Cybersecurity vulnerabilities at large businesses have received much attention recently, especially after several casinos in Las Vegas were forced to go offline due to cyberattacks. Casinos are a vital economic engine in Nevada, but it’s not just sprawling enterprises like these that are targets for cybercriminals. Small and medium-sized businesses (SMBs) are targeted just as much, especially if they use MSPs to manage their cybersecurity.
What counts as a small or medium-sized business is subjective, but the Small Business Administration (SBA) defines a “small business” as one with fewer than 500 employees. Of course, if you own a cabinet shop employing five workers, a business with 450 employees hardly seems small. According to the SBA, small businesses make up 99.7 percent of all businesses in the United States. Many small businesses increasingly depend on MSPs for their IT needs, including cybersecurity.
Forbes Magazine wrote earlier this year: “Without managed service providers (MSPs), many small- and medium-sized businesses can’t function.”
MSPs increasingly provide more than basic IT functions, expanding offerings into education, user training, and cybersecurity. The Forbes article also pointed out:
According to JumpCloud’s survey “IT Evolution: How IT Is Securing the Next Stage of SME Workplace Models,” almost 88% of small and medium enterprises use or plan to use MSPs to manage their infrastructure. This statistic is not surprising, given the lack of available IT talent and the significant cost of an in-house IT team.
Cyber insurance isn’t enough
Recent cybersecurity issues in small to medium-sized businesses have proven Forbes’ statement true. To combat these issues, more and more SMBs are buying cyber insurance to protect them from incidents, but that isn’t enough, experts say.
“I see some SMBs with virtually no cybersecurity in place, but they have insurance, and they think that’s enough,” says Tracy Stoddard, a cybersecurity analyst in Pittsburgh. “It isn’t.”
Stoddard points out that insurance won’t pay for lost time and damaged reputations and may not even recoup all the expenses involved in a breach. “SMBs need as robust a cybersecurity plan as a Fortune 500 company,” he advises.
What are some of the top cyber threats that SMBs are facing now?
- Ransomware: Ransomware continues to be a considerable threat to SMBs, which surprises some people. “Some people think only big businesses are targeted by ransomware thieves, but statistics don’t bear that out. Sometimes the defenses of a large business are more robust, and hackers know that an SMB might be an easier soft target,” explains Stoddard.
Also, a larger enterprise is more likely to have system redundancy and backups so that a single attack doesn’t hobble it (though, as the casino attack proved, not always). “An SMB without adequate backup may just decide to pay up somehow so that they can keep their business running,” Stoddard adds. “And hackers know this, which is why they target SMBs.”
- Lack of knowledge: A large company often has more money to bring in outside experts to talk to employees about cybersecurity and even host entertaining (but educational) symposiums. But a small business can’t always afford that.
“The IT department might consist of one overworked person or, increasingly, an MSP,” Stoddard says. An MSP should make education at an SMB a top priority, he goes on to share: “It’s simply too easy for hackers to craft a realistic-looking email and send it to an unwitting target.”
- Weak passwords: This is a problem in businesses of all sizes, but Stoddard says it seems worse in small businesses. “The 10-person accounting firm is more likely to have weak passwords which can be guessed or circumvented,” Stoddard warns. He recommends that SMBs hire MSPs with a robust user-training package. “We don’t want passwords named after pets or favorite colors,” he explains.
- Best practices not followed: An SMB may not follow best practices the way a publicly traded or regulated enterprise does. However, the local accounting office with ten employees can cause many problems by not following best practices.
Best practices are more than a buzzphrase; there are proper protocols regarding onboarding new employees, off-boarding departing ones, and disposal of end-of-life computer equipment so that sensitive data isn’t exposed. “MSPs have experience with this, many SMBs do not,” Stoddard says.
A robust defense for an SMB often begins with an MSP. But even the federal government is increasingly warning small businesses to be on guard, offering tools, advice, and best practices for SMBs.