The reality of cybersecurity for small- to medium-sized businesses (SMBs)
Everyone in the I.T. business knows of and is concerned about cybersecurity for small businesses. Whether you develop websites, write applications or support business networks, we all know the threat is real. Unfortunately, it seems the concern is not shared by small- to medium-sized businesses (SMBs). I often hear, “I’m not a big fish, I won’t be a target”, but sadly this is not true. Everyone is a target; attackers do not discriminate, they simply go after whichever businesses have vulnerabilities. The great challenge of our time is how to get across to businesses that cybersecurity for SMBs is critical, because the threat is random, costly, and potentially destructive.
It saddens me to think about how such a wonderful technology, created primarily to share knowledge, has become such a hostile environment. I remember back in the 90s when the Internet was regarded as being only for nerds and we used a modem, which would dial out to the Internet (at an insanely slow speed compared to today’s). Typically, there would be a specific purpose for “logging on”, like checking your email or doing research.
Flash forward to today and the Internet is ubiquitous. It has quickly become an essential utility like electricity and water. A defining point: When the Internet was built, it was designed with functionality in mind, not security. Enter the bad guys.
In the not-too-distant past, we (Loyal I.T.), as an MSP, were recovering a business from ransomware every second day. Some businesses were hit two or three times because, for example, their receptionist lacked cybersecurity education and clicked on links within spam email. It was only then that they realised what we had been alluding to: that they needed to shore up their defences. A good (or terrible) example: not long ago, we inherited a business from another I.T. company. This business had insecure remote access and no backup strategy. About now, you’re thinking “oh no, I know where this is going”, and you’d be right.
For nine months we were advising them about securing themselves, but they wanted easy remote access into their business, and they felt $1,500 AUD for secure remote access and a robust backup solution was not necessary. Sadly, one night they were hacked (on account of their insecure remote access). The hackers deployed ransomware and asked them for payment in Bitcoin to the value of $10,000 AUD. After going back and forth with the hackers, they negotiated the ransom down to $1,000 AUD worth of Bitcoin. As soon as they paid it, the hackers went silent. Not only did this small business lose $1,000 but they lost all their data. This was the reality the business faced. Unfortunately, this meant they had to shut their doors, let the 5 employees go and then attempt to start the business back up again from their garage.
How do you help SMBs understand the significance of cybercrime, its randomness, and its vulnerabilities? Again, small business cybersecurity is critical. This is a question we have been addressing for over 2 years.
With the advent of the national awareness campaign by the Federal Government, Loyal I.T. was appointed exclusively to implement this initiative in our region, which has allowed us to expedite our cybersecurity for SMBs awareness and prevention service offering.
An effective cybersecurity service in these times should be made up of:
- Awareness and education
- Analysis and assessment
- Implementing fixes and prevention
The benchmark we are using for assessing the effectiveness of an SMB’s cybersecurity is the ‘Essential Eight’ strategies to mitigate cyber threats. The mitigation strategies are:
- Turn on multi-factor authentication on all supported services and remote access systems.
- Perform daily backups and test regularly.
- Patch operating systems.
- Patch applications.
- Configure Microsoft Office macro settings.
- Restrict administrative privileges.
- User application hardening.
- Application control.
Couple these mitigation strategies with the ConnectWise Identify “Essentials NIST CSF Assessment”, the ConnectWise Fortify vulnerability assessment report, and the Fortify Dark Web Scan, and suddenly you can assess businesses and offer real solutions that most business owners will understand.
These reports and mitigation strategies give you, the MSP, the information about your client’s network, but what does it do for them? Sure, you can give them the reports and let your client sift through them, but this is where your experience as an MSP comes in to help your client prioritise their implementation of security measures. I have found this works best when you distill it down into a custom, summarised, and prioritised report.
The commitment to this is about one full day per business. However, we have noticed an increase in businesses wanting additional services such as automated patching, backup test recovery services and SentinelOne (i.e. advanced antivirus), which more than makes up for the time commitment.
As previously mentioned, the need for awareness cannot be overstated. We are investing a significant amount of time and effort in education and awareness. As part of our cybersecurity for small businesses awareness campaign, we have started a free podcast series, “Cyber Security Business Connect and Protect Central Coast”, which talks about cybersecurity issues that affect small and medium businesses in the local region, incorporating the Essential Eight and interviewing business managers who have been impacted by cyber incidents. For most businesses, it’s fair to say, they don’t know what they don’t know, and as some iconic Saturday morning cartoons have taught us, “knowing is half the battle”. A simple illustration of this came up on one of my podcasts. I interviewed a business manager whose Facebook account was hacked, which impacted her employer’s social media. Significant feedback I received from many listeners was “I didn’t realise personal and business social media could impact each other” and “I didn’t know you could secure Facebook; I’ll do that now”.
To summarise, to implement a successful awareness campaign, you need to think for your clients. Businesses don’t know where to start and therefore they are reluctant to ask. If you have a low-cost assessment, businesses will respond. Think of it as a loss leader and you will be helping businesses protect themselves from potential disaster, and you’ll likely pick up some additional sales in the process.
Michael has been in the I.T. industry since 1998 and is currently the General Manager of Loyal I.T. Solutions (https://loyalit.com.au). Loyal I.T. Solutions has been servicing the region since 2002. As a Certified Ethical Hacker, Michael was chosen by the Australian Federal Government to run the Cyber Security Business Connect and Protect Central Coast (https://cybersecurity.loyalit.com.au) initiative for the Central Coast region. Search and subscribe to the “Cyber Security Business Connect and Protect Central Coast” podcast or visit https://loyalit.com.au/podcast.