6 bad cybersecurity habits that put SMBs at risk
It’s a low-cost, relatively easy attack tool that can be readily deployed against SMBs. “Ransomware as a service (RaaS) can be simply bought or deployed, with little technical know-how,” Milbourne tells CSO. As a result, SMBs are not setting aside sufficient resources, leaving them poorly protected. “Reframing how SMBs think about ransomware and putting policies and technology in place to better protect themselves is critical to avoid falling victim.”
If they do suffer an attack, businesses need to call on expert support to help manage the situation, especially given that making a payout is by no means a guarantee of recovering data.
There are some sobering statistics on the impact of an attack. US small businesses paid over $16,000 in ransoms last year, according to the Hiscox Cyber Readiness 2023 report. “Ransomware is costing small businesses in a big way,” says Christopher Hojnowski, VP and product head of technology and cyber at Hiscox insurers, who works with over 600,000 small businesses across the US.
Only half of surveyed businesses that paid a ransom ended up getting their data back, while half had to rebuild systems. In addition, a staggering 27% were attacked again, and another 27% were asked for more money, the survey found. “It’s certainly not recommended to pay the ransom,” says Hojnowski.
3. Viewing cybersecurity as just a technology problem
Cybersecurity can’t be addressed with technology alone and in many ways it’s a human problem, according to Sage. “Technology enables attacks, technology facilitates preventing attacks, technology helps with cleaning up after an attack, but that technology requires a knowledgeable human to be effective, at least for now,” they say.
This feeds into two related problems: a lack of budget, and nobody with dedicated responsibility for cybersecurity. “These are significant challenges for SMBs, leaving them without guidance on compliance frameworks and a clear direction, and reliant on providers for support,” says Iqbal.
Iqbal recommends that SMBs always look to government resources for guidelines and best practices, and at least start with the basic protections those resources recommend. In the US, for example, the Small Business Administration and the Federal Communications Commission both have information and resources, while the UK’s National Cyber Security Centre has guidance and the Global Cyber Alliance (GCA) also has a small business toolkit. The Australian Signals Directorate also has a guide for small business.
Sage adds that, as most businesses use Google Workspace or Microsoft Office 365, the respective knowledge bases are a wealth of information. Outside of these platforms, look to local sources of guidance. “There are also local community colleges, town and county small business centers or economic development departments, and state commerce departments should also be able to connect you to cybersecurity resources,” Sage tells CSO.
4. Not employing good cyber hygiene
Adopting good cyber hygiene habits should be a no-brainer, although in practice it is hit and miss. For instance, allowing the use of weak passwords is all too common, according to Iqbal. He has also found instances where the default password for logins has never been changed, or where every security server has been given the same password with no separate administrative password. “The admin account is the most lucrative account threat actors are looking to compromise. It just takes one compromise and then the keys to the kingdom are flung open to all your potential threat actors,” he says.
Backups are widely deployed, but SMBs often overlook the importance of backup testing. If the business suffers an attack and the backup fails, it can be catastrophic. “You want to be able to recover and mitigate damage from a threat attack and that means having a reliable backup that’s been checked to ensure it’s not corrupt or doesn’t have any other issues,” Iqbal says.
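The kind of backup check Iqbal describes can be automated. The script below is an added example written for this article, not code from CSO or from any of the people quoted: it records a SHA-256 manifest when a backup archive is made, then proves the backup is restorable by extracting it into a scratch directory and comparing every file against the manifest. The file names, directory layout and corruption scenarios in `demo()` are constructed sample data, and the helper names are hypothetical.

```python
"""Backup verification: a manifest of SHA-256 hashes is written alongside the
archive, and verification performs a real test restore into a temporary
directory rather than trusting that the archive merely exists.
All sample data below is constructed for the example."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its hash."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(src: Path, archive: Path) -> dict:
    """Create a gzipped tar of src and store the manifest next to it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def _safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Use the 'data' extraction filter (blocks path traversal) where the
    interpreter supports it; older Pythons lack the keyword."""
    try:
        tar.extractall(dest, filter="data")
    except TypeError:
        tar.extractall(dest)


def verify_backup(archive: Path) -> dict:
    """Test-restore the archive and report problems as {path: reason}.
    An empty dict means the backup restored cleanly and matched the manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    problems = {}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                _safe_extract(tar, tmp)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # Truncated or corrupted archive: nothing else is worth checking.
            return {"<archive>": f"unreadable: {exc}"}
        restored = Path(tmp) / "data"
        for rel, expected in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems[rel] = "missing"
            elif sha256_file(p) != expected:
                problems[rel] = "hash mismatch"
        for rel in set(build_manifest(restored)) - set(manifest):
            problems[rel] = "unexpected file"
    return problems


def demo() -> tuple:
    """Constructed scenario: a clean backup, a tampered manifest entry,
    and a truncated archive. Returns the three verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "notes.txt").write_text("quarterly plan\n")
        archive = Path(tmp) / "backup.tar.gz"
        make_backup(src, archive)
        clean = verify_backup(archive)

        # Simulate a file whose content no longer matches what was recorded.
        mpath = manifest_path(archive)
        manifest = json.loads(mpath.read_text())
        manifest["notes.txt"] = "0" * 64
        mpath.write_text(json.dumps(manifest))
        mismatch = verify_backup(archive)

        # Simulate media corruption by cutting the archive in half.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        corrupt = verify_backup(archive)
        return clean, mismatch, corrupt


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered manifest", "truncated"), demo()):
        print(f"{label}: {'OK' if not result else result}")
```

Run it on a schedule against each night's archive and alert when `verify_backup` returns anything other than an empty dict; the test restore is the part most SMBs skip, and it is the only step that actually proves the backup will be there when it is needed.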