Historically, small and medium-sized businesses (SMBs) have assumed that they are too insignificant for threat actors to care about. This is an increasingly dangerous assumption. The latest government figures suggest that 58% of small businesses and 70% of medium-sized businesses suffered a breach or cyber attack over the past year. Many more may have been compromised but not yet discovered.
However, this doesn't mean it's game over for UK SMEs. They may be short on money and resources, but there are many options available, particularly the growing number of channel companies that now specialize in managed security services (MSSPs). The key will be finding the right one.
UK Channel Director at Trend Micro.
Misconceptions and misjudgments
SMB security strategy is often based on a common set of misconceptions about the threat landscape. The first is that your data is not valuable to hackers. In fact, there are several ways threat actors attack and monetize data held by smaller organizations. Ransomware groups regularly mine intellectual property and customer/employee information to sell on the dark web and use as leverage to extort their victims. The research reveals that in the first quarter of 2024, almost a third (31%) of corporate ransomware victims were companies with fewer than 100 employees, and three quarters (74%) had fewer than 1,000.
Threat actors could also target SMBs in specific industries, such as legal, for the highly sensitive data they possess on customers. Or they could break into a smaller company in a springboard attack to reach a higher-value customer or partner. The threat comes not only from financially motivated cybercriminals, but also from agents of nation states. The result? UK SMEs saw a 37% increase in cyber threat alerts in 2023 compared to 2022. And almost four in 10 lost data.
SMB owners might also mistakenly assume that insider threats are something that happens to larger organizations. They would be wrong if they did. Almost a third (30%) of UK SMEs lost data due to user error in the last 12 months, and 27% due to disgruntled employees. The problem of user negligence and error is exacerbated by the lack of regular security training. According to the government, only 30% of small businesses and 52% of medium-sized businesses have held sessions in the last 12 months.
Beyond AV
Another common misconception is that a simple endpoint AV is enough to protect modern SMBs. In fact, the world of cybercrime is an increasingly sophisticated place, with packaged service offerings that give would-be hackers all the tools they need to carry out large-scale phishing and ransomware campaigns, bypass multi-factor authentication, launch brute force attacks and more. There is an endless stream of stolen credentials reaching underground markets to fuel account takeovers. And specialized initial access brokers (IABs) sell ready-made access to corporate networks.
All of which means that SMBs need defense in depth that covers all layers of their IT infrastructure, from the email inbox and endpoint to networks, identity systems and cloud environments. They need not only protection tools to block as many threats as possible, but also detection and response capabilities to find and contain threats that slip through defenses. And they need to manage risk in extended supply chains.
Unfortunately, as the government's breach survey reveals, adoption of such tools and approaches is not yet where it should be. Supply chain security was adopted by just 29% of UK medium-sized businesses last year, while incident management (69%) and vulnerability management (59%) should ideally also be higher.
Choose the right partner
One final misconception that could impact SMB security is that a small generalist IT team can handle everything on its own. The truth is, as long as threat levels remain high and small businesses continue to invest in digital systems to become more agile and competitive, they will need help with cybersecurity. The challenge for those with fewer resources, at a time of a pronounced global skills shortage, is finding the right talent.
This is where the IT channel comes into play. The market is full of MSPs and MSSPs that can help smaller businesses bridge skills and capabilities gaps with value-added services. In fact, it is a rapidly growing global market. According to one estimate, SMB cybersecurity will be worth $90 billion by 2025, with managed security services accounting for a third. But having more options arguably makes it even more difficult to find the right partner.
SMEs should carefully consider their requirements and budget before evaluating the market. As always, it pays to turn to reputable providers with good customer testimonials. It may be helpful to talk to the provider's customer base proactively rather than reading references provided by the MSSP. A potential vendor should also have strong partnerships with reputable security providers.
Managed detection and response (MDR) is an increasingly popular option, and with good reason. It provides proactive detection and response to find and contain threats before they have a chance to cause harm. All the heavy lifting is done by the vendor or MSSP, allowing SMBs to benefit from enterprise-grade security operations (SecOps) capabilities without paying enterprise prices. Look for vendor partnerships backed by global threat intelligence, meaning zero-day vulnerabilities can be quickly patched before anyone else.
Today's SMEs are firmly in the crosshairs of global threat actors. But help is at hand, if you know where to look.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.