Why small and mid-sized businesses are a huge target for cyber attacks

Small and mid-sized businesses (SMBs) need to do more about cybersecurity and especially the password practices of their employees.


Small and mid-sized businesses (SMBs) have faced mounting cybersecurity threats, escalating attack damages and the rapid emergence of new types of attacks this year. Yet, despite clear evidence that the overwhelming majority of SMB cyber attacks result from poor password management, SMBs are doing very little to boost visibility into the password practices of their employees.

Password protection is key

Cyber attacks are becoming more targeted, more sophisticated and more severe in their consequences. Employee negligence is often found to be the top root cause of successful data breaches. Clearly, an ongoing lack of attention to password usage underlies many of the cybersecurity woes at SMBs. A major study earlier this year by Verizon noted that 81 percent of all cyber attacks result from poor password management practices.

Surprisingly, a majority of employers have no visibility into their employees’ password practices. The top bad practices include using the same passwords for access to multiple accounts and services, sharing passwords in highly insecure ways and failing to use strong passwords. “Password” was among the top 10 passwords in 2016, alongside “123456” and other very easily compromised ones that an alarming number of people still use. Employers need to enforce a password policy to keep vital data secure.

Affordable, effective solutions

An easy way for SMBs to respond to these types of compromising situations is to quickly establish mobile device and BYOD internal control policies and implement software that controls the information being protected and transacted via these and other devices. The combination of password management software and enterprise mobility management tools can mitigate up to 80 percent of the cyber risk those devices pose.

What is holding SMBs back?

Clearly, greater data protection beyond the “traditional” protection tools is needed. So why don’t more SMBs take such steps to protect their most sensitive data assets? Companies cite the lack of trained security staff and inadequate budgets as top barriers. However, given the enormous costs associated with a data breach, failing to protect against today’s dynamic threat environment could prove disastrous. And the costs associated with doing so may not be as high as imagined.

Today, there is more protection software targeting SMBs than ever before. Given the cost relative to the real risks, and given how productivity can actually be enhanced with the right software solutions, better protection is well within reach of SMBs from an ROI perspective. For example, with a comprehensive password management system, many organizations have experienced a marked decline in help desk calls related to lost or forgotten passwords.

Companies should teach their employees what to be wary of, especially with phishing or other social engineering attacks, most notably harmless-looking clickable URLs buried in a scam email. A prime defense against this can be ongoing phishing simulations to try to “catch” negligent employees, thereby helping educate them. Employers would be surprised how many people in their own organizations fall victim to such a test.

Beware the Internet of Things

Organizations have high levels of concern over security breaches caused by Internet of Things (IoT) devices, which today number in the billions with millions more being deployed every month. They are notoriously insecure, arriving from overseas factories as de facto network end points. They come with no mandate or set of requirements regarding password length or strength or whether they should have single or two-factor authentication.

It’s alarming how many small and mid-sized businesses are becoming huge targets for hackers. With a few simple measures, businesses can significantly reduce the number and size of these attacks. Improving cybersecurity doesn’t have to cost a ton of money, but it’s imperative for companies to invest time and effort in educating employees about password protection and in keeping up with the latest company software updates.

This article is published as part of the IDG Contributor Network.