If you thought that running an SMB put you at lower risk of IT threats than larger enterprise-level businesses, think again. In fact, it is estimated that 43 percent of all data breaches affect SMBs — perhaps in part because surveys find that not only are the majority of SMB owners not concerned about their risk, but only 28 percent have a response plan for cyber attacks.
This is especially concerning in light of FBI data that reveals cyberattack losses reached nearly $7 billion in 2021 — with small businesses suffering the majority of those losses.
As Stephen Kurtz, president of Total IT, a Dallas-based IT consulting and managed services firm explains, this level of complacency can be dangerous. “SMBs are an attractive target for hackers, in large part because they are far less likely to have strong security measures in place. There are many ways that malicious individuals can access this information, and then make off with a significant payday. Depending on the severity of the breach, this can be devastating for your business.”
With that in mind, few things are more important for business owners than understanding the biggest threats they face, and how to deal with them.
1. Phishing Attacks
Research from Cisco indicates that roughly 90 percent of data breaches can be linked to phishing attacks. Phishing attacks typically involve receiving an email from someone pretending to be a legitimate contact. The email may request sensitive information, have the user click on a fraudulent link or even request a payment from the individual who received it.
These emails can be surprisingly sophisticated, aiming to fool both employees and SMB owners into giving up confidential information, or even accidentally providing access to their accounts.
“One of the most important things you can do is keep these emails from ever reaching your inbox in the first place,” says Kurtz. “Email security gateways and cloud security providers can help put a stop to these emails. When someone reports a phishing email, system admins can block that email and delete messages from that email to all users on the network. Your safest bet is to ensure that no one ever has the opportunity to click on these emails.”
Kurtz also suggests providing phishing/email security training: “User education may seem remedial, but training does work, and allows companies to keep their users in the know about the latest trends in phishing and other security issues.”
Your own business should have clear standards in place for its own emails — be they the signatures and imagery used, or the type of information that is discussed or requested. This makes it easier for employees and customers to recognize when someone is trying to imitate your own communications.
2. Ransomware
Ransomware is another major IT threat that sees hackers encrypt company data so that an SMB can no longer use or access it. To unlock or release its data, the company is forced to pay a ransom to the hackers. IBM estimates the average cost of a ransomware attack to be $4.54 million. And that’s just from downtime, recovery costs and PR needs — it doesn’t include the ransom payment itself.
Ransomware attacks leave SMBs in a Catch-22 scenario. Those who pay the ransom but fail to implement stronger security right away could easily find themselves targeted again. On the other hand, those who don’t pay could be without services for a significant period of time.
Kurtz advises that SMBs make use of a few key tools to protect against ransomware. “First, all devices at your business should use endpoint detection. This makes it easier to detect and stop ransomware attacks by examining each file that enters the network to block unsafe files. Second, SMBs should use cloud backups. This way, even if a successful attack occurred, they can quickly resume operations without paying a ransom.”
3. Insider Threats
As valuable as an SMB’s employees may be, they can also represent a major IT threat. This can be the result of both intentional and accidental actions — though quite often, they share many of the same root causes.
“Two of the biggest issues stem from employees having access to information they shouldn’t, as well as just poor knowledge of basic IT security practices in general,” Kurtz explains. “Business leaders have the responsibility of ensuring that each team member only has access to the data they need to do their job. Other basic steps, like having strong password standards and requiring multi-factor authentication to access work-related accounts, can reduce the risk of an employee’s account serving as the source of a breach.”
As part of this, business owners should regularly conduct cybersecurity training — for themselves as well as their employees. Understanding what a phishing email or malware attack looks like can help team members respond appropriately so they don’t accidentally trigger a breach.
Business owners should also be mindful of potential bad actors who would deliberately sabotage their information. A recently fired employee or a supplier that just had their contract terminated should have access revoked immediately to ensure that greed or malice don’t result in an intentional breach.
Keep Your Business Safe
“Ultimately, mitigating IT threats to your SMB primarily comes down to two things: having the right protections in place for your networks and software, and ensuring that your people understand and follow cybersecurity best practices,” Kurtz says. “You can’t control everything, but by performing some basic due diligence and working with trusted partners to secure your system, you can greatly reduce your risk.”
Mitigating IT threats doesn’t require disconnecting from the internet entirely. Rather, it ensures that businesses will use tech resources appropriately and safely so they can better serve their customers without compromising confidential data.