Many small and mid-sized businesses (SMBs) are still making some basic mistakes when it comes to securing their organizations. Here are three of them.

In the past decade, the number of known malware programs has risen from 65 million to 1.1 billion. The ways in which cybercriminals deploy the malware have also increased in number and sophistication.

While advanced security technologies are available to defend against these cyberthreats, many can be thwarted with basic security practices. However, research is showing that many small and mid-sized businesses (SMBs) are still making some basic mistakes when it comes to securing their organizations. Here are three of them:

  1. Believing That It Won’t Happen Them

Many SMB owners have a false sense of security when it comes to cyberattacks. Nearly 60% of them believe that their companies won’t be targeted by cybercriminals, according to a 2020 BullGuard study. They often think that their business is too small to be of interest to cybercriminals. This “it won’t happen to me” mindset can get small businesses into big trouble.

Although large companies typically have more money and more data to steal, they also have more security solutions and in-house IT administrators to guard those assets. Most SMBs do not even have an IT administrator on staff. The BullGuard study found that 65% of SMBs manage their cybersecurity efforts in-house, but less than 10% have a dedicated IT staff member. As a result, they are typically easy targets. Plus, there are far more SMBs to attack than large companies.

Rather than spending a lot of time and effort going after the large fruit at the top, hackers often target the smaller, low-hanging fruit because it is plentiful and easier to pick. For proof, all SMBs need to do is look to the past. In 2019, 76% of the SMBs in the United States reported being attacked, according to the Ponemon Institute’s “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses” report.

  1. Having Bad Password Habits

Every year researchers analyze millions of passwords that have been exposed through data breaches and leaks in order to show people the types of passwords not to use — and every year weak passwords like “123456”, “password”, and “qwerty” keep topping those lists. It would take a cybercriminal only one second to crack each of these passwords using a brute-force password-cracking tool, which is why using weak passwords is so risky.

Reusing passwords is also dangerous. Hackers know people frequently reuse passwords, so they try compromised passwords on multiple accounts using credential stuffing and other types of attacks. Despite this danger, more than 99% of people reuse their passwords, either across work accounts or between work and personal accounts, according to a 2020 Balbix study. On average, every password is shared across 2.7 accounts.

While having easy-to-crack passwords for user accounts is bad, a much worse situation is having service account credentials that are easy to hack. Cybercriminals like to hack service accounts because they can easily elevate the accounts’ privileges and gain access to sensitive data. Much to their delight, hackers often find that companies haven’t changed the default passwords for their service accounts, according to the “Black Hat 2019 Hacker Survey Report“. While a few vendors design their software or hardware to create a unique default password when it is installed by a customer, most vendors simply use the same default password (e.g., “admin”, “password”, “guest”) for every installation. Although vendors typically recommend that customers change the default password before using the software or hardware in business operations, many SMBs fail to do so. This makes it easy for cybercriminals to hack into those service accounts, as the default passwords used by vendors are easy to find on the Internet.

Furthermore, changing a service account password is not a one-time event. It needs to be changed periodically. However, even some security pros fail to do so. The Black Hat report revealed that 36% of them don’t follow this practice. If the pros fail to regularly change their service account passwords, odds are that most SMBs won’t either.

  1. Not Adequately Securing Mobile Devices

In 2019, more than 60% percent of employees at SMBs used smartphones for work, according to an IDC survey. This percentage is now likely higher due to more employees working from home because of the Coronavirus Disease 2019 (COVID-19) pandemic.

Using smartphones and other mobile devices is popular in SMBs for good reason. With mobile devices, employees can access business apps and systems at any time from almost anywhere, which is key to their productivity and the SMBs’ profitability, according to Verizon’s “Mobile Security Index 2020: SMB Spotlight” report. Thanks to both mobile and cloud technologies, SMBs are better able to compete with larger companies.

However, the mobile technologies that are helping SMBs become more competitive could also cause them harm. Mobile devices are often the target of phishing, ransomware, and other types of attacks. The SMBs that participated in the Verizon study said they are aware of these threats, with 81% indicating that the risk to their business is moderate to significant. Yet, many of these SMBs are not implementing basic security measures such as changing all default passwords (done by only 41% of the SMBs) and restricting access to company data on a “need to know” basis (done by only 50% of the SMBs). Equally troublesome is that 66% of the study participants said they have personally used public Wi-Fi for work tasks, even though 25% said it is explicitly prohibited by company policy.

Given the lax security, it is not surprising that more than a quarter of the SMBs admitted they suffered a security compromise involving a mobile device in 2019. And if they do not take steps to better secure their mobile devices, they could significantly damage their reputation and bottom line, according to the report.

wocintech (microsoft) – 44 flickr photo by wocintechchat.com shared under a Creative Commons (BY) license