Small to medium businesses (SMBs) made tough choices this past year to keep their business running. Staff scattered to work from home—unexpectedly—and SMBs had to quickly enable them with tools and support to stay connected. Many small companies were forced to sacrifice cybersecurity best practices in favor of business productivity, increasing their risk of attack.
43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture’s Cost of Cybercrime Study.
For many SMBs, a cyberattack—especially one that results in stolen data and loss of customer trust—can spell the end. Data breaches often result in reputation damage, legal damages, and financial loss. The total cost of a single data breach for an SMB is approximately $150k. Unfortunately, many SMBs lack cyber insurance and savings that could help them absorb that cost.
If you’re a small business owner or leader, you need to know: What steps can small businesses take to reduce their cyber risk? How can small businesses prioritize cyber strategies to match limited budgets and resources? And, what requirements do small businesses need to consider when selecting cybersecurity tools?
SMB cyber risk mirrors enterprise in many ways
Cyber threats for organizations with under 1,000 employees are starting to mirror enterprises, according to the 2021 Verizon Data Breach Investigations Report. Among the latest findings:
- Both SMBs and enterprises are facing the continued rise of social attacks, such as phishing—the #1 attack vector.
- Both SMBs and enterprises are being targeted by financially motivated organized crime actors and are increasingly victims of ransomware. In fact, almost half (46%) of SMBs have been targeted by ransomware, and nearly 75% of victims have paid a ransom to gain back data and restore control of their systems.
- Both SMBs and enterprises are moving to the cloud and using a variety of web-based applications – often chosen by individual staff or business functions vs. a central IT team—that may not follow security best practices for authentication and permissions.
Cyber issues of particular concern for SMB
While small businesses share the same risk as enterprises, they also have special concerns.
SMBs have fewer cybersecurity professionals and tools for protection. In our most recent research of global CISOs, we found that smaller organizations are least likely to have implemented protection such as multi-factor authentication (MFA) and virtual private networks (VPNs), and the least likely to have received training in the last year compared to larger organizations. These factors increase the risk of cyberattacks.
Every employee has an even greater responsibility to adopt safe cyber habits
Because a small business may not have a department or any staff solely focused on cybersecurity, every employee has an even greater responsibility to adopt safe cyber habits. Therefore, everyone must be trained to recognize flags of phishing attacks and malware and know how to manage their passwords and credentials securely. Cybersecurity tools must be easy for non-technical team members to use as part of their everyday workflow, or they won’t be adopted.
Companies that have a solid incident response plan can reduce the costs of a security incident by almost 50%. The Delinea research shows SMBs have a smaller percentage of employees who, unfortunately, say they know what to do when a security incident occurs. That’s one of the reasons that discovery and incident response take longer for SMBs than for enterprises, increasing the long-term cost and risk of an attack.
SMBs use a stable of partners and vendors to support a small workforce, so it’s particularly critical for SMBs to protect third-party privileged access. They must make sure remote access is removed and passwords are rotated when projects end or roles change.
Which cybersecurity tools are the best fit for SMBs?
SMBs often ask: Where do I find the cybersecurity tools that fit a limited budget and small team? Which investments should I make when I can’t afford everything an enterprise can?
SMBs are very good at prioritizing to survive. With a small budget and few, if any, dedicated security personnel, you need tools that give you the biggest bang for the buck.
Over 80% of cyberattacks involve privileged credentials
Privilege management (aka password management) is one of the most important things you can do to protect your small business from cyberattacks. It’s the top priority for CISOs regardless of organization size or revenue. That’s because over 80% of cyberattacks involve privileged credentials. If you manage passwords and credentials properly, even if your IT environment is breached, cybercriminals won’t be able to do much damage because they won’t have the keys to the kingdom.
The problem with adopting consumer-based password management tools
SMBs are more likely to consider using consumer-based tools for password management. These tools are designed for individual consumers to keep track of passwords and are typically siloed mobile applications people manage on their own.
The model simply delegates the problem to your employees
For businesses—even small businesses—this model doesn’t reduce the risk of poor password management. It simply delegates the problem to your employees. It puts the onus on them to learn and remember to use the tool. When workforce productivity is a prime concern, choosing consumer password tools can backfire. Consumer-oriented password tools actually take more time and add more work to the people you’re trying to keep productive.
Imagine your employees need to get from A to B fast. Rather than calling them an Uber (or buying them a self-driving vehicle) you simply give them a car. But they still need to learn how to drive, remember to keep it gassed up, etc. (You get where I’m going…)
Which password management tools are best for SMBs?
A unified approach with Privileged Access Management (PAM) is more secure and efficient than disconnected personal password managers.
PAM solutions automatically create and rotate passwords, ensuring that when passwords are changed, all dependencies—systems that are connected to those passwords—can still authenticate and connect.
Organizations use PAM software to control who can use a privileged account or access sensitive information with the ability to adjust permissions and change or delete critical data. They treat the privileged account as the object that is being protected, restricting password disclosure and sharing, while providing time-limited access to critical systems. Once a password is no longer required it’s rotated or expired so employees or third parties can’t continue to access sensitive information with old passwords.
PAM solutions offer session recording capabilities to enable forensics and generate compliance reports that satisfy auditor requirements.
What are the Six Key Differences Between Password Management Tools and PAM?
You can also try PAM out for yourself with a free, 30-day trial of Delinea Secret Server.
Free cybersecurity tools for SMBs
Beyond the technology requirements, SMBs are also working hard to improve the skills of employees and create new cybersecurity policies and operational processes. Delinea has a number of free resources to save you time. We hope they’re helpful as you learn more about cyber strategies for SMBs.
Privileged Account Management for Dummies. This free, 24-page book gives you, your IT staff, and business stakeholders a practical understanding of privileged account management and its security implications.
Privileged Access Management Policy Template. This template contains over 40 pre-written policy statements to get you started. The policies are based on compliance requirements outlined by CIS, NIST, PCI, and HIPAA related to best-practice management of privileged accounts.
Free Security Incident Response Plan Template. The template contains a checklist of roles, responsibilities, and details for actionable steps to measure the extent of a cybersecurity incident and contain it before it damages critical systems. You can easily customize the template to match your incident response policies, regulatory requirements, and organizational structure.
