Because they don\u2019t see themselves as targets, small-to-midsize businesses (SMB) have for a long time believed that their security programs are good enough. They have a firewall, antivirus, maybe they even use two-factor authentication.\n\nThe mistake is believing that this is enough because they have nothing of value to an attacker. While they may have a smaller attack surface, they are no less vulnerable than a major enterprise.\n\nNot only are small businesses growing as the favored targets for ransomware attacks, they are also the most impacted, with 60 percent shutting down within six months of a breach, according to the US National Cyber Security Alliance.\n\nThis increase of attacks on SMBs could in part be attributed to a false sense of cybersecurity confidence within small businesses. The reality is, when ransomware comes in, it can ruin a small company.\n\nSam McLane, head of security operations at Arctic Wolf Networks said that a recent survey they conducted showed, \u201c95 percent of IT professionals at small businesses believe their cybersecurity posture is above average. However, 100 percent of the same respondents also said they could improve their systems.\u201d\n\nNot paying attention to the little things can destroy a company in either cost of recovery or loss of reputation. \u201cIf they don\u2019t test their backup and they aren\u2019t sure that they can recover the data, it doesn\u2019t help them,\u201d McLane said.\n\nThat\u2019s why it\u2019s so important to do recovery tests. \u201cTake a critical server on a weekend and recover it. Patch everything you can. If someone mentions the internet is not working a couple of times, something there is not right,\u201d McLane said.\n\nJohn Kronick, director of cybersecurity for the advanced technology group of PCM, Inc., said that in 2016 \u201cHalf of the organizations targeted by cyber attacks fell victim to it. Of those that were victims, a third of those reporting said that their security had been bypassed.\u201d\n\nThe key takeaway for SMBs in those statistics is that, \u201cMany companies need to get back to the basics of security. In most of these cases, they had tools, but they didn\u2019t execute well," Kronick said.\n\nWhether they have the budget and the process, \u201cIf they don\u2019t have the execution, then they get breached,\u201d Kronick said. \n\nGiven that social engineering has a 50 percent success rate, SMBs need to also focus on proper execution as well as incident response and security awareness training. In addition, Kronick said, \u201cMany of the breaches happen because of an insider issue.\u00a0SMBs also need to be attentive to the patching of systems and adequate scanning of their systems depending on criticality."\n\nInstead of following established best practices, so often SMBs, \u201cDon\u2019t patch systems behind the firewall. In one case, a company had all its FTP systems behind the firewall and they didn\u2019t patch them because they assumed they were fine. When they got affected, they were out of business for a couple days.\u201d\n\nThere seems to be a time warp between the Fortune 100 companies and today's SMBs. Casaba Security's Chris Weber said that what SMBs can learn from enterprises can be summed up in one word: Everything.\n\n\u201cEnterprises are the major targets of attack and the ones dealing with the forefront of all issues around cyber security from social engineering to application security,\u201d Weber said.\n\nThis fact matters when it comes to informing the security programs of SMBs because, \u201cThey release information and talk openly about their cybersecurity,\u201d Weber said.\n\nSMBs can then implement some of the same tools and processes to reduce their vulnerability, and they are most vulnerable to phishing campaigns. That means that email is a major vulnerability.\n\n\u201cThey are less often targeted by sophisticated adversaries, but there are a number of attackers with a variety of intentions. An attacker is going to want to extract some sort of value from a company,\u201d Weber said.\n\nIt is well known in security that defenders have the tougher job. All the attackers need to do is find just one crack and they can get in. \u201cEnterprises have lots of different systems, integration with partners, and mobile devices. SMBs have similar stuff on a smaller scale, but they are generally more capacity constrained,\u201d said Weber.\n\nIf there is an IT person, that individual is usually wearing many hats. \u201cIt\u2019s highly unlikely for SMBs to have a full time security staff or person, so their best bet is to outsource to things like Office 365 for business applications or other cloud services,\u201d Weber said.\n\nArchie Agarwal, ThreatModeler's founder and CTO, said, \u201cAlmost all enterprises are now investing a lot of money and resources in protecting their applications." That was not the case a decade ago.\n\nFor major enterprises, the third-party vendors they use are often SMBs, and now those vendors need to provide a guarantee that they are providing some sort of security.\n\nIt used to be that if a small company got hacked, nobody cared about it, said Agarwal, but now they can have a big impact on a large enterprise. It\u2019s incumbent upon those SMBs to be thinking about how to improve their cybersecurity posture.\n\nThen there are those Business-to-Consumer (B2C) SMBs, which are in an even more precarious situation because they cannot withstand a cyber attack, said Agarwal. \u201cThey are going to go out of business. For a hacker who got an automated tool and was able to do a DDoS attack, they need to be thinking about how to protect their brand from that kind of a situation.\u201d\n\nWhether they are a Business-to-Business or B2C, their reputation is a critical factor that should also inform their security programs. \u201cThey need to be taking notice to at least ask questions of what they can do to protect their business from a huge impact,\u201d said Agarwal.\n\nThey also need to protect the intellectual property of their business. \u201cThe trade secrets. We had an SMB that got hacked by China and their IP was stolen. Now the Chinese company has it and is selling it for half the price,\u201d Agarwal said.\n\nMany SMBs accept this truth but don\u2019t have the time and resources to dedicate to building a stronger security posture. \u201cWhat they have started to do is build threat models to understand where the threats lie. That way they can start to prioritize in order to protect only against the threats that are specific to them,\u201d Agarwal said.\n\nThreat modeling helps them look at the big picture and understand the threats and then focus on where to mitigate those threats, Agarwal said. \u201cOnce they understand the big picture, they can look at a list of maybe 100 threats, and see that only 30 of those are critical.\u201d\n\nThe traditional way was to use tools even though they didn\u2019t know what threats the tools were protecting against. \u201cWith threat modeling, they can focus on protecting against the threats applicable to their business and business risk,\u201d Agarwal said.\n\nAssuming that an attacker has nothing to gain from an SMB can be the death of the business. \u201cCybersecurity has to be taken seriously,\u201d Agarwal said.