SMB Cybersecurity Still Lacking Due to Misperception About Attacks
Many SMBs still think cybercriminals will target larger organizations instead of them.
A new SMB cybersecurity survey shows many SMBs still believe larger companies are more vulnerable to cyberattacks.
Software developer Devolutions polled 182 SMBs from a variety of industries, including IT, health care, education and finance for its SMB cybersecurity survey.
Revenue from global cybercrime is now more than $1.5 trillion per year. Furthermore, the average price tag of a data breach is now $3.9 million per incident, according to IBM.
Despite these staggering figures, there’s a common and inaccurate belief among many SMBs that the greatest security vulnerabilities exist in large companies. However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats, and the complacency regarding this reality can have disastrous consequences.
Among the SMB cybersecurity survey's most notable findings: 78% of SMBs said having a privileged access management (PAM) solution in place is important to a cybersecurity program, yet 76% have not fully deployed one.
Key SMB cybersecurity findings include:
Sixty-two percent of SMBs do not conduct a security audit at least once a year. Fourteen percent never conduct one.
Fifty-seven percent said they have experienced a phishing attack in the last three years.
Forty-seven percent allow end users to reuse passwords across personal and professional accounts.
Max Trottier is Devolutions’ vice president of sales and marketing. We spoke with him to find out more about what the SMB cybersecurity survey says.
Channel Futures: Has the pandemic impacted SMBs in terms of them being concerned that they could be targeted by cybercriminals?
Max Trottier: Yes, the pandemic has increased the cyberattack concern level for many SMBs, particularly when it comes to threats targeting remote workers. While all tactics are in play, eight in particular are proving to be especially profitable for hackers and costly for SMBs. Those are phishing, third-party attacks, XSS attacks, database hacks, endpoint attacks, ransomware, cryptojacking and insider attacks carried out by rogue employees and contractors.
Unfortunately, even when the COVID-19 crisis ends, we do not expect things to get easier for SMBs. On the contrary, we anticipate that cybercriminals will keep increasing their attacks, since SMBs are typically more vulnerable than large enterprises.
CF: What aren’t SMBs doing that they should be doing to protect themselves?
MT: There are a few things that SMBs should be doing to protect themselves but have not done — or at least not done effectively. All SMBs should have a PAM solution in place to monitor and control elevated accounts. In addition, SMBs as a whole need to focus more on good password management policies and practices. Also, SMBs must realize that security audits are not optional — they are essential and should be performed at least twice a year. Lastly, SMBs need to pay much closer attention to their internal users, who may deliberately or accidentally cause a data breach.
CF: Can you give some examples of how MSSPs can help with SMB cybersecurity?
MT: Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources for assistance in a number of areas, including cybersecurity. MSSPs can play a pivotal role in providing cybersecurity solutions, implementation, training and best practices to SMBs.
Here are five key ways that MSSPs can help SMBs improve their security posture:
Implement a PAM solution.
Enforce strong password management policies.
Implement the principle of least privilege (POLP). End users are given only the amount of access they need to carry out their day-to-day jobs.
Implement segregation of duties (SoD) … to prevent conflict of interest, wrongful acts, fraud, abuse and the building of secretive silos around activities.
Provide end users with adequate cybersecurity training.
CF: Can you point to any progress being made by SMBs to better protect themselves?
MT: Yes, there is some progress being made by SMBs to better protect themselves in a few key areas. Our survey found that 88% of SMBs are providing some form of cybersecurity education to their end users. While this is encouraging, it is also true that some SMBs are not providing comprehensive or updated information. With this being said, 100% of SMBs should be training end users in good cybersecurity hygiene. It only takes one careless person to open the door to hackers. There is also growing awareness of the importance of password management tools. Our survey found that 76% of SMBs believe that password managers are best suited to validate and monitor good password practices.
Our survey also found that 88% of SMBs are more concerned about the privacy and security of their online data now than they were five years ago. This is a kind of good news-bad news scenario. The bad news is that, obviously, it means that things are getting worse for SMBs. But the good news is that more SMBs are aware of the risks — although … many are still not doing enough to protect their data, their customers and their reputations.
CF: Are budget constraints due to the pandemic impacting SMB cybersecurity decisions? If so, how?
MT: Budget constraints have always been a factor for SMBs regarding cybersecurity spending. But our opinion is that this obstacle is largely in place because most cybersecurity vendors do not provide solutions that SMBs can afford.
As for how the pandemic is impacting SMB cybersecurity spending, a new survey from Kaspersky found that among SMBs – even though IT budgets are shrinking due to COVID-19 – the proportion of IT budgets dedicated to IT security is projected to continue growing year over year, with the majority of SMBs expecting a 12% uptick in the next three years.
Another and simpler way to look at this is that while the majority of SMBs are planning to spend less on IT in terms of total dollars, they are planning to spend more of those dollars on cybersecurity products and services. This will hopefully translate into more robust security protection and fewer victimized SMBs.
Businesses Still Not Protecting Remote Workers
Businesses across the United States have experienced a significant spike in cyberattacks, correlated with the shift to remote work that began in early 2020.
That’s according to a new report sponsored by Keeper Security and conducted by the Ponemon Institute. It collected responses from more than 2,200 IT and IT security personnel in the United States and numerous other countries. All respondents work for organizations that have furloughed or directed their employees to work remotely as a result of COVID-19.
Challenges brought about by remote work have increased that risk, including a lack of training, an ill-equipped IT security workforce and new technologies.
According to the survey:
Nearly one in four (24%) feel their organization has not provided any or adequate education regarding the security risks brought about by remote work.
Nearly half of IT administrators expressed worry over the lack of physical security in remote workspaces.
Most U.S. IT security pros believe remote employees’ use of their own mobile devices to access business-critical applications and IT infrastructure has had a negative impact on their organization’s security posture.
One in four (24%) are concerned about the prospect of criminals gaining control of personal devices and stealing sensitive information.
A striking 63% of U.S. companies have seen an increase in phishing/social engineering during the pandemic. Furthermore, more than half (52%) noted a jump in credential theft and one-half (50%) reported a rise in account takeover incidents.
Damage to or theft of IT infrastructure caused 41% of U.S. businesses to lose $5 million to $10 million or more in the last year.
Darren Guccione is Keeper Security‘s CEO and co-founder.
“One of the most surprising findings is how organizations have fallen somewhat short of protecting their remote workforce during this time,” he said.
Authentication methods – particularly multifactor authentication (MFA) – are vital for remote employees to maintain heightened security, Guccione said. This is especially important during this time of increased remote work.
“With attacks becoming more sophisticated and targeted every day, organizations across the board need to prioritize and implement these security measures to protect the organization and workforce,” he said.
Cybersecurity providers need differentiated solutions that protect their customers' and their own passwords and sensitive data in a secure manner.
“During COVID-19, the types of attacks organizations have experienced most are credential theft and phishing/social engineering, with 60% of respondents saying they have experienced a cyberattack,” Guccione said. “As we continue to see these threats increase, businesses will be looking to MSSPs for guidance.”
Many companies are beginning to understand the ramifications of not having proper security protocols in place, he said. They are looking for guidance and best practices.
“Cybersecurity providers and MSSPs can provide this cybersecurity support, education and guidance to ensure the remote working environments are protected from cyberattacks moving forward,” Guccione said. “Also, financial repercussions represent a growing challenge. Fifty-eight percent of respondents say their organizations experienced a compromise that damaged IT infrastructure or stole IT assets. The average cost to deal with these compromises over the past 12 months is $2.7 million.”
Many businesses can’t afford a cyberattack, so they are looking to increase their remote working security through external providers.
McAfee Solution Protects Schools from Cybercriminals
McAfee‘s latest offering aims to help schools fight cybersecurity threats associated with remote learning.
Secure School Suites and McAfee MVision Mobile Advanced ensure all devices are protected from ransomware and fileless attacks, the company said.
According to the McAfee Labs Threat Report, the education community experienced a more than 1,000% increase in cloud threats due to COVID-19.
The solution detects threats and vulnerabilities on devices used by students and teachers; networks students connect to; websites they visit; and applications they download.
The product helps schools easily restore files affected by ransomware, McAfee said. It also protects against drive-by downloads and phishing attacks from malicious websites.
Ken Kartsen is McAfee’s senior vice president of public sector.