7 Security risks every SMB faces – and how to overcome them

SMBs are prone to security threats due to attackers deploying devious approaches, and a lack of visibility on resources needed to combat them. Check out our 2019 list of what risks you need to be aware of in your small to medium-sized business, and easy solutions for how you can overcome them.

In March 2019, Sophos commissioned a survey of 3,100 IT managers across the globe to understand the realities of endpoint security. The results surfaced some uncomfortable truths about the state of security today:

  • More than two-thirds (68%) of organizations say they were hit by a cyberattack in the last year
  • 63% of all attacks were on SMBs of 100-1000 employees.

At Konica Minolta, we take SMBs seriously. So here’s a simple guide to tell you the 7 biggest IT security risks you need to be aware of, and how you can stay on top of them to make sure your business isn’t compromised.

7 Security Risks for 2019

1. Happy Clickers: Your employees are your biggest challenge

Internal threats (whether inadvertent or deliberate) are the #1 risk to your business. Last year in the US alone, they made up 80% of all business cyber security incidents.

Why? Unfortunately in today’s digital world, people are the weakest link. Against our better judgement we can’t help click on email attachments even if we don’t know who they’re from, visit websites that have a good deal even though it all sounds too good to be true, and constantly use terribly weak passwords over and over because really, who has the time to remember different ones for every site and system!

But it’s this basic human nature that cyber criminals prey on, and if employees don’t always have proper training on IT security issues, that’s a flaw in your security armour that can easily be exploited.

The solution: staff training

It’s as simple as taking the time to make sure your employees are aware of what security risks look like: for example how to recognise a phishing email, or how to flag a suspicious website. Continue to raise awareness within your business by implementing regular communications around the latest cybersecurity threats – if resource is limited, set up a Google Alert or subscribe to your favourite media outlet to get automatic notifications.

2. Phishing: The most common type of cyber attack

Phishing is when cyber criminals impersonate brands, banks, vendors, even your own colleagues, to obtain sensitive information such as usernames, passwords, and banking details, or manipulate you into downloading malware or ransomware.

With over 135 million phishing attacks attempted every single day, it’s unlikely your business won’t be targeted. So how do you keep safe from these sophisticated attacks?

The solution: review your digital footprint

Attackers often use different sources available online to build up a profile of their targets – whether it be an individual or a business. They can take data from social media accounts, company websites, press releases and even company registration details.

Take a look at what information you have available online, reduce it where you can, and always be wary of a seemingly ‘out-of-the-blue’ request. There’s no shame in reconfirming details from your side before agreeing to share anything – just remember to check it with your own sources rather than responding directly to an email or calling back the same number.

3. Ransomware: The naughty child of phishing

We’ve just told you the dangers of phishing. But what happens when you do click a link or download a file from the wayward email? Chances are your computer will be infected with ransomware - malicious software that can infiltrate your whole company’s computer system, blocks access to it and all your data, and threatens you with harm.  The attacker then demands a ransom, with the promise that access is restored under payment, and the threat of otherwise losing that data for good, or having it published in public.

Ransomware became mainstream news in 2017, when in May the WannaCry ransomware rapidly infected hundreds of thousands of computers around the world, including many used by the NHS.

The solution: back up or pay up

Have a full offline backup of your system that is up-to-date and separate from the main network, so you can still access data should it be blocked.  If your system then becomes infected, you can reboot to safe mode, use anti-malware software to remove the malicious software, and restore your computer to a previous state.

PS – backing up once a year won’t cut it – have it scheduled regularly, and most importantly test it regularly. Otherwise it might be that your only option is to pay up.

4. Under-staffed and overworked: Expecting too much from your small team

A survey by the SANS Institute found that 55% of respondents only have one dedicated IT employee, and one dedicated cybersecurity employee. Around 40% of those SMBs report security events verbally, another 30% have a regularly scheduled formal meeting, and nearly 30% of them do not report events at all. Their staffing numbers are about half of what they consider to be ideal. But we know that you do what you can with the staff you have.

The solution: take the pressure off with AI

It can be hard to keep up with constant security threats without a large, dedicated, team, and whilst there’s no end in sight for threats to disappear, AI and machine learning can help level the playing field. Invest in tools that automatically detect and deal with low-priority cases, so that your valued resources can deal with the risks that matter.

5. Hidden attacks: How do you know you’ve been hit until it happens?

In the same SANS Institute survey, nearly 64% of respondents said they are unaware if they have actually been attacked. So one of the most significant challenges an SMB faces is recognising that you have been, or are being, targeted for a cyberattack.

A key element of an effective security strategy is to stop threats from getting into the business in the first place. Yet according to Sophos’ report, one in five IT managers are unaware how their most significant cyberattack entered their organizations. As a result they are unable to protect these entry points.

The solution: illuminate your company’s security blind spots

Choose security tools that proactively identify suspicious events - the focus should be on prevention rather than repair when it comes to security for your business. Not only does this minimise risk, it will show you where the attacks are getting in so you can make sure they’re plugged for the next time a criminal tries their luck!

6. Attacker dwell time: Fear of the unknown

Ok, so you don’t have proactive identification set up yet, but there’s no signs that you’ve been attacked so you should be fine, right? Well, on average it takes at least 13 hours before the most significant threat in an organisations environment is detected. In this amount of time, a cybercriminal can inflict significant damage, including extracting sensitive data, stealing credentials, installing money-stealing Trojans and ransomware, and more.

And that 13 hours? It’s the best-case scenario. In 17% of attacks, Sophos found that organisations don’t actually know how long it was in their environment before being discovered – and what damage was therefore done.

The solution: make security a part of your regular maintenance

You’re probably sensing a recurring theme now. Yes, invest in proactive tools, yes, get your employees up to speed, and yes, have a back-up ready. But none of this matters if your business doesn’t take security seriously.

That means it needs to be a part of processes, with regular scans, updates and consideration of the risks that new vendors, systems and tools may bring.

7. Cutting costs: It’s not cheap to be protected

Most security solutions are excessively expensive to purchase and maintain – and often work on a model more suited to enterprises, than SMBs. But, the costs of a security breach can be even higher (think about the costs of downtime, financial loss, legal repercussions, even your reputation).

The solution: find a vendor that understands your needs

For example Konica Minolta’s Workplace Hub is an all-in-one scalable solution designed for SMBs. Aimed at tackling the challenge of IT being a pain, rather than an asset, for businesses like you the Hub looks to simplify IT and only give you the tools you need, in one easily managed package.

For security, that means you get:

  • An anti-virus at network level, plus email anti-spam and virus protection
  • The inclusion of Sophos XG Firewall for Unified Threat Management
  • A world-leading secure server from HPE
  • 24/7 proactive management tools and remote monitoring of your entire infrastructure
  • Full data storage and back-up management tools

Sounds good? Sign up to speak to a sales representative today: SIGN UP HERE

Or if you’d like to find out how else you can maximise your IT, read our free whitepaper here