SMBs can obtain advice about cybersecurity quite easily from a plethora of resources. Getting their hands on practical technology solutions is, on the other hand, more of a problem, as they are often greatly constrained by their budget. Still, there are solutions within their reach.
Extreme risks shouldn’t be left unaddressed, because cyberattacks against SMBs are too common and attackers still successfully exploit human weaknesses, primarily via email.
Attacks via email can escalate into malware infections and other incidents that lead to financial loss, identity threat, and loss of access to IT assets. Security fundamentals will fall into the following buckets (and email security cuts across several):
Trouble is brewing if any of those categories have inadequate controls. A successful attack via email can rapidly lead to compromised access control, exfiltration of protected information, and can adversely impact network stability and mission critical system operations. We know this because it happens every day, despite current SMB cybersecurity strategies.
Risks persist in every inbox. The question is what an SMB can realistically do to adequately identify their risk level and plan for when an incident occurs.
There are a variety of templates and formulas for calculating risks, and they can serve as a guide for assessing whether an SMB’s existing controls are adequate to safeguard the confidentiality, integrity, and availability of its assets.
Take a moment to map your risks according to the chart below.
It’s unlikely that an SMB will get a “green” on all aspects. It’s not for lack of trying or knowledge – it’s just unrealistic for a small organization to be constantly on top of everything or to have that capacity.
It shouldn’t take very long to determine that network security is an extreme risk if it’s not well controlled. You may have an EDR system or basic spam filtering, but threat actors are inventive and are continually developing new methods of attack.
It’s unrealistic to expect SMBs will keep pace to reliably prevent every new line of attack, but it makes sense for IT teams to consider new approaches that provide an affordable defense-in-depth strategy.
Most of what you should be doing involves people and their awareness of security issues, the systems that they use, and how much of a risk inexistent or inadequate controls present.
If you have identified the risks but don’t know where to start, know that there are services customized for SMBs and financially structured to meet tight budgets. One practical and immediate starting point is the Small Business Administration, a centralized information hub that will practically guide you through the whole process.
There are services that can serve as fallbacks to incomplete or missing technical controls or add an additional and effective layer of defense should existing controls fail.
There are two new ways to extend your protection: email security services and cloud service provider (CSP) subscriptions that operate from within the (external) network before threats pass through the enterprise perimeter. These relative newcomers to the cybersecurity marketplace are receiving accolades from industry watchers for taking novel approaches to email security and/or malicious network traffic.
Because malware and other threats pass over the wire through their systems, CSPs are positioned as the ultimate security fallback should all else fail. Network-based protection can detect phishing attempts and block malware activity (such as bots), even if an SMB has inadequate controls within its self-managed systems.
Along with security awareness training, these solutions can reduce the overall likelihood of a security incident. More importantly, they have become accessible to SMBs. These systems are low cost, scalable, and provide centralized security notifications and reporting.
SMBs can’t always do everything that the experts recommend for securing their networks, but a risk-based, deliberative approach that considers the need for fallbacks will increase safety. Partners, including CSPs, have services that are intended for security challenges facing SMBs and can help address shortcomings with proven effectiveness.