Protecting the SMB: 3 Misconceptions

I was just leaving my Birds of a Feather roundtable discussion at the recent RSA conference when I saw the following tweet from BlackBerry’s VP of Threat Intelligence about cyberattacks targeting small- and medium-sized businesses (SMBs):

He references a Wall Street Journal article that poses the question: Why do small businesses struggle with an increasing number of cyberattacks? Part of the problem, the article says, is that “they don’t believe they are targets, so they don’t make security a priority.”

Why do many SMBs still believe nation-states and criminal hackers only go after “the big dogs”? There is plenty of evidence to the contrary.

Let’s explore three misconceptions that exist in this area and what we can collectively do to address this challenge. One thing is for sure — if we don’t work together to solve the issue of SMBs being targeted by adversaries, those adversaries will leverage that failing to their advantage.

Misconception #1: “We don’t have anything an adversary would value.”

During my Federal Bureau of Investigation (FBI) career, important lessons were thrust upon me. One of them was that almost no one believes or expects they will be a victim of crime. This misconception places small- and medium-sized organizations in peril when it comes to cyberattacks.

Many SMB leaders believe they have “security by obscurity” or that they can “fly under the radar” of ravening cybercriminals and acquisitive nation-states. “What could we possibly have that is of value to cybercriminals? Why would they want our data when there is a sea of enterprise organizations to attack?”

Here’s one answer: Online extortionists increasingly want your data because you need it. And if they encrypt or steal the information or cripple the systems you need to stay in business, odds are you’ll pay to get it back. This is the motivation behind ransomware attacks.

To cybercriminals, you’re not just a regional advertising firm, a manufacturer in an office park, a grade school, or a group of medical clinics. You are a target and a potential payout.

Misconception #2: “I’m an insignificant player.”

Many smaller organizations fail to realize their critical role in the supply chain.

Consider the following scenario: Your company makes a proprietary part or material for the aviation industry. State-sponsored hackers interested in industrial espionage have several reasons to target your operations:

• They want to steal your data and designs for their own strategic or financial advantage, imperiling your future success and profits.
• They want to hijack your legitimate access to the IT network of a major commercial, military or government partner, which may be their ultimate target.
• They know you invest very little in security, compared to the “big fish” they’re after. Compromising your organization’s network to get access to the larger organization is easier than going after their target directly.

Cyber threat actors have been using these tactics for years, punctuating the importance of raising awareness among SMBs and mid-market companies. Recent headlines make it almost impossible not to have noticed the supply chain attacks against SolarWinds, Kaseya and Okta.

All these events should give an SMB pause to consider who they partner with and whether that trusted relationship could make them a potential cyberattack target. I wrote about the importance of cybersecurity across the supply chain in an earlier column this year.

Misconception #3: “As an SMB, I can only afford firewalls.”

Many SMBs have significant financial and talent constraints requiring them to be laser-focused on productivity, growth and sales. They typically put up a firewall, deploy traditional anti-virus protection, and hope they are covered. In a world where threats are constantly changing and cybercriminals are adopting advanced nation-state tactics, that is no longer a viable approach.

Many SMBs throw up their hands because it is difficult and expensive to attract and retain cybersecurity talent. A lack of in-house expertise and staff can no longer be accepted as a cybersecurity roadblock, regardless of the size of one’s enterprise.

Steps to Better Cybersecurity for SMBs

There are several ways to achieve a stronger security posture, even with limited resources. Here are a few ideas to start:

• Find out where you stand by benchmarking your security against the five core principles of the NIST Cybersecurity Framework. These principles are: Identify, Protect, Detect, Respond & Recover. You can’t address deficiencies you aren’t aware of.
• Enable multi-factor authentication (MFA) wherever possible within the organization.
• Consider a managed extended detection and response (MXDR) subscription. XDR can allow enterprise-wide security awareness and proactive capabilities to repel attacks, but it can be complex and expensive to implement for any size business, let alone an SMB or mid-market player. Managed XDR can be an easy-to-implement option that relies on third-party experts to manage the complexity for you, delivering the benefits without the disadvantages.
• Consider implementing zero trust network architecture (ZTNA) to harden networks and reduce cyber risk. This is another area that can tax the resources of an SMB, so you may want to call in help and lighten the load on internal teams. Implementing Zero Trust as a Service could be an approach worth looking into.
• If in doubt, consult a reputable managed security service provider (MSSP) and ask them to do an assessment of current defenses to identify potential risks.

The last thing I’ll stress again is the fact that we are all in this cyber fight together. If you’re in an enterprise organization, help bring SMB vendor partners along the path to better security. That consideration, more than anything else, could keep your own organization from being breached.