It’s not surprising that small and medium businesses (SMBs) are becoming more aware of cyber threats. High profile breaches make the headlines every day and “small time” incidents are becoming more and more successful against SMBs.

Even so, a recent survey shows that 60 percent of SMBs do not consider cyber-attacks to be a big risk to their organizations and 44 percent don’t consider strong security to be a priority. Yet, a recent study shows that over 50 percent of SMBs surveyed (sized 100-1,000 employees) reported a cyber-attack or data breach in the past year.

Cyber-attacks can cause considerable financial damage to a business since the average cost of a cyber-attack for an SMB was over $8,000 in 2015. However, that cost does not include intangibles, such as down time, loss of business, remediation and so forth, meaning that the actual cost to an SMB is possibly far greater – some even estimate it at an additional $10,000.

With the rise in accessibility for hackers to start using malware and ransomware services, businesses need to be aware of the risk they face. While SMBs are not necessarily at any higher risk of attack than larger enterprises, the concern lies in the availability of resources as well as employee education.

SMBs must make themselves completely aware of risks at hand. With this understanding, businesses can ensure that the correct focus is being placed on the areas in which they are most at risk.

With limited IT budgets and a shortage of skilled resources, SMBs should concentrate their spending on systems featuring as much automation possible or move to systems managed by others. This decreases the need for in-house human intervention and specialized training, allowing for higher levels of security without spending the money on large cumbersome systems.

The last thing an SMB needs is a complex security solution that draws heavily on its limited manpower, which could still result in sub-par security due to the vast majority of IT staffers lacking cybersecurity knowledge.

But even with an automated and managed security system, a business is still not risk free. To ensure the business has a lower risk level, education is key. SMBs must educate their employees about the possible risks they will face, an increasing difficult task as hackers make their scams more and more realistic.

The best place to start is email safety, since email is the place an employee is most likely to receive an attack. Employees should be taught to be wary of emails from unknown senders, as well as odd requests from known senders.

Hackers are able to create increasingly realistic looking email address and messages, so if the employees feel unsure about an email, they should not be opening it at all. Next, employees should be careful as to which links and attachments they interact with. Hackers often take advantage of links and attachments to spread their malware. One wrong click and the company is infected.

In 2015, Microsoft Office documents were the most popular attachments to leverage, accounting for over 70% of the Malicious File Attachments in email according to a Symantec report. This is not surprising given the popularity of Office within the SMB and corporate world.

There are also several other popular entryways for attackers. Unsecure websites are often used for attacks. These sites possess similar threats as do email attacks, especially through links or downloads.

Another popular attack comes through USB devices. Employees should be taught to carefully monitor their own USB drives and to keep an eye out for any new or unfamiliar USB drives. Another less known way attackers work is through notification pop ups disguised as updates. Updates should be regulated through IT and employees should be skeptical of update notifications they receive on their computers, especially from non-authorized applications.

If an employee believes that their computer or device is compromised, they should immediately bring it to IT’s attention so they can evaluate the situation. If an employee has any suspicion, even a small one, they should immediately stop work on the computer and bring it to be evaluated. It is better to have a false positive than an actual outbreak on the computer or within the organization.

SMBs face many challenges that larger enterprises will not, especially in regards to security, but that doesn’t mean that they deserve any less protection. Following these steps will ensure that SMB employees are educated and that SMBs are protected.

(About the author: Dotan Bar Noy is the co-founder and chief executive officer of ReSec Technologies. He has more than 10 years of management experience in technology and software companies. Prior to founding ReSec, he served as director at Issta, CEO of G.F.A. Systems, and CEO of "STUDENTS", as well as owning a strategic management and consulting company. He is a retired lt. commander in the Israel Navy)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access