SMB security: The challenge to secure SMBs (small and medium-sized businesses)
SMBs and the MSPs serving them face a challenge: SMB security needs to be just as effective as enterprise-level software, but the tech needs to be easy enough for one person to implement and manage.
Updated December 24, 2024

Small & medium-sized businesses (SMBs) today are under attack from malware, ransomware, external threats and data breaches. But SMB security has a problem: it's a challenge to secure SMB access while balancing easy implementation and lower costs with protection against sophisticated attacks.
Learn how SMBs, and the managed service providers (MSPs) servicing them, can get big business protection in terms of focus and effectiveness, but with SMB sensibilities in terms of implementation and use.
A tour of any modern SMB office highlights how IT security solutions are critical to business success.
Case in point: what would success look like for your organization without email, communication systems, productivity applications, and enterprise tools? These support everything from organizing processes to reporting on financial data. And yet despite this, many in the C-suite still see IT security as an unwelcome cost instead of an enabler of business solutions.
The verdict is clear: effective IT security impacts SMBs' bottom line.
Today any SMB can quickly adopt a new technology to gain new capabilities, improve efficiency, and/or reduce costs. However, each new application creates a need to secure SMB users, data, and the environment that the solution integrates into.
SMB teams who treat access security as an onerous requirement that is invoked each time a new technology is contemplated will be slow to adopt — and slow to profit from — new efficiencies.
SMBs that build effective IT security frameworks can move more quickly and surely than their competitors. Environments without effective IT security solutions will have difficulty innovating and are likely to fall behind more nimble competitors.
Firstly, this is not about spreading FUD (fear, uncertainty and doubt). According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.
SMBs are a lucrative target because most do not have sufficient defenses in place to protect, detect or react to attacks.
The Verizon Data Breach Investigation Report highlights how the attack surfaces at SMBs and enterprises share more in common than ever before, thanks to widespread use of similar services and infrastructure.
It’s not so much any one of these exact reasons: lack of resources, lack of expertise, lack of information, lack of time, lack of training, although they are all very relevant and real. The common reason SMBs are seen as an easy target is that there is a “lack of something.”
SMBs have already made an investment in their existing systems and technology. They want to avoid onboarding a single solution that requires an overhaul to the whole infrastructure, updating storage, or updating the operating system.
The challenges are also becoming more and more complex. Organizations need to deploy security solutions that extend to remote locations and cover roaming and mobile users. For those customers that are located in a distinct geographic region, the problems are often just as complex. They have partners, consultants and supply chains that extend beyond the traditional network perimeter and make things even harder to defend.
Most small and medium-sized businesses do not have a sizable IT team. Security solutions with stickiness tend to be simple to implement and intuitive to manage.
Smaller businesses are understandably focused on being operational from day to day, so they can serve customers, keep the business going and pay their staff. Medium-sized businesses often lack buy-in from management, who need to be better educated on the dangers in order to make this a priority and to offer the resources and training IT needs to fulfill its security role. It’s not just about money. Cybersecurity perspectives are available to assist the SMB, but it takes time.
An effective security stance should go beyond merely “raising the shields” around users, data and networks.
But today most SMBs focus on protective security such as antivirus, patch management, email or web filters, application whitelisting and perhaps an intrusion detection system or two-factor authentication (2FA) for your most privileged accounts.
There’s nothing wrong with this. These are obvious protection and prevention steps you should take, but it’s not enough to just put the barriers up.
Despite best efforts, compromise will continue to exist. Attackers improve and look for new ways to take advantage, and the problem is that no one is detecting this. And if no one is detecting, no one can respond.
In fact, sometimes the challenge with a breach is to know it even happened at all. According to IBM's 2024 Cost of a Data Breach Report, it takes on average 194 days to discover a breach.
The best protective strategy therefore needs to be validated over time. "Detect and react" should be used to ensure preventative measures are working. That is, spotting and reacting to abnormal or suspicious activity.
The “lack of something” in SMB security resources often leaves IT admins to restrict MFA, if present at all, to privileged accounts.
While each organization has a different balance, you’ll reduce risks by extending security as far down the “non-privileged” path as possible. The real value of MFA is to protect any account with access to critical data, applications and systems.
And that’s perfectly attainable for SMBs. MFA is dogged by common myths, such as that it’s too costly, complex or frustrating for SMBs. But MFA has evolved dramatically. With the right solution, you can implement customized, granular MFA that helps you strike the right balance between employee productivity and security.
But don’t stop with MFA. While spending all your (limited) time trying to monitor every last bit of the network is a failing proposition, there are other ways to automate preventative measures.
Monitoring in and of itself is a pretty costly mode of operation; it requires significant IT time and resources to put proper detection mechanisms in place, will likely raise an initial set of false positives that need to be fine-tuned, and necessitates reports and meetings to ensure the detection is actually working.
All small and medium businesses battle against lack of time and resources. They are far better off running and monitoring solutions that offer automated controls in addition to threat identification and real time response.
In short, should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done (and not only when IT intervenes).
So how does a secure SMB build an approach that safeguards their organization, users and data?
Firstly, security solutions for SMBs, and the MSPs servicing them, should not be any less effective than they are for an enterprise client. The data is no less sensitive, the disruption no less serious. They need enterprise-caliber defense in terms of focus and effectiveness, but with SMB sensibilities in terms of implementation and use.
Look to add layers, like MFA, to your SMB security strategy. Putting a layered defense in place maximizes your chances of stopping a threat before it starts.
Solutions that just offer information result in the need to hire a watchdog. Choose intelligence and insights that can help spot and stop a breach.
Should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done — not only when IT intervenes.
Most small and medium-sized businesses do not have a sizable IT team. Security solutions with stickiness tend to be simple to implement and intuitive to manage.
SMBs cannot take a lot of false positives. There's no time to chase 50 alerts a day.
Solutions that work alongside existing infrastructure don’t frustrate IT teams.
If security overwhelms and stifles productivity, users can’t do their job and the solution is already dead on arrival. Security should be behind the scenes, protecting the users and the environment until the moment the user is truly conflicting with security protocol.
If you agree with the "when" not "if" premise, then you already know your security strategy is incomplete and requires more investment. Security doesn’t have to come at a high cost — but it does have to be effective in relation to its cost.
Logons provide one of the clearest indications of potential compromise. They are the one common activity across nearly all attack patterns and are often effortlessly compromised. It only takes a careless employee to share a password or leave a workstation unattended. Even the most careful employee can be exploited and become the victim of stolen credentials.
With UserLock MFA and contextual restrictions, IT teams can make sure authenticated users are who they say they are, even when credentials are compromised. Logon attempts that don’t satisfy the second authentication factor, along with any established restrictions, are automatically blocked before any damage is done. Risk detection tools alert on other suspicious activity, offering IT administrators the chance to instantly react. Working alongside Active Directory, UserLock extends SMB security far beyond group policies and native Windows functionality.
"UserLock is simple to install, easy to configure and offers a level of protection that all small, medium and large businesses should be implementing as part of their security roadmap."
- Ricky Magalhaes, WindowSecurity.com