A guide to cybersecurity for SMBs


Brian Wagner

Chief Technology Officer

1st October 2021

Why cybersecurity is important

Cybersecurity will always remain a pressing issue for businesses around the world, particularly when you put factors such as the 2020 pandemic and its turbulence for businesses into perspective, not forgetting the ever-changing cyber landscape and the new attack methods hackers keep adopting. 57% of SMBs have admitted to a breach, and 86% of organizations expect attacks to increase going forward, so you can never predict what will happen to your business landscape. That makes it important to be prepared and to have all the necessary security tools in place to stay secure.

Whilst we appreciate that many businesses push their efforts into their revenue streams and boosting growth, the importance of cybersecurity in protecting both of those goals can’t be overlooked. The risks of cyberattacks, data breaches and fines are as acute as ever, which makes getting cybersecurity basics and best practices in place essential for your SMB and its growth.

Stories from the frontline of SMB cybersecurity

Our consultants have been trusted advisors to businesses of all sizes. In the process of getting businesses to take their cybersecurity seriously, they’ve heard a range of objections and opinions on the matter. We present and fact-check the most common myths that our consultants have heard to help you understand the potential consequences of dismissing strong security measures. Some of these myths might have passed through your mind too, so read on to see why cybersecurity really is essential for SMBs.

Myth: “I’m too small to be a target”

Fact: Every business is at risk of cyberattack

This is a common misconception about SMB security. Many SMBs think that their smaller size or business sector means they’re less likely to be a target for hackers. However, you’re never too small to be a target for bad actors.

You don’t have to be specifically targeted to be hacked either; you could simply be collateral damage in a wider attack. One tactic that hackers use is to send out widespread, untargeted attacks, and without cybersecurity basics in place, your business could be caught out. To put it in perspective, this is how the NHS was caught out back in 2017 in what we now know as the WannaCry ransomware attack. It wasn’t directed at them, yet the NHS was still left crippled because of out-of-date IT security. Unfortunately, the same could very easily happen to your business.

Hackers constantly scan the internet for attack possibilities. Our own honeypot data showed that new systems put online can be found by malicious actors within just 0.3 seconds, which is less time than it takes you to blink. A hacker won’t care what kind of business you are, just whether you’re easily hackable.

Myth: “My employees are remote so security isn’t an issue”

Fact: Remote working creates new security vulnerabilities

Unfortunately, our consultants hear this myth more and more often. But remote working opens your business up to new cyber risks. Your staff are working outside the perimeter of your standard practices, which means you have reduced oversight. Your staff are no longer working from your office premises but in their own homes, on their own Wi-Fi, with limited access to reassurance from peers.

This is particularly relevant to phishing attacks, an attack style that jumped by 350% in 2020. Remote working means staff aren’t able to check a suspicious email with the person next to them before clicking, which ultimately leads to more security breaches.

Remote workers also rely more heavily on the cloud, but, worryingly, many businesses don’t verify that their cloud services are securely configured. There is also often a gray area over who is responsible for what under the cloud provider’s ‘shared responsibility model’, and this creates dangerous vulnerabilities in itself, because what falls to you is unknown and untested.

Myth: “I want to focus on growth right now”

Fact: Good cybersecurity practices help to power growth

Cybersecurity doesn’t have to be disruptive to your business practices; in fact, implementing security basics can be done without any impact on your operations.

Two key defense tools are penetration testing and VA (vulnerability assessment) scanning. Both are low-touch and are carried out by a third-party provider, meaning there’s no impact on your business activities. Likewise, training your staff is a basic but highly effective tool for securing your business, and only takes a few hours.

It’s also important to note that cybersecurity can actually help power your growth. It helps build your reputation amongst customers and suppliers through increased credibility. Consumers are increasingly aware of the importance of cybersecurity thanks to the GDPR and headline-hitting breaches, which is a key reason for making cybersecurity a priority for your SMB business.

Myth: “I don’t have budget for this – my revenue is down right now”

Fact: Cybersecurity is accessible for all businesses, even start-ups

Despite the benefits of good cybersecurity and the risks of ignoring it, our consultants regularly hear that budget is the biggest concern for SMBs. But key cybersecurity measures don’t have to be extortionate. Even on the Essentials package of Defense.com™, you can pay as little as £60 per month for a host of security tools, including VA scanning, staff training and a Cyber Essentials certification.

VA scans can make a huge impact on your security posture by quickly identifying your security weaknesses before a hacker does. Training your staff is also a great secret weapon to have, as your best defense against cyber threats is your staff. Staff who are proactively aware of security risks help you to prevent most opportunistic attacks.

SMB businesses can also certify with the Government-backed security standard, Cyber Essentials, as part of their Defense.com™ package. The certification covers 5 fundamental security controls that apply to businesses of any size.

Myth: “It doesn’t matter if I’m breached because I’m insured”

Fact: Cyber insurance is no substitute for strong cyber defenses

Insurance isn’t an excuse for not having security measures in place, particularly as it’s unlikely that your insurance would reimburse the entire cost of a cyber breach. A payout of any kind isn’t ever guaranteed either; there are instances where insurance providers haven’t paid out at all. The NCSC advises that insurance companies don’t pay out for “monies lost through business email compromise fraud”, which, you guessed it, is a clear description of the biggest form of cyberattack: phishing emails.

So although insurance might help you out with a small data breach, do you really want to spend your time and resources remediating the breach, not to mention dealing with any potential reputational damage? 33% of businesses have lost customers following a breach. So preventing the breach in the first place is better than counting on insurance to fix it, surely?

Myth: “Cybersecurity seems so complicated”

Fact: Getting started with security basics is simple enough

It’s actually simpler for SMBs to put cyber defenses in place because of their smaller infrastructure. For instance, greater use of cloud services, no legacy systems and fewer employees mean that adopting security measures is far less complex than it would be for a large enterprise.

Cybersecurity basics, such as a penetration test, don’t have to be complicated either. They are a great way to give you a clear overview of your security position and prevent malicious cyberattacks. For instance, the British Airways and easyJet breaches in 2020 that led to multi-million pound fines could have been avoided with a penetration test.

Why SMBs can’t ignore cybersecurity

There are various forms of cyber threat that could easily wreak havoc for an SMB, such as phishing emails, DDoS attacks, malware and ransomware. Put simply, if you haven’t got basic cybersecurity measures in place, then it’s not a case of ‘if’ you get breached, it’s a matter of when.

Plus, as we’ve covered already in this guide, the costs of a breach far outweigh the costs of putting basic security measures in place. Aside from headline-grabbing fines such as those for BA and easyJet, the ICO regularly fines SMBs and enterprises alike for breaches involving personal data. And don’t forget that a breach goes beyond financial repercussions. It can also devastate your reputation and lose you business, not to mention the possibility of having to close off parts of your business because of the disruption and investigation efforts. 57% of businesses who were hit by a ransomware attack didn’t have a business left to salvage, so post-breach havoc isn’t always temporary either.

How can you protect your SMB business?

For a modest investment of £60 a month with Defense.com™, you can cover all of the basics of your cybersecurity, as our Essentials package includes VA scanning, a Cyber Essentials certification and staff training. This will help prevent a significant number of opportunistic attacks against your business. All in all, the best way you can protect your business is to follow this guide:

1. Carry out an annual penetration test and a monthly VA scan

Pen testing and VA scanning aren’t time-consuming or gruelling for your business. Plus, they help you discover your security flaws before a hacker does. They’re more affordable than you might have thought, but the most important tip for your business is to make sure you act on the remediation advice offered. You wouldn’t ignore an audible warning in your office such as a fire alarm, so don’t ignore your consultants’ advice for protecting your infrastructure.

2. Train your staff

As we mentioned earlier in this guide, don’t look past the fact that your staff are your secret weapon. Training is a quick and cheap way of immediately boosting your security posture. You could have on-site or virtual training, but the end result is the same – vigilant staff!

3. Become Cyber Essentials certified

Having a reputable certification under your belt, such as Cyber Essentials, is a great way to highlight your credibility and build trust with customers, partners, suppliers and staff. It can also help you win new business, as you’ll be eligible to tender for government contracts. The scheme is backed by the UK Government and is a great first step for securing your SMB business.

4. Invest in endpoint security

With increased remote working and staff using their own devices, the chance that a device’s security isn’t up to scratch is high, which means having up-to-date endpoint security is a must. It’s a basic but highly beneficial step in securing your business, as it will protect you against a variety of cyberattacks.

5. Manage your GDPR compliance

Enforcing basic cyber controls within your business is also a great way to help your GDPR compliance. The GDPR sets the legal requirements for processing personal data, so it can’t be ignored. The fallout from a breach isn’t limited to business disruption; it also includes financial losses, fines, reputational damage, and even the loss of customers.


Hopefully this guide has helped you see that, when it comes to cybersecurity, there are real risks out there. But getting the right security measures in place can help your SMB business to no end. You’ll be in a better position to keep your business running smoothly and focus on growth. Plus, the reputational benefits of a good security foundation will show in increased business and trust, which is why it’s key that you care about your SMB’s cybersecurity.

Start securing your business today

Get in touch today to start your free trial of Defense.com™ and discover how we can help you take the stress out of your cybersecurity.