The Dos and Don’ts for SMB Cybersecurity in 2021
It’s no secret that the COVID-19 pandemic has severely impacted small and medium-sized businesses (SMBs). With decreased foot traffic, greater local regulations, and growing expenses to deal with, cybersecurity has undoubtedly become a lesser priority for SMBs struggling to get back on their feet.
In the midst of all this, cyberattacks have increased significantly throughout the pandemic. With more remote work and businesses letting their guard down, hackers have been targeting them with domain spoofing and spam-based attacks. Knowing the hit SMBs have taken and the possibility of cybersecurity cuts, malicious actors have leveraged the pandemic as an opportunity to pounce. Recent data shows that nearly 50 percent of SMBs have fallen victim to ransomware attacks, and approximately three-quarters of those have had to pay up.
With limited financial resources and overburdened IT teams, it’s likely that an SMB would not recover if it were hit by a costly cyberattack. To protect against all possibilities, these businesses must understand the dos and don’ts of implementing a strong cyber resilience strategy.
Don’t: Assume All Threats Are Malicious or From Outside the Organization
Threats aren’t always from outside the business. The biggest threat to an organization often comes from within its own walls. While there is occasionally the threat of a rogue, disgruntled employee seeking revenge, approximately 90 percent of insider threats actually come simply from non-tech-savvy employees. In fact, cyber incidents are often the result of employees not having the appropriate training or know-how to catch a potential attack. Without the ability to identify malicious activity, it’s much more likely they will accidentally click on dangerous attachments or links, forward a damaging email, or respond to an impersonation attack. The result of such a mistake can be far-reaching and potentially take down an entire organization’s systems.
Do: Provide Awareness Training for Employees
With insider threats accounting for the majority of cyberattacks, SMBs need to get to the root of the problem: human behavior. Inspiring change begins with raising awareness. To do this effectively, SMBs must first reflect on their business as a whole. This means identifying every “weak point” and addressing every potential impact the business could suffer if those weak points were targeted. For instance, many SMBs operate across supply chains, which include various virtual and physical touchpoints. Because of this, if one section of the supply chain were to get hit by a cyberattack, the entire system could come crumbling down. By gathering and sharing this information in consistent organization-wide training sessions that inform and entertain, SMBs can empower their staff with deeper threat awareness and help improve their individual security posture.
Don’t: Make Assumptions About What You Have and What You Know
Many small business owners don’t have a cybersecurity background. As a result, they may be unaware that the security solutions they implement aren’t equipped to handle their business needs. This can be detrimental, leaving their business riddled with holes open to malicious activity.
Leadership might also hold the incorrect assumption that training will break their tight budget. What they may not realize, though, is that a small investment in virtual training programs, such as video modules and phishing simulations, is far cheaper than paying a ransom or recovering lost data. Investing now can help SMBs save later.
Do: Couple External and Internal Analyses
SMBs should consider bringing on external experts to regularly analyze their IT infrastructure. This will ensure that they have an unbiased opinion on the business’s needs and the strongest protection possible.
Coupled with this, SMBs should regularly conduct internal security audits to better understand where hidden back doors exist across their organization. For instance, given that employees are likely working remotely, SMBs should take the time to review their network infrastructure to ensure all connected devices meet security standards with regular software updates in place. With an internal and external check, businesses can better understand their pain points and focus their cybersecurity spend where it’s really needed.
Don’t: Wait to Invest in Cybersecurity
SMBs have a lot on the line in 2021. Coming out of 2020’s economic hardships will be both expensive and time-consuming, but cybersecurity should not be an added burden. Rather, it should be a helpful addition to their business strategy. Cyber resilience practices like employee training and SMB audits are long-term investments that need to be made for the future success of the organization.
Garrett O’Hara is the principal technical consultant for Mimecast, a cybersecurity provider that helps thousands of organizations worldwide make email safer, restore trust and bolster cyber resilience.