SMB Cybersecurity Still Lacking Due to Misperception About Attacks

Written by Edward Gately
October 19, 2020

Many SMBs still think cybercriminals will target larger organizations instead of them.

A new SMB cybersecurity survey shows many SMBs still believe larger companies are more vulnerable to cyberattacks.

Software developer Devolutions polled 182 SMBs from a variety of industries, including IT, health care, education and finance for its SMB cybersecurity survey.

Revenue from global cybercrime is now more than $1.5 trillion per year. Furthermore, the average price tag of a data breach is now $3.9 million per incident, according to IBM.

Despite these staggering figures, there’s a common and inaccurate belief among many SMBs that the greatest security vulnerabilities exist in large companies. However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats, and the complacency regarding this reality can have disastrous consequences.

Among the most notable SMB cybersecurity survey’s findings, 78% of SMBs said having a privileged access management (PAM) solution in place is important to a cybersecurity program. However, 76% haven’t fully deployed one.

Key SMB cybersecurity findings include:

Sixty-two percent of SMBs do not conduct a security audit at least once a year. Fourteen percent never conduct one.
Fifty-seven percent said they have experienced a phishing attack in the last three years.
Forty-seven percent allow end users to reuse passwords across personal and professional accounts.

Max Trottier is Devolutions’ vice president of sales and marketing. We spoke with him to find out more about what the SMB cybersecurity survey says.

Channel Futures: Has the pandemic impacted SMBs in terms of them being concerned that they could be targeted by cybercriminals?

Devolutions’ Max Trottier

Max Trottier: Yes, the pandemic has increased the cyberattack concern level for many SMBs, particularly when it comes to threats targeting remote workers. While all tactics are in play, eight in particular are proving to be especially profitable for hackers and costly for SMBs. Those are phishing, third-party attacks, XSS attacks, database hacks, endpoint attacks, ransomware, cryptojacking and insider attacks carried out by rogue employees and contractors.

Unfortunately, even when the COVID-19 crisis ends, we do not expect things to get easier for SMBs. On the contrary, we anticipate that cybercriminals will keep increasing their attacks, since SMBs are typically more vulnerable than large enterprises.

CF: What aren’t SMBs doing that they should be doing to protect themselves?

MT: There are a few things that SMBs should be doing to protect themselves but have not done — or at least not done effectively. All SMBs should have a PAM solution in place to monitor and control elevated accounts. In addition, SMBs as a whole need to focus more on good password management policies and practices. Also, SMBs must realize that security audits are not optional — they are essential and should be performed at least twice a year. Lastly, SMBs need to pay much closer attention to their internal users, who may deliberately or accidentally cause a data breach.

CF: Can you give some examples of how MSSPs can help with SMB cybersecurity?

MT: Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources for assistance in a number of areas, including cybersecurity. MSSPs can play a pivotal role in providing cybersecurity solutions, implementation, training and best practices to SMBs.

Here are five key ways that MSSPs can help SMBs improve their security posture:

Implement a PAM solution.
Enforce strong password management policies.
Implement the principle of least privilege (POLP). End users are given only the amount of access they need to carry out their day-to-day jobs.
Implement segregation of duties (SoD) … to prevent conflict of interest, wrongful acts, fraud, abuse and the building of secretive silos around activities.
Provide end users with adequate cybersecurity training.

CF: Can you point to any progress being made by SMBs to better protect themselves?

MT: Yes, there is some progress being made by SMBs to …