Lessons Learned From a Year of SMB Cybersecurity Assessments

Gaps, assumptions, and missing cyber controls continue to plague SMBs

Over the past year, Adversis has helped dozens of small businesses recover from compromise, assess their cyber exposure, and gain independent, long-term guidance on becoming more resilient.

The Montana Department of Commerce earmarked two million dollars through the American Rescue Plan Act for small businesses to receive reimbursement for cybersecurity efforts in its (now expired) Montana Cybersecurity Grant Program.

These projects have led to a number of insights that doubtless apply to the 98% of American businesses with fewer than 100 employees.

Key Takeaways

  • Business owners and leaders who have been most interested in cybersecurity investment are forward-thinking and seem to understand that managing their cybersecurity risk with professional support is simply a new cost of doing business that gives a competitive advantage.
  • Business owners often worry about data theft and loss of control, but scams and payment diversions after email compromises are most likely to affect them. Very few prepare for these events.
  • Most businesses assume their technical service providers do much more than technical support including keeping them compliant with legal data security obligations and providing holistic business protection.
  • Virtually every business suffers from online account protection challenges. Everyone has a passwords.xlsx file on the desktop with passwords like BusinessName2024, reused passwords, and missing two-step verification.

The following is a brief list of insights we’ve learned. If you're among the 98% of businesses with fewer than 100 employees, we hope you can apply some of these in your own firms to become more resilient to cyber incidents.

If you're among the 2%, consider how you can use your resources to help the rest of the ecosystem - some of your data is likely held by these firms.


A Proactive Culture is Happier

Companies with forward-thinking approaches to cybersecurity seem to have fewer breaches and, anecdotally, more satisfied employees. Proactive measures build a resilient security culture and keep people safer in their personal lives.

Password Reuse, Spreadsheets, and Missing Two-Step Verification Abound

A lack of account controls and poor password practices are the start of many a compromise. Virtually every business has a passwords.xlsx file on the desktop with passwords like BusinessName2024!. Passwords reused across personal and work accounts are common, and missing two-step verification is widespread. Microsoft’s secure defaults help here, but many security controls are locked behind their Premium licensing. Whether industry-specific practice management software even supports two-step verification is another question. Even healthcare SaaS products aren’t guaranteed to support it!

These lapses can lead to significant breaches. Simple fixes that go a long way:

  1. Use a password manager to create and store passwords (free).
  2. Enable two-step verification on email, file share, and other important sites (free).
  3. Sign up for Have I Been Pwned (free) for your domain and change hacked passwords.
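The three lapses above (a predictable business-name-plus-year password, the same password reused across accounts, and important accounts without two-step verification) are easy to check for mechanically. The script below is an added example, not Adversis's tooling; it audits a constructed inventory that stands in for the passwords.xlsx file the post describes. The row layout, the `two_step` field and the business names are assumptions for the example.

```python
"""Audit a password inventory for the three lapses the post describes."""
import re
from collections import defaultdict

# Constructed sample rows standing in for a passwords.xlsx file.
# The passwords are illustrative placeholders, not real credentials.
SAMPLE_INVENTORY = [
    {"account": "Microsoft 365 admin", "password": "BusinessName2024!", "two_step": False},
    {"account": "Bank portal",         "password": "BusinessName2024!", "two_step": True},
    {"account": "Practice software",   "password": "Summer2023",        "two_step": False},
    {"account": "File share",          "password": "x9#Lq!v2Rt7&pZ1m",  "two_step": True},
]

# Assumed names for the business; a real audit would load these from config.
BUSINESS_NAMES = ["Business Name", "BusinessName"]
YEAR_RE = re.compile(r"(19|20)\d{2}")
SEASONS = ("spring", "summer", "fall", "autumn", "winter")


def normalize(text):
    """Lower-case and strip punctuation so 'Business Name' and 'BusinessName!' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_predictable(password, business_names):
    """True when the password is a company name or a season followed by a year."""
    norm = normalize(password)
    bases = [normalize(n) for n in business_names] + list(SEASONS)
    return bool(YEAR_RE.search(norm)) and any(norm.startswith(b) for b in bases)


def audit(inventory, business_names):
    """Return (account, issue) findings for predictable, reused and un-protected logins."""
    findings = []
    accounts_by_password = defaultdict(list)
    for row in inventory:
        accounts_by_password[row["password"]].append(row["account"])

    for row in inventory:
        account = row["account"]
        if is_predictable(row["password"], business_names):
            findings.append((account, "predictable pattern (name or season + year)"))
        sharers = [a for a in accounts_by_password[row["password"]] if a != account]
        if sharers:
            findings.append((account, "password reused with: " + ", ".join(sharers)))
        if not row["two_step"]:
            findings.append((account, "two-step verification not enabled"))
    return findings


if __name__ == "__main__":
    for account, issue in audit(SAMPLE_INVENTORY, BUSINESS_NAMES):
        print(f"{account}: {issue}")
```

Run against the sample rows, every account except the file share is flagged at least once; the Microsoft 365 admin login collects all three findings, which is exactly the combination behind the email-compromise and payment-diversion cases the post describes.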

Never Have So Many Fallen to So Many Scams

No employee handbooks or onboarding documentation tells employees that their bosses won’t email or call them to urgently go out and buy gift cards. Simple education on recognizing phishing and social engineering scams can prevent many cyber incidents. Very rarely is there guidance for those with payment authority that people may try to trick them into diverting payments to fraudsters' accounts.

Simple fix:

  • Instruct employees never to purchase gift cards and provide sensible technology safety guidance.

Lack of Robust Payment & Verification Processes

As with the lack of scam awareness training, we rarely see businesses instituting procedures such as two-person approvals for payments over certain thresholds or verifying payment changes out-of-band. Both are simple fixes that can prevent fraudulent activity.

Simple fix:

  • Require that financial account changes be verified through multiple methods.

Interactive Training is Much More Effective

No one enjoys forced online webinars and technical training about cybersecurity, especially if it’s irrelevant to one’s job. But virtually everyone finds some value in in-person technology safety training relevant to their job and daily lives. Ad hoc phishing tests continue to show limited value; just as we no longer do surprise fire drills, pre-announced phishing drills are better tools. Some people will always open, click, and respond: you must have strong endpoint configurations and resilient processes to protect against those inevitabilities.

Simple fix:

  • You could pay for dry online phishing training of questionable value, or bring in a live interactive session tailored to the business for the same amount per year.

A Firewall Does Not Do What People Think it Does

For most SMBs, a firewall does not protect against their likely threats and, in some cases, even increases their risk of attack, especially for those in unregulated businesses that primarily use SaaS services and have no internal infrastructure. Since firewalls need to be configured, managed, updated, and secured, the room for error increases with their added complexity. Licensing costs are not cheap, and they give vendors an intimate look at a business’s internet traffic. A firewall arguably brings little value if the rest of the organization isn’t considered, including employee scam training, secure payment processes, and secure endpoint configurations.

Simple fix:

  • Ask whether you truly need a hardware firewall, and how it will be configured, updated, and supported.
  • Are you running before crawling? Are your computers up to date? Do you have robust processes? Have you considered what technology or vendors are critical?

Who Holds Vendors Accountable?

We’ve worked with some great technology providers and seen some less-than-stellar providers. IT vendors often sell solutions that may not be in their client’s best interest, provide limited value, or could be obtained freely elsewhere. This isn't a knock on the value-added reseller business model, but those running an organization should understand what they’re being sold and ask their vendors to justify solutions.

We’ve helped more than a few teams understand what their vendor was providing them, translated technical language into understandable terms, and saved them significant expenses in the process.

Simple fix:

  • Ask your vendors what they’re doing (and not doing) and press that it be clearly articulated. Require them to take precautions with access to your systems, data, and configurations.

Post-Breach Regrets

Without fail, organizations that have experienced breaches wish they had invested in cybersecurity earlier. Oftentimes, common business liability insurance has exclusions for hacking events and fraud. And even for those with insurance, the stress and uncertainty, not to mention the cost of assurance after a breach, far outweighed the expense of preventative measures.

Simple fix:

  • Bring in professional support before you need it, just as you would with a retained attorney or fractional CFO.
  • If you can’t stomach the average price of a ransomware event or payment diversion scam (hovering around $50,000), make sure you have cyber insurance.

Experience Brings Resilience

Ironically, getting hacked can strengthen a business's resilience if it’s forward-thinking and realizes that investment needs to be made in strengthening technology, processes, and training. Those who bring in professionals with deep cybersecurity expertise implement stronger security measures and uncover risks the business wasn’t previously aware of, reducing future issues while becoming more resilient in the process.

Simple fix:

  • Have someone hack you. In all seriousness, test your technology and security controls to verify they’re doing what you expect.

Data Security Obligations are the Business’s Responsibility

Many small businesses struggle with compliance, i.e., are not remotely compliant with numerous data security acronyms. For example, the complexity, cost, and lack of clear answers regarding PCI compliance for SMBs are quite burdensome. Some vendors (like Square) take on the burden of PCI for their customers, whereas most other card solutions and payment providers expect token checkbox efforts but officially "require" full compliance. Then, if a breach occurs affecting card data, the business is held liable.

Very few know their obligations under the FTC Safeguards Rule if they maintain financial records. And many small health practices assume IT takes care of their HIPAA Security Rule obligations. Most often, they do not comprehensively do so.

Simple fix:

  • Bring in professional support to ensure satisfaction of your data security obligations. And don’t just be compliant; truly protect your data and systems.

Conclusion

As the pace of technology races on, small and medium organizations will more and more need to rely on secure defaults in technology and expert support by professional services to help guide decisions, translate technology needs, and educate employees. Fortunately, an increasing number of business leaders understand that cybersecurity is an integral cost of doing business and can be a competitive advantage as they’re more likely to bounce back after an incident and can showcase to potential customers a commitment to protecting their information.

Resources

In our efforts to support these SMBs, Adversis has created several free resources to help organizations understand what should be done, how to secure things, and what costs to expect.

Stay safe out there!
