4 cybersecurity quick wins for SMB business owners

What does ‘good’ look like?

SMB-specific cyber challenges need SMB-focussed solutions. Despite over 90% of the world economy powered by SMBs, much of the cyber protection available is catered towards bigger organizations. This has traditionally made SMB security an expensive and difficult proposition. But it doesn’t have to be this way.

We’re going to look at 4 cybersecurity services that, when taken together, cover the key SMB requirements:

• Increase visibility of cyber risks
• Are highly applicable to SMB security weaknesses
• Easy to procure
• Make an immediate improvement to your security posture

4 quick cybersecurity wins

1. Recon scanning

Hackers begin their path to breaching your organization long before sending a phishing email or exploiting a security flaw. In fact the first step any cyber criminals takes is reconnaissance. Every business leaks a surprising amount of sensitive information that hackers find useful, such as what web assets, domains and ports are exposed, along with risks from web-based third-parties. Recon scans uncover this hidden information, allowing you to see through the eyes of a hacker and help you calculate your cyber risk. Recon scans are quick to run and are included in all Defense.com™ packages, so even the smallest start-up can get visibility of this unseen but important information.

2. Pen testing

No list of quick wins would be complete without penetration testing. It’s simply an essential cybersecurity service that no business, big or small, can afford to ignore. For SMBs in particular, penetration tests are low-touch and high value. It’s no wonder pen testing is mandated or recommended by every security standard and best practice guide you can think of.

SMB infrastructure is usually much less complex than mid-market or enterprise environments, and also tends to use more cloud services. This brings two key benefits to SMBs: it not only makes pen testing easier and quicker to complete, but it also means the remediations are easier to implement. SMBs: 1, Enterprise: 0.

The risk weighting applied to each uncovered vulnerability combined with the threat tracking dashboards in Defense.com™ make it easy to see at-a-glance which remediations need to be prioritized to get quick value – and effective defenses – from your pen tests.

3. Vulnerability scans (VA scanning)

Sometimes SMB business owners and IT managers think that because they’ve done a pen test, their scanning days are done for another year. These people couldn’t be more wrong. This actually ignores one of the biggest attack vectors: that of unpatched software. Missing security patches accounts for up to a third of all critical security vulnerabilities identified in penetration testing, so keeping on top of your patching is vital to keeping hackers at bay. Whilst annual penetration testing is a no-brainer, they’re point-in-time assessments, and new security patches come out each and every week.

The best SMB tactic here is to pen test annually and VA scan on a monthly basis – or weekly for the highest priority systems. This keeps on top of missed patches and shores up any security vulnerabilities until your next penetration test. This is another example of where SMBs have an advantage over larger organizations: scanning and patching is easier to do. And if you implement good patching regimes now, they’ll scale as your business grows.

4. Training

The last item in this list might surprise you. It’s not a technical service, management system or compliance standard. What it is, however, is easy to deliver and mitigates the risk of the largest attack surface in your organization: your workforce. Human error is responsible for more cyberattacks than anything else. And the way to secure the human is through training.

Many cyberattacks start with phishing, and even advanced cyber controls can be compromised by simple human error. This makes training your employees in the direct security consequences of their day-to-day actions a powerful cyber defense. It helps them contextualize and prioritize cybersecurity in their daily work life.

The word ‘training’ can conjure images of boring presenters with enormous PowerPoint decks, but modern security training is much more engaging – it has to be to be effective. Defense.com™ includes a series of online training videos covering key information your staff needs to know. With SMB staff multi-role-ing and stretched thin, online video delivery gives a range of advantages:

• Flexible, 24/7 access from multiple devices
• Easy for staff to fit training around their everyday jobs
• Unlimited access means the training scales with your growth