Overconfidence and 7 Other Deadly SMB Cyber Security Sins

A gap seems to be forming between what businesses believe about their cyber resiliency and the reality of the situation. Actually, calling it a gap may be underselling it. In its report titled Cyber Security: Can Overconfidence Lead to an Extinction Event?, Solar Winds found 87% of businesses rate their cyber security defenses as “average or better.” At the same time, just shy of three-quarters (71%) of those same businesses admitted to suffering at least one breach in the last year, far higher than the 29% who said the same in the previous year’s study. Those points certainly appear to be at odds with each other. However, overconfidence isn’t the only character trait that could lead businesses down a dangerous path.

Organizations of all sizes must not allow bad habits to creep into their approach to cyber security. This becomes even more critical in the SMB space. Attackers look for the path of least resistance. Most will happily take a handful of small, easier wins over fighting tooth and nail to get a big one. Enterprise-sized businesses, with their large Security Operation Centers and innovative security solutions, don’t make for “easy wins.” SMBs, on the other hand, just might.

Overconfidence is just one cyber security “deadly sin” that could make an SMB an attractive target. Let’s look at seven other shortcomings highlighted by Solar Winds’ and see what SMBs can do to avoid them.

• Inconsistency – Cyber security policies can be time-consuming to enforce, they’re often unpopular and they are tempting to put off. In fact, the Solar Winds report found 43% of respondents admitted to enforcing policies only occasionally. To remedy this, SMBs should enlist a partner who can assess their needs and limitations and then help craft a suitable security architecture.
• Negligence – The easiest path into an organization often runs through end users, but few organizations are reinforcing that weakness. Just 16% of businesses have placed an emphasis on increasing user security awareness through regular anti-phishing campaigns, etc. SMB teams struggling to perform end user training should look to an outside organization capable of lending a hand. Particularly, SMBs should look for pre-built, yet customizable, training routines that simulate the types of threats their users are likely to encounter in the wild.
• Shortsightedness – The argument for security investments boils down to “spend more now, save big later.” This lack of immediate ROI can make it tough to wrangle support for security expenditures. In the report, there’s plenty of diversity among the most common security solutions. SMBs can overcome this by projecting the costs of a breach using similar cases for context.
• Complacency – This post has already addressed the notion that “good enough is enough.” Remember those nearly nine-in-ten SMBs that rated their cyber defenses as average? If we drill deeper into the idea of cyber defenses, information is one of the best weapons against attackers. However, 51% of those surveyed described their reporting as merely “adequate.” For some SMBs, the idea of building anything greater, such as a truly “robust” reporting capability, in-house can seem daunting – or out of their price range. On the other hand, this could be another example of functionality best offloaded onto a capable outside organization.
• Inflexibility – A data breach doesn’t have to trigger a total tear down of an organization’s security infrastructure. Instead, it should show organizations where they could stand to improve. Yet, only 44% of organizations took advantage of the learning experience and rolled out a new technology. Meanwhile, just 41% changed their processes. Post-incident is a great time to push for upgrades. SMBs must seize this unfortunate opportunity to understand what went wrong and make a case for improvements.
• Stagnation – Adoption of widely accepted best practice security techniques also left something to be desired according to the report. Of the top nine most common prevention techniques, not even one was being used by more than half of respondents. Strategies like full disk encryption (43%), restriction of admin rights (42%), and user event logging (41%) had the broadest deployments recorded. If it’s a question of resources, some of the techniques included in the top nine are deployable at no cost, leaving little reason to omit them.
• Lethargy – Every second counts during a cyber security incident. Obviously, the sooner security personnel can catch, quarantine, and resolve an issue, the better. Yet, across the board, businesses have seen security reaction times slow. Per the report, detection times rose for 40% of those surveyed, response times increased for 44%, and resolution times went up for 46%. This shows far too many organizations are heading in the wrong direction. In cases where there aren’t enough onsite eyes, an SMB may want to work with a Managed Security partner capable of guaranteeing better times as part of a service level agreement.

Next steps: Raising your game regardless of organizational size

Want more of Arraya’s security insights for SMBs? Check out our new whitepaper Simplifying Cyber Security for Small and Midsize Businesses. This document collects Arraya’s experiences plus those of industry thought leaders. The result is a comprehensive look at the strategies and solutions SMBs can count on to stay safe.

If you’d like to discuss how Arraya’s Cyber Security team can address any of the above “deadly sins,” we can be reached by visiting: https://www.arrayasolutions.com//contact-us/. You can also leave us a comment on this or any of our blogs on social media. We can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us so you can keep up with our industry insights and learning opportunities.