A study analyzing millions of emails across thousands of companies found that, on average, employees in small businesses with fewer than 100 employees experience 350% more social engineering attacks than employees in large enterprises. 57% of those attacks are phishing, the most prevalent form of social engineering in 2021.
Add to that that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach report, the average global cost is now a staggering $4.35 million.
Larger companies generally have larger security budgets, so they are targeted less often than smaller companies, whose lower budgets make them more attractive to cybercriminals. This means that for small and medium-sized businesses (SMBs) – with fewer resources and less money – protecting against cyberattacks is now a matter of survival.
Ease of attack isn’t the only reason criminals go after SMBs. SMEs are often used as an entry point for attacks on larger organizations in the same supply chain. Those large companies can be crucial partners, suppliers or customers of the SME, which makes the SME a prime target.
But with effective cybersecurity measures, every business, regardless of size, can protect itself and its network.
Foster the culture of safety
One of the easiest ways to start protecting a business from bad actors is through training, but that alone isn’t enough. Organizations must go beyond training to instill a security mindset that transforms their largest attack surface into a vital defense force.
The hybrid workplace has changed the corporate security landscape, with the ONS reporting that nearly half (42%) of employees work primarily from home. This means that many now use their devices and internet connection at home or over an open network, such as in a coffee shop. Essentially, the cyberattack surface has increased, creating a prime environment for phishing and ransomware attacks.
SMEs must ensure that employees at all levels of the company are aware of the security measures needed to keep the company secure. A good starting point for security managers is to use the resources provided by the National Cyber Security Centre (NCSC) to implement general phishing and security awareness training, for example on staying safe on personal devices or over a VPN.
However, this should not be a generic email asking employees to complete a course. Training should be engaging and relevant to each employee’s role. In fact, a Fujitsu report – Building a Cyber Smart Culture – found that 74% of non-technical staff say they don’t find their training interesting enough, with 35% saying their training is too technical or boring.
Implement effective technology as a business strategy
The Fujitsu report also revealed that 54% of senior executives struggle to keep their security policies in step with the changing threat landscape due to remote and hybrid working, exposing businesses to cybercriminals.
Therefore, the response to growing risks cannot rely solely on training, because no human is infallible. A modern security plan for an organization must also incorporate technical safeguards and procedures that act as a barrier against cyber threats.
This means that SMEs should consider implementing a layered technology approach as part of their business strategy. An example of this is multi-factor authentication (MFA), which is essential for companies whose employees work from anywhere.
MFA is a key part of Zero Trust – the idea that companies should assume there will be a breach and as such should constantly verify that a user and their device are authorized to access sensitive data.
This form of authentication is advantageous because even if a hacker or unauthorized user guesses a password or buys one on the dark web, they are still very unlikely to get past the additional authentication factor. It’s an investment that pays off: IBM’s report also found that companies that have not deployed Zero Trust incur an average of $1 million in additional breach costs compared to companies that have.
Another way to take the security strategy a step further is to add another layer of technology. By implementing Conditional Access (CA), SMBs can make it even more difficult to breach the security perimeter. CA is a powerful security technique with which an organization can configure and fine-tune access policies using contextual factors such as user, device, location and real-time risk information, controlling what a specific user can access, and how and when that access is granted.
CA is a more robust system that can compare a current connection request to past connections to determine if the new connection request is genuine. For example, if someone logs in from London and then logs in from New York an hour later, conditional logic can establish that this is physically impossible and flag the login as suspicious. Then, depending on the rule, the attempt can either be blocked or the user is prompted for an additional authentication request before access is granted.
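The impossible-travel rule described above, as an added illustration that is not code from the original article or from any Conditional Access product: the sign-in event format, the 900 km/h plausibility ceiling and the policy names "block" and "step_up" are assumptions, and the sample sign-ins are constructed.

```python
# Added example: impossible-travel check of the kind a Conditional Access policy
# applies. Event format, speed threshold and policy names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed


@dataclass
class SignIn:
    user: str
    at: datetime          # timezone-aware timestamp of the sign-in
    lat: float            # approximate coordinates, e.g. from IP geolocation
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would need to travel between two consecutive sign-ins."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600
    if hours <= 0:               # out-of-order or simultaneous events
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def decide(prev, cur, on_impossible="step_up"):
    """Apply the rule: 'allow', or the configured action for impossible travel."""
    if required_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        return on_impossible     # 'block' or 'step_up' (extra MFA prompt)
    return "allow"


# Constructed sample sign-ins: the article's London-then-New-York case,
# plus a plausible London-then-Manchester trip for comparison.
LONDON_0900 = SignIn("alice", datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc), 51.5074, -0.1278)
NEWYORK_1000 = SignIn("alice", datetime(2023, 1, 10, 10, 0, tzinfo=timezone.utc), 40.7128, -74.0060)
MANCHESTER_1200 = SignIn("alice", datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc), 53.4808, -2.2426)

if __name__ == "__main__":
    print(decide(LONDON_0900, NEWYORK_1000, on_impossible="block"))  # block
    print(decide(LONDON_0900, MANCHESTER_1200))                         # allow
```

The London-to-New York pair needs roughly 5,570 km/h, far above the ceiling, so the configured action fires; the Manchester pair needs under 100 km/h and is allowed.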
Everyone has a role to play
The disruptions of recent years, combined with the rising cost of living, will lead to a rapid increase in cybercrime. That’s why SMEs can’t afford to choose between a multi-layered technology approach and training to secure the business. They must protect their assets with both technological (advanced) and training-based (proactive) measures, bringing everyone in the company together in a unified security strategy.
This strategy also requires cybersecurity leaders to work more closely with other parts of the business to understand their unique pain points and potential misunderstandings. Because a business, no matter how small, can only keep cybercriminals at bay when it adopts a collective security posture.