The sophistication of cyber-attacks grows every year by leaps and bounds. The sad fact is that many breaches are the result of lax or incorrectly set up security measures. This is especially true when it comes to small and mid-sized businesses (SMBs).

Small business owners often don’t prioritize security measures, as they are typically fully focused on growing the company. They may think they are too small for cybercriminals to bother with, and that they therefore face a lower data breach risk (in fact, SMBs are the most frequently targeted businesses). Perhaps they think it’s an expense they can’t afford.

The truth is: You can’t afford NOT to have strong network security measures in place. Network protection is not only a concern for large corporations; it is a critical issue for small businesses too. SMBs are the target of the vast majority of cyber-attacks, partly because there are so many more of them than huge conglomerates, and partly because attackers see them as attractive targets with more unpatched and misconfigured systems.

Over 50% of SMBs have been victims of successful cyberattacks. Over 60% of those attacked go out of business afterward.

Human error is the cause of most data breaches. But don’t let that dishearten you: it means the problem is fixable by educating your people. Improving your office cyber hygiene reduces the risk of falling victim to an attack.

Are You Making Any of These Mistakes With your Security?

It’s difficult to address a problem until you identify it, so that is your first step. Often the IT services teams at SMBs don’t even realize the mistakes they are making. Here are some of the biggest reasons small businesses fall victim to cyberattacks. Any of them sound familiar?

Not Appreciating the Threat Severity

Complacency is one of the most critical mistakes SMBs make: underestimating the threat landscape. Many business owners assume that their company is too small to be a target, or that they’re fine because they have a firewall and anti-virus (AV). Both are dangerous misconceptions.

Cybercriminals see small businesses as low hanging fruit, figuring that the company lacks both the resources and expertise to defend against attacks. It's essential to understand that no business is too small for cybercriminals to target.

On the lowest end of the ‘crook spectrum’, unsophisticated criminals hit smartphone users for a few hundred dollars. On the high end, the breaches of huge corporations make the news. SMBs occupy the middle, where roughly 80% of attacks land. Being proactive about digital security is crucial.

Lack of Security Awareness Training

This is how you correct the human error factor. When was the last time your employees went through Security Awareness Training? Small businesses often neglect this critical training for their staff. Owners assume employees will naturally be cautious online, but good intentions are not enough: people cannot recognize what they have never been shown.

Stanford University Professor Jeff Hancock and security firm Tessian (now owned by Proofpoint) did a joint study which revealed that 9 out of 10 (88%) data breach incidents are caused by employees' mistakes – like clicking on malicious attachments or links in phishing emails. These happen because employees have not been trained to recognize signs that should put them on high alert.

Security Awareness Training helps employees:

Recognize phishing attempts

Understand the importance of strong passwords and how to create them

Be aware of social engineering tactics used by cybercriminals

Weak Passwords

This is true, even though it’s patently absurd: The world’s most common password, and the easiest to crack is: ‘123456’ – for a few years running. It edges out the word ‘password’ as most foolish logon credential to use. Weak passwords are a common security vulnerability everywhere, but especially in small companies. Many employees use easily guessable passwords AND reuse the same weak password for several accounts. This leaves your company's sensitive information exposed to hackers.

Employees reuse passwords 64% of the time.

You should encourage and train your workers in the use of strong, unique passwords. Also implement multi-factor authentication (MFA) wherever possible. This adds an extra layer of security: a stolen or guessed password alone is no longer enough. An authenticator app or hardware key is stronger than SMS codes, which can be intercepted or SIM-swapped.

Ignored Software Updates

Without a doubt, your employees are your first line of defense, but security patches and updates are the second. Failing to keep software and operating systems up to date is another common mistake. Cybercriminals often exploit known vulnerabilities in outdated software to gain access to systems. Small businesses should regularly update their software to patch known security flaws.

These updates can be set to be done automatically. If you have an internal IT person/team, or if you use an outsourced Managed IT Services company like ITFIRM.COM, this is something they should have set up for you already. This includes operating systems, web browsers, and antivirus programs.

If you don’t have any form of IT support, then just check yourself into an asylum, because you must be crazy.

No Backup & Disaster Recovery Plan

It’s not uncommon for small companies to NOT have a written Backup & Disaster Recovery plan in place, but that is a huge mistake. Perhaps they incorrectly assume that data loss won't happen to them (good luck with that), but data loss can occur due to various reasons, including cyberattacks, hardware failures, or human errors.

Back up your company's critical data on a regular basis and test the backups to ensure they can be successfully restored in case of a data loss incident. Keep at least one copy offline or otherwise disconnected from the network, so ransomware cannot encrypt the backup along with the originals. A backup you have never restored is only a hope.
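The "test the backups" step is the one most often skipped, so here is what it looks like in practice. This is an added example, not code from the original post: it archives a folder, records a SHA-256 manifest of what went in, restores the archive into a scratch directory, and compares every file hash. The small `company-data` tree and the archive path are constructed for the demo; point `backup_directory()` at a real folder and a path on your backup drive to use it.

```python
"""Back up a folder to a tar archive, then prove it restores intact.

Added example, not code from the original post. Uses only the Python
standard library. The 'company-data' tree is constructed for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_directory(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source; return the manifest of what went in."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_restore(archive: Path, expected: dict) -> bool:
    """Restore the archive into a scratch directory and compare every file hash.

    Any missing, extra or altered file makes the check fail.
    """
    # The 'data' extraction filter (Python 3.12, backported to 3.8.17+) refuses
    # archive members that would write outside the target directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        return manifest(Path(scratch)) == expected


def demo() -> bool:
    """Build a constructed data tree, back it up, verify the restore, and show
    that a manifest mismatch (simulating a damaged restore) is rejected."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "company-data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3-invoices.csv").write_text("invoice,amount\n1001,250.00\n")
        (src / "clients.txt").write_text("Acme Corp\nGlobex\n")

        archive = Path(work) / "company-data.tar.gz"
        expected = backup_directory(src, archive)
        good = verify_restore(archive, expected)

        damaged = dict(expected)
        damaged["clients.txt"] = "0" * 64  # pretend the restored file differs
        return good and not verify_restore(archive, damaged)


if __name__ == "__main__":
    print("backup verified" if demo() else "BACKUP FAILED VERIFICATION")
```

Run it on a schedule after each backup and alert when `verify_restore()` returns `False`; the manifest should be stored separately from the archive so a damaged archive cannot "verify" against itself.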

No Formal Security Policies

It’s also not uncommon for small businesses to operate without clear network security policies and procedures. With no clear and enforceable security policies, employees may not know critical things: how to handle and protect sensitive data, how to use company devices securely, or how to respond to security incidents.

EVERY business needs to establish formal security policies and procedures – even if you only have 3 or 4 employees. Communicate these to all employees. These policies should cover things like:

  • Password management
  • Data handling
  • Incident reporting
  • Remote work security
  • And other security topics

Overlooking Mobile Security

Security for mobile devices is historically a weak point in a company’s protections. As more employees use mobile devices for work, mobile security is increasingly important. Small companies often overlook this aspect of cybersecurity.

Deploy a mobile device management (MDM) solution. It enforces security policies (screen lock, device encryption, remote wipe of a lost phone) on company- and employee-owned devices used for work-related activities. If we know that mobile security is an Achilles heel, you can bet your bottom dollar that the cyber crooks know it as well.

Not Regularly Monitoring Networks

SMBs usually outsource IT or have one employee who ‘knows some stuff.’ Either way, that is most likely insufficient to monitor your networks for suspicious activity, which results in delayed detection of security breaches. Anyone making this mistake is doomed to learn about threats only after they have already succeeded.

Network monitoring tools are straightforward to install, or you can outsource network monitoring to a service. Either way, someone has to review the alerts; a tool nobody watches is no better than no tool. Done right, monitoring helps your business promptly identify and respond to potential threats.
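To make "monitoring for suspicious activity" concrete, here is the kind of check a monitoring tool runs over login logs. This is an added example, not code from the original post: it parses OpenSSH-style "Failed password" lines and flags any source address with too many failures inside a sliding time window. The log lines are constructed, and the threshold and window are assumptions a real deployment would tune; the same logic applies to VPN, RDP or web-application logs once the regex is adjusted.

```python
"""Flag brute-force login attempts in authentication log lines.

Added example, not code from the original post. SAMPLE_LOG is constructed
in the style of sshd's syslog messages; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog-style line sshd writes for a failed password login.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: a fast burst from 203.0.113.45, one legitimate typo from
# 192.0.2.10 followed by success, and a slow drip (one try every 15 minutes)
# from 198.51.100.7.
SAMPLE_LOG = """\
Mar  4 09:12:01 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  4 09:12:03 fileserver sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  4 09:12:04 fileserver sshd[2215]: Failed password for root from 203.0.113.45 port 51138 ssh2
Mar  4 09:12:06 fileserver sshd[2217]: Failed password for root from 203.0.113.45 port 51144 ssh2
Mar  4 09:12:09 fileserver sshd[2219]: Failed password for jsmith from 203.0.113.45 port 51150 ssh2
Mar  4 09:15:40 fileserver sshd[2250]: Failed password for jsmith from 192.0.2.10 port 40021 ssh2
Mar  4 09:16:02 fileserver sshd[2252]: Accepted password for jsmith from 192.0.2.10 port 40021 ssh2
Mar  4 11:30:00 fileserver sshd[2400]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar  4 11:45:00 fileserver sshd[2410]: Failed password for root from 198.51.100.7 port 33002 ssh2
Mar  4 12:00:00 fileserver sshd[2420]: Failed password for root from 198.51.100.7 port 33003 ssh2
Mar  4 12:15:00 fileserver sshd[2430]: Failed password for root from 198.51.100.7 port 33004 ssh2
Mar  4 12:30:00 fileserver sshd[2440]: Failed password for root from 198.51.100.7 port 33005 ssh2
"""


def parse_timestamp(text: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_brute_force(lines, threshold: int = 5, window_minutes: int = 10) -> dict:
    """Return {ip: peak_failures} for every source IP that produced at least
    `threshold` failed logins inside any span of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            failures[m["ip"]].append(parse_timestamp(m["ts"]))

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("10-minute window:", find_brute_force(lines))
    print("2-hour window:  ", find_brute_force(lines, window_minutes=120))
```

With the default 10-minute window only the fast burst is flagged; the slow drip from 198.51.100.7 only shows up when the window is widened to two hours. That is the usual trade-off in detection: tight windows catch noisy attackers quickly, while patient "low and slow" attempts need longer windows or a lower threshold, which in turn raises false positives from users who simply mistype.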

No Incident Response Plan

An Incident Response Plan (IRP) complements the Backup & Disaster Recovery plan: the BDR plan gets your data and systems back, while the IRP governs how you detect, contain and communicate about the incident itself. Without one, SMBs facing a security incident may panic, respond ineffectively, or do exactly the wrong thing (for example, wiping a compromised machine before anyone has worked out how the attacker got in, destroying the evidence needed to stop it happening again).

SMBs need to develop a comprehensive incident response plan that outlines the steps to take when a security incident occurs. This should include communication plans, isolation procedures, and a clear chain of command.

Believing They Don’t Need Managed IT Services

Cyber threats continuously evolve and increase, and new attack techniques emerge regularly. Small businesses often have a hard time keeping up. Yet, they believe they are ‘too small’ to pay for managed IT services.

Managed IT services come in all package sizes, including those designed for SMB budgets. A Managed Services Provider (MSP) can keep your business safe from cyberattacks and save you money at the same time by optimizing your IT.

Spend the Money!

The cost of doing business has risen dramatically over the last three years, but do you know what businesses don’t have to pay those expenses?

The businesses that have folded.

Frequently Asked Questions

What is an example of a strong password?

Try copying the methodology used in creating this password:
ImMLw0&23o&i5Mc

This password is based on the phrase “I married my loving wife (or husband) on August 23 08 in Santa Monica California”, using symbols as substitutes for numbers and letters, and vice versa (such as $ for S or & for 8), and alternating between upper and lower case letters.

Running the password above through ‘Password Monster’ shows ‘time to crack password: 9 Trillion Years,’ whereas ‘123456’ takes ZERO seconds. Two caveats: crack-time estimators assume the attacker is guessing blind, so they say nothing about a password that has already leaked in a breach, and a strong password reused on several sites is only as safe as the weakest of them. Use a different one for every account.
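The "Weak Passwords" section above and this answer both come down to three checks: is the password on a list of common or breached values, is it long and varied enough, and is it reused across accounts. This added example (not code from the original post) runs those checks over a set of accounts and reports the findings per account. The account list, the tiny common-password list and the policy numbers are constructed for the demo; a real audit would compare against a large breached-password list such as Have I Been Pwned's "Pwned Passwords" data and would work from hashes rather than a plaintext file.

```python
"""Audit account passwords for common values, weak construction and reuse.

Added example, not code from the original post. SAMPLE_ACCOUNTS,
COMMON_PASSWORDS and the policy numbers are constructed for the demo.
"""
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 12     # policy assumption for this demo
MIN_CLASSES = 3     # of: lowercase, uppercase, digits, punctuation

# Constructed stand-in for a breached-password list. It is stored hashed so
# the checker only ever compares fingerprints, never plaintext.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "Welcome1", "letmein"}


def fingerprint(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


COMMON_FINGERPRINTS = {fingerprint(p) for p in COMMON_PASSWORDS}


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def weaknesses(pw: str) -> list:
    """Problems with a single password, independent of any other account."""
    problems = []
    if fingerprint(pw) in COMMON_FINGERPRINTS:
        problems.append("in common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def audit(accounts: dict) -> dict:
    """accounts maps (user, service) -> password. Returns only the accounts
    with findings, each with its list of problems, including reuse."""
    report = {key: weaknesses(pw) for key, pw in accounts.items()}
    by_fingerprint = defaultdict(list)
    for key, pw in accounts.items():
        by_fingerprint[fingerprint(pw)].append(key)
    for keys in by_fingerprint.values():
        if len(keys) > 1:
            for key in keys:
                report[key].append(f"reused across {len(keys)} accounts")
    return {key: found for key, found in report.items() if found}


# Constructed sample accounts (never keep a file like this for real).
SAMPLE_ACCOUNTS = {
    ("jsmith", "email"): "123456",
    ("jsmith", "crm"):   "Summer2023!",
    ("jsmith", "vpn"):   "Summer2023!",
    ("alee", "email"):   "ImMLw0&23o&i5Mc",   # the phrase-derived password above
    ("alee", "crm"):     "acmecrm2019",
}

if __name__ == "__main__":
    for account, found in audit(SAMPLE_ACCOUNTS).items():
        print(account, "->", "; ".join(found))
```

The phrase-derived password from the answer above passes every check, while the reused `Summer2023!` is flagged on both accounts even though it would look fine in isolation. The character-class rule is a crude heuristic; length and uniqueness matter more, and a password manager makes both easy.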

How do I manage too many passwords?

Juggling dozens of passwords is a pain, so consider using a Password Manager. Every time you enter a password for the first time, it will prompt you to ask whether you want it saved (say yes). Then, when you return to that login page, it will offer to fill it in for you. This way, you can enjoy complex, unique passwords, and you only need to remember ONE: the master password for the Password Manager. Protect that one with MFA.

Wired’s online ‘Best Password Managers’ list can give you some ideas.

How do you create a backup and disaster recovery plan?

Work with a qualified IT person or a firm that provides comprehensive Managed Services to set these up with your input. If you are a one-person operation who wants to do this on your own, download the Cyber Essentials Starter Kit provided free by the federal Cybersecurity and Infrastructure Security Agency (CISA). The simplest way to back up your data is most likely an external hard drive that is ONLY connected to the computer while the backups are performed. If a virus or ransomware infects your computer, it will find its way to your external hard drive if the drive is connected, and you will lose the backup along with the originals.

How does automated patching work?

Patch automation tools perform regular scans of an environment, or of specific groups of devices, to identify which are missing patches. They then download the missing patches from the individual vendors, such as Adobe, Apple, Microsoft (Windows) or Oracle (Java), and install them on a schedule. Good practice is to roll a patch out to a small test group first and then to everyone else, and to confirm that devices actually reboot, since many patches are not in effect until they do.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFIRM.COM offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Planning an Office Move?

Contact ITFIRM.COM today! We have the experience to ensure a seamless transition. After the office move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!

For more information on office moves, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:

704-565-9705