Fact or Fiction? The Truth About Cybersecurity for Small and Mid-Sized Businesses

There are many common perceptions about cybersecurity – but many are misperceptions. For small and mid-sized businesses (SMBs), misinformation about cybersecurity can be confusing – and sometimes risky. It’s time to set the record straight on which statements are fact and which are fiction.

Fiction: Cyber criminals don’t care about SMBs

Modern cyber criminals actually DO care about SMBs – and often use smaller third-party vendors to gain access to larger targets. With fewer budget dollars and expert resources dedicated to cybersecurity than their larger counterparts, small and mid-sized organizations often make easier targets, particularly in today’s increasingly complex and connected cloud environment. In fact, nearly one-third (28%) of data breaches in 2020 involved small businesses, according to the Verizon 2020 Data Breach Investigations Report (DBIR) – 70% of which were perpetrated by external actors.

Fiction: Outsourcing cybersecurity is not a realistic option for SMBs

Outsourcing cybersecurity is a great option for SMBs. Leveraging a managed service rather than buying a security point solution gives your SMB fixed-cost access to enterprise-grade technology and expertise you might otherwise not be able to afford. These seasoned security teams become an extension of your internal IT team, and can help with creating and enhancing your overall cybersecurity program and boosting your security posture.

Fact: Compliant doesn’t mean secure 

While it’s true that cybersecurity and compliance are often intertwined, they are not the same. An organization may meet minimum government or industry security requirements, but that doesn’t mean the organization is secure. Your IT/security team should be aware of the compliance mandates in your industry, but also be ready to play an active role in protecting your organization. Rather than trying to take on these responsibilities alone, a cybersecurity-as-a-service provider with demonstrated industry expertise can help you meet your compliance obligations – and will have the technology and expertise to keep you secure as well.

Fact: Cybersecurity fatigue is a problem 

Forty-one percent of respondents at both SMBs and large enterprises report experiencing fatigue, according to the Cisco Cybersecurity Report Series 2020 for Small and Medium-Sized Business. IT/security teams and business leaders need to be efficient at managing security, especially at organizations where resources are stretched thin. Outsourcing some of the tasks to a managed cybersecurity provider can relieve your IT team of the stress and burnout associated with running your cybersecurity program – and can even help optimize it.

Fiction: Strong passwords are enough

Strong passwords are important, but passwords alone won’t keep your enterprise protected. Other components of a good cybersecurity posture include two-factor authentication and continuous cybersecurity monitoring. Collecting security events from across your IT infrastructure, network, and applications, and reporting threats on a constant basis, are integral to enterprise network safety.

The cybersecurity landscape is constantly changing, and the COVID-19 pandemic has introduced a new set of challenges and cybersecurity issues for organizations across industries. The good news is that we’ve seen remarkable improvement in the SMB cybersecurity space in recent years, thanks to growing awareness and maturing managed detection and response (MDR) capabilities. Today SMBs have access to security products and services that were previously only available to large enterprises.

Fiction: Anti-virus is the only endpoint protection you need

Anti-virus solutions are typically signature-based, which means that the malware they detect is already known. Increasingly, attackers are leveraging zero-day vulnerabilities or targeted attacks that traditional signature-based solutions don’t “recognize” and will not pick up. As user devices such as desktops, laptops, and mobile devices now extend beyond your perimeter, visibility into these endpoints is critical. Endpoint detection and response (EDR) solutions deliver this visibility, and also supplement anti-virus protection by leveraging behavior-based signatures, machine learning, and analytics to detect advanced compromises. EDR also can alert, block, remediate, and quarantine suspicious behavior as needed.

Fiction: Monitoring my edge firewall is the only monitoring needed

Your edge firewall will only inspect traffic that is transiting that firewall. Instead, your entire estate needs to be monitored. Network segmentation and monitoring the entire network will provide crucial visibility into compromises that originate inside the network or that are propagating laterally across the network (east-west traffic patterns). In addition, monitoring all applications, databases, file shares, and authentication sources provides key telemetry for threat detection.

Fiction: SMBs can’t afford a cybersecurity program

To the contrary – you can’t afford NOT to have a cybersecurity program. According to the National Cyber Security Alliance, 60% of small businesses that suffer a cyber attack go out of business within six months of the incident. As enterprise organizations expand their cybersecurity programs, budget, and detection capabilities, they become more difficult targets, which increases the focus of attackers on the often less-protected smaller organizations – for a better ROI.

Fact: Phishing and social engineering are the number one attack vector for SMBs

Humans are the weak link in the cybersecurity chain for companies of all sizes, and the numbers prove it. According to the Verizon 2022 DBIR, 82% of breaches involved the human element, and social attacks such as phishing got attackers in the door. Top motives include financial gain, and your users with access to your organization’s banking and business systems are likely targets. Protections against these tactics include strong email security controls coupled with end-user security awareness training and phishing testing as components of your cybersecurity program.

Don’t believe everything you hear. Knowing the facts about cybersecurity gives you the ability to stand up to attackers and plan your cybersecurity strategy appropriately. For many SMBs, security point solutions, tight budgets, and limited expertise can impact the effectiveness of your security efforts. Consider partnering with a managed services provider who can give you on-demand access to enterprise-grade cybersecurity technologies and the resources to run them – without the complexity or cost of implementing, staffing, and managing everything yourself.

Are you looking to strengthen your security posture by using a managed services provider? Check out SilverSky’s leading security services for cybersecurity that’s simple, affordable, and accessible.