Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Gustavo Zeidan

The Power of Prevention: What SMBs Need to Know About Cybersecurity

There is no such thing as a company that can't afford security. But where do you start?

Many SMBs today have the mindset that they are "not big enough" to be targeted by cyber criminals. Having smaller budgets than their enterprise counterparts, SMBs are also often unwilling to invest in adequate protection. As a result, many SMBs fail both to prevent breaches and to respond effectively when they are breached.

A successful attack can cost hundreds of thousands, even millions of dollars. For an SMB with limited financial resources, the damage can be catastrophic. There’s no such thing as a company that "can’t afford" security. But where do you begin? Here are four steps to get you started.

Step 1: Understand the real threat – it’s not about compliance
Many SMBs make two very common errors. First, they believe that they are not a target. In years past, the Verizon Data Breach Investigations Report has noted that 60% of all successful attacks were aimed at SMBs -- not the Targets and Home Depots of the world. Why? SMBs typically do not have the expertise, resources, or processes required to appropriately monitor and manage the security products in their environment. Interestingly, while Verizon didn't look at the percentage of SMBs successfully attacked in its 2015 report, it did find that the cost of a breach is not necessarily lower for small businesses. Larger organizations do have higher losses per breach, but really only because they typically lose more records.

The second error is that many SMBs believe that if they are compliant, whether with HIPAA, GLBA, SOX, or others, they are also secure. The reality is that it is possible to be 100 percent compliant yet 100 percent insecure. Compliance does not equal security, or vice versa. Compliance, depending on the regulatory body you are dealing with, may address only those aspects of security required to protect the data in question. Security is a much more holistic strategy, involving multiple data and access sources and threat vectors. Achieving compliance will not make you secure. Being secure may not make you compliant, and in any case there is no such thing as 100 percent security. Focus must be brought to bear on both independently.

Step 2: Security is a business imperative
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60% go out of business within six months of an attack. You need to protect your business, but a McAfee study showed that almost 90% of SMBs do not adequately protect their data. Often SMBs believe that security boils down to technology purchases, when in reality technology products are only part of the equation. Technology tools aid in implementing the security policies that protect the business, but without the right people and the right processes behind the technology, an SMB is not fully protected.

As a business, you should know where your vulnerabilities are (data, bank account access, and operational dependencies); be able to quantify the impact if any of those vulnerabilities is compromised; determine what risk is acceptable and what risk must be eliminated; and have implemented the technology, people, and processes necessary to eliminate that risk.

At the end of the day, security is a business decision, not a technology decision.

Step 3: Put your investment where the threat is the greatest
An SMB security budget is often an afterthought and, as a result, small. There are numerous vendors that will sell you point products for every attack vector known to man or woman. By understanding your business and its vulnerability points, you can prioritize your investment in the technologies and resources that will mitigate those threats.

When investing in your security strategy, it is important to consider the additional expenditures required to make your technology decisions effective. Regardless of the technology tool purchased, you must also have trained resources -- people -- who can configure and manage the tool; alerting capability during non-business hours so you know when a threat has been detected; and senior-level, expert practitioners who know how to respond to and remediate threats before damage can be done.

A tool is only as good as the expertise of the person using it.
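Steps 2 and 3 above describe a procedure: list where the business is exposed, put a dollar figure on each exposure, decide which risks are accepted, and then spend a small budget where it avoids the most loss, counting the people needed to run a tool as part of its price. The following Python model is an added example and is not code from the article or its author. Every asset name, loss figure, incident rate and control cost in it is constructed for illustration, and the greedy "most loss avoided per dollar" selection is one simple heuristic among several a practitioner might use, not a method the article prescribes.

```python
"""Risk-register prioritisation for a small business.

Added example, not part of the article: it turns the "know, quantify,
decide, invest" steps into a small model.  Every asset name, loss figure,
incident rate and control cost below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    single_loss: float      # estimated cost of one incident, in dollars
    annual_rate: float      # expected incidents per year (0.25 = once in four years)
    accepted: bool = False  # the business has decided to live with this one

    @property
    def annual_loss(self) -> float:
        """Annualised loss expectancy: what this risk costs per year on average."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    risk: str            # name of the Risk this control mitigates
    tool_cost: float     # licence or hardware, per year
    people_cost: float   # configuration, monitoring and response staff, per year
    reduction: float     # fraction of the remaining annual loss it removes (0..1)

    @property
    def total_cost(self) -> float:
        """Step 3's point: the tool alone is not the price of the control."""
        return self.tool_cost + self.people_cost


# Constructed sample register for a fictional 60-person firm.
RISKS = [
    Risk("Ransomware on the file server", single_loss=150_000, annual_rate=0.25),
    Risk("Email compromise of the bank account", single_loss=80_000, annual_rate=0.5),
    Risk("Website defacement", single_loss=5_000, annual_rate=0.5, accepted=True),
]

CONTROLS = [
    Control("Offline backups with restore testing", "Ransomware on the file server",
            tool_cost=4_000, people_cost=6_000, reduction=0.7),
    Control("Endpoint detection with 24x7 monitored alerting", "Ransomware on the file server",
            tool_cost=12_000, people_cost=18_000, reduction=0.6),
    Control("MFA plus dual approval on payments", "Email compromise of the bank account",
            tool_cost=1_500, people_cost=2_500, reduction=0.8),
    Control("Web application firewall", "Website defacement",
            tool_cost=3_000, people_cost=2_000, reduction=0.9),
]


def rank_risks(risks):
    """Step 2: quantify impact and list risks from most to least costly per year."""
    return sorted(((r.name, r.annual_loss) for r in risks), key=lambda t: t[1], reverse=True)


def prioritise(risks, controls, budget):
    """Step 3: repeatedly buy the affordable control that avoids the most loss per
    dollar, re-evaluating after each purchase so a second control on the same risk
    is credited only for the loss that is still left.  Returns the chosen controls
    with the loss each avoids, the money spent, and the residual annual loss per risk."""
    residual = {r.name: r.annual_loss for r in risks if not r.accepted}
    remaining = [c for c in controls if c.risk in residual]  # accepted risks get no spend
    chosen, spent = [], 0.0
    while True:
        affordable = [c for c in remaining if spent + c.total_cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: residual[c.risk] * c.reduction / c.total_cost)
        avoided = residual[best.risk] * best.reduction
        residual[best.risk] -= avoided
        chosen.append((best.name, avoided))
        spent += best.total_cost
        remaining.remove(best)
    return chosen, spent, residual


if __name__ == "__main__":
    for name, loss in rank_risks(RISKS):
        print(f"{loss:>10,.0f}/yr  {name}")
    picks, spent, left = prioritise(RISKS, CONTROLS, budget=20_000)
    for name, avoided in picks:
        print(f"buy: {name} (avoids about {avoided:,.0f}/yr)")
    print(f"spent {spent:,.0f}; residual annual loss {sum(left.values()):,.0f}")
```

With the constructed figures and a 20,000 budget the model buys payment controls first and backups second, and leaves the 30,000 monitored endpoint product unbought even though it addresses the single largest loss: once staffing is counted, it avoids less loss per dollar than the cheaper controls. Raising the budget to 50,000 brings it in as the third purchase. The point the numbers make is the article's: the ranking changes once people costs are added to tool costs, and a risk the business has consciously accepted should attract no spend at all.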

Step 4: Choose the right partner
SMBs are focused on growing their business, not building an IT department. Often in a small business, the owner is also the IT manager, and, in many cases, the SMB has a partner that has, in effect, become its outsourced IT department, providing hardware, implementation services, break-fix, and even hands-on management services. Those partners advise SMB owners on what new products to buy, but when it comes to security, you can be left "holding the bag" when an event occurs.

In choosing security partners, consider their level of expertise, resources, and 24x7 infrastructure. They should be knowledgeable about security products, but also have the capability to deliver security services that detect and remediate threats. Putting the right security strategy in place to mitigate threats that can jeopardize your business is not just a good idea – it’s mandatory to sustain and grow your business.

Gustavo has over 17 years of experience across a range of technologies and industries with emphasis on security strategy, management, architecture, and security protocols. Gustavo graduated with an MBA from Cranfield School of Management in the United Kingdom and acquired ...

User Rank: Ninja
12/15/2015 | 3:19:28 PM
Re: Scared yet, Bro?
I like your racing analogy; it helps point at what I'm talking about. Only the big boys can afford to play in professional racing, for both safety and performance-based reasons. Everyone else is priced out. That's exactly a very real scenario for SMBs doing business with the internet involved.

Unless these insecure operating systems that allow installing a RAT into the o/s when a naive user clicks on the wrong email attachment or website link are fixed, everything you say is correct. But you predict that will continue forever because your entire business exists because of this. I work on a system every day where that is impossible.

Check out the IBM i5 (formerly AS/400) server o/s and you'll see an example of a system that can't be corrupted at that core level. The issue is that it is not a client o/s where email and web browsing take place. If client o/s had a similar design based on old mainframe security, we wouldn't have these issues. People chose these because they were cheap and you could train a monkey to use a GUI. Bill Gates got rich on a system where security was an afterthought. Connect those to a network designed to easily connect some colleges together, again where security was not a consideration, and you arrive where we are today.

At some point, someone is going to start over on client o/s and harden it. No more installed RATs and keystroke loggers and encrypting your files for ransom. Period. Yeah, we'll still have DoS attacks and account/password cracking if your server is exposed to the internet. But it's this covert installation of privileged programs that is doing the real damage. And that can be stopped, no question about it.

Something has to give. I'm sure your business has integrity, as do most security firms like yours. But think about it: who gains the most from this insecure world, the bad guys or security firms? From a pure business point of view, you have no motivation to ever see these holes closed, any more than defense contractors want world peace. The solution has to come from the people creating the software and protocols that allow the exploits to work in the first place.
User Rank: Author
12/15/2015 | 2:39:24 PM
Re: treating the symptoms
Security spend is actually increasing at 9% CAGR as a result of the high-profile breaches that have made the news. Businesses have always had to make difficult decisions between security spend and the acceptable level of risk. Many are realizing that the level of risk has increased and therefore their spend must also increase.

Vendors are constantly improving the security of their products and services. While 100% secure is the ultimate goal, it is also extremely difficult, if not impossible, to achieve. Taking on the liability of a breach would result in significant cost increases across the board. More sensible and cost-effective measures can be taken to deliver an acceptable level of protection.
User Rank: Author
12/15/2015 | 2:27:08 PM
Re: Scared yet, Bro?
You are accurate that very small businesses, especially startups, run on a very tight budget and typically have a "Best Buy" mentality when it comes to network and security products. While the risk is still present, they chose to accept that risk, spending minimally on security. Small (25-200 employees) and medium-sized businesses (200 to 1000 employees) are increasingly a target, both for proprietary and PII data as well as direct bank account access. Yes, there's additional cost to keep up with the changing threat. But the game has changed, and continues to change. I liken it to the racing industry. As cars get more powerful, faster, lighter, the risk to the driver goes up as well. New protection features, like the tethering of aero components to limit the debris that can hit another driver in Indy Car racing, result in increased cost, but they're necessary to protect both the driver and racing fans. Security also parallels racing in that changes are often not made until disaster happens.

There are no guarantees in racing or security -- except that at some point you will be a target. There is no 100% in security as, for every new stride made in protection, there's a cyber-criminal creating new ways to get around it. When that happens, monitoring of those infrastructure devices is critical to detect the threat and remediate it in time, before damage occurs. Does this really happen? In alarming numbers. Every customer we've turned up this year has had some ongoing infestation or attack -- and they had no idea.

Should anyone be scared? No. That's not the message. Should they take proper precautions? Absolutely.
User Rank: Ninja
12/7/2015 | 2:07:50 PM
Scared yet, Bro?
None of what you say is wrong, just misses the point. Before internet security, new businesses already had a 70-90% fail rate and operated on a shoestring budget, sometimes barely making payroll.

Now there is this added cost of doing business, internet security, which adds as much value to their business as putting on a new roof adds to your house appraisal. And it isn't like buying insurance, where you are guaranteed certain benefits if your place burns down. Some small businesses can barely afford that. So now you want to convince them to pay for a service which has absolutely no guarantee it can protect them from anything?

Am I wrong? If someone contracts with your company for security services, is it in the contract that you are liable for any and all costs of a breach? Yeah, I didn't think so. That's why this is such a mess.

As the previous poster suggested, until infrastructure is tightened up where these easy-to-exploit holes exist (think mainframes back in the day before we knew the word hacker, where only an inside job could work), there is no solving this problem. SMBs can slowly bleed to death on this extra cost of doing business or take the risk it may not happen to them. Statistically, they are still in pretty good shape. Not every company has data which can be monetized, leaving ransomware out of it. And you can't fix ransomware; only the Microsofts of the world who produce an o/s which is vulnerable can fix that.

Is there a role for people like you to educate SMBs on best practices? Absolutely. But can most afford to put people like you on retainer to monitor the expensive IDS they bought? Absolutely not.
User Rank: Ninja
12/6/2015 | 8:52:49 AM
treating the symptoms
We spend so much effort treating the symptoms: track down this trojan, close this botnet, patch this hole. We are only treating the symptoms, and all our efforts will go for naught until we summon the courage to correct the root of the problem: (1) insecure operating software, and (2) a general cavalier approach to authentication. We have to put Security First -- in a Business Environment -- or get robbed blind. Systems that put ease of use and compatibility ahead of security are always going to be vulnerable. This is actually a financial issue, as in a business environment a lot of costs are involved. This would strongly suggest it's time to address the question of Product Liability: software builders need to be responsible for that part of the software that is under their control.