidents among At-Bay policyholders.
Here are the key takeaways for SMBs:
- We recommend transitioning to a cloud-based email solution as soon as possible and certainly before current in-use solutions reach end-of-life status.
- Organizations should seriously consider implementing a market-leading email security solution (Mimecast was the top performer in our research).
- For organizations looking for the best out-of-box email solution for security, Google is the top performer with 40% fewer incidents than average.
2. Add MFA to Access Points as Your First Line of Defense
Multi-factor authentication (MFA) is a security setting that requires users to provide more than one method of verification to gain access to websites or applications. It can act as a first line of defense that can block the threats before they turn into a successful attack.
A 2022 study by the Cyber Readiness Institute (CRI) found that only 54% of SMB owners claim to have implemented MFA at their companies. Of the businesses that have not implemented MFA, 47% said they either didn’t understand MFA or see its value, and 60% of owners said they haven’t discussed MFA with their employees. Considering that MFA helps prevent account compromise attacks and thwarts bad actors, it’s clear that more SMBs need to implement these tools.
Microsoft claims that MFA can block more than 99% of account compromise attacks. While some dispute that exact figure, there’s broad agreement that implementing MFA at sensitive access points is simple and highly effective at protecting against ransomware and other cyber attacks.
If you don’t enable MFA, attackers can more easily access your email service, send messages to your customers or employees asking for money to be sent to fraudulent bank accounts, access confidential information in the cloud such as payroll and payment information, and so on. Just having a username and a strong password is not good enough anymore. If you are only requiring a username and password on an internet-facing application, it’s only a matter of time before your systems are compromised.
3. Providing Staff Training Improves a Company’s Security Posture
Despite the fact that most employees have good intentions, people play a role in 82% of all security breaches according to Verizon’s 2022 Data Breach Investigations Report. Employees are regularly the target of phishing and ransomware attacks, and honest oversights in password hygiene or mistakes in credential handling happen.
Company-wide training can raise awareness of spam, phishing, malware, and other social engineering techniques so employees can better protect themselves and their employers as they go about their day-to-day jobs. Best practices include mandatory security training once a year, plus specialized training options as needed (for example, when a new and growing threat is identified).
Fact: An At-Bay Insurance Policy Can Help SMBs Strengthen Their Security Posture
The number of tools and technologies available to help improve security is daunting. No SMB can reasonably be expected to explore or even be aware of all the options out there — or to know what’s worth the investment with their limited budget. That’s the job of a security expert, and they are expensive to hire.
This is where At-Bay comes in: We’ve combined the best of insurance and cybersecurity into the world’s first InsurSec solution. We leverage our expertise in both industries, our in-house experts, and our proprietary claims data from over 30,000 policyholders, to not only help you in the event of an attack — but also enable you to maintain a strong security posture throughout your policy.
We’ve combined industry-leading insurance with world-class cybersecurity technology to create At-Bay Stance™ — end-to-end prevention and protection that makes At-Bay policyholders 5X less likely to be hit with a ransomware attack. We keep you ahead of the game by constantly identifying, aggregating, and prioritizing threats, all as part of your insurance policy.
Learn more at at-bay.com/security.