Small and medium-sized businesses (SMBs) have historically been assumed to be too insignificant for threat actors to care about them. This is an increasingly dangerous assumption. The latest government figures show that 58% of small businesses and 70% of their medium-sized counterparts have been affected by a data breach or cyber attack in the past year. Many more may have been compromised but not yet discovered.
However, this does not mean it is game over for British SMEs. They may have less money and fewer resources, but there are plenty of options available – especially the growing number of channel companies that now specialize in managed security services, known as managed security service providers (MSSPs). The key will be finding the right one.
Channel Director for the UK at Trend Micro.
Misconceptions and misjudgments
SMB security strategy is often based on a series of common misconceptions about the threat landscape. The first is that their data is not valuable to hackers. In fact, there are several ways threat actors target and monetize data held by smaller organizations. Ransomware groups regularly exfiltrate IP and customer/employee information to sell on the dark web and use as leverage to extort their victims. Research shows that in the first quarter of 2024, nearly a third (31%) of corporate ransomware victims were businesses with fewer than 100 employees, and three-quarters (74%) had fewer than 1,000 employees.
Threat actors may also target SMBs in specific industries, such as legal, because of the highly sensitive data they hold about customers. Or they may breach a smaller company in a springboard attack, to reach a higher-value customer or partner. The threat comes not only from financially motivated cybercriminals, but also from nation-state actors. The result? UK SMEs recorded a 37% increase in cyber threat alerts in 2023 compared to 2022. And almost four in ten lost data.
SMB owners may also wrongly assume that insider threats are a problem only for larger organizations. Nearly a third (30%) of UK SMEs lost data due to user error in the last 12 months, and 27% due to disgruntled employees. The problem of user negligence and error is exacerbated by a lack of regular security awareness training. According to the government, only 30% of small and 52% of medium-sized businesses have organized sessions in the past 12 months.
Beyond AV
Another common misconception is that simple endpoint AV is enough to protect modern SMBs. In fact, the cybercrime underground has become increasingly sophisticated, with packaged services offering would-be hackers all the tools they need to carry out large-scale phishing and ransomware campaigns, bypass multi-factor authentication, launch brute-force attacks and more. There is an endless pipeline of stolen credentials making their way into underground markets to fuel account takeovers. And specialized initial access brokers (IABs) sell turnkey access to corporate networks.
All this means that SMBs need defense-in-depth that spans all layers of their IT infrastructure – from the email inbox and endpoint to networks, identity systems and cloud environments. They need not only defenses to block as many threats as possible, but also detection and response capabilities to find and manage the threats that slip past them. And they must manage risks across extended supply chains.
Unfortunately, government research shows that such tools and approaches are still not being applied appropriately. Supply chain security was adopted by just 29% of mid-sized UK businesses last year, while adoption of incident management (69%) and vulnerability management (59%) should ideally also be higher.
Choosing the right partner
A final misconception that may impact SMB security is that a small generalist IT team can handle everything themselves. The truth is that as long as threat levels remain high and small businesses continue to invest in digital systems to become more agile and competitive, they will need help with cybersecurity. The challenge for those with fewer resources, at a time of pronounced global skills shortages, is finding the right talent.
This is where the IT channel comes into its own. The market is full of MSPs and MSSPs that can help smaller businesses bridge skills and capability gaps with value-added services. In fact, it is a fast-growing global market. According to one estimate, SMB cybersecurity will be worth $90 billion by 2025, with managed security services accounting for a third. But more options may make finding the right partner even more difficult.
SMEs should carefully consider their requirements and budget before assessing the market. As always, it pays to stick with reputable providers with good customer reviews. It may be worth proactively talking to a provider's customer base rather than relying on the references the MSSP supplies. A potential provider should also have solid partnerships with reputable security vendors.
Managed Detection and Response (MDR) is becoming increasingly popular, and for good reason. It proactively detects and contains threats before they have a chance to cause damage. All the heavy lifting is done by the vendor or MSSP, allowing SMBs to take advantage of enterprise-grade security operations (SecOps) capabilities without incurring the operating costs. Look for vendor partnerships backed by global threat intelligence, so that zero-day vulnerabilities can be patched quickly.
Today’s SMEs find themselves firmly in the crosshairs of global threat actors. But help is at hand, if they know where to look.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.