Cybersecurity has become paramount to businesses of all sizes, but SMEs frequently lack the tools and resources to manage the ongoing threat. And with the number of cyber-attacks increasing – 1,351 incidents, affecting 2,241,916,765 breached records, were detected in 2023 – it’s more important than ever for small and medium-sized businesses to access the protection they need.
So, what are the core areas that SMEs should be focusing on to help protect their businesses?
The primary cybersecurity threats faced by SMEs
One of the reasons that managing cybersecurity can be so difficult for SMEs is that attacks can take a variety of different forms, and risks can come from a number of different places. While most companies are aware of the most common cyber threats – phishing, malware, ransomware, spoofing, insider threats, and even code injection – new forms of attack are being developed every day. And employee behaviour and company policies can make it so much easier for those attacks to get in.
In 2023, 86% of web application attacks arose from compromised login details and poor password protection. Some of this will be due to inadequate training as well as individual laxity. But other problems stem from changing working habits – while bring-your-own-device policies are considered to be more cost-effective for a business, and work from home has become standard policy, they both expose businesses to risk through the use of unsecured networks. And then there’s the issue of third-party legacy access to external SaaS platforms, which is surprisingly overlooked by many businesses even though it can lead to a range of potential problems, including espionage and reputational damage.
Why most businesses overlook the risk of legacy access
In contemporary business, a number of operations are outsourced: marketing, social media management, IT management, sometimes customer service and administrative tasks. All of these require third-party access permissions. While access to in-house systems will typically be tightly managed, it’s the SaaS and social platforms and external channels that tend to be overlooked. This is partly because they are not viewed as core operational infrastructure, and partly because it can be challenging to keep track of who has access to what and when, especially as most social channels force people to use their personal profiles to access ad accounts and pages rather than IT-controlled systems and password vaults. So, when an employee leaves or an external agency reaches the end of its contract, there’s no simple way to rescind their access – or even to monitor who is accessing these third-party platforms. And this raises a range of significant problems.
The risk of legacy account access
What happens when a disgruntled ex-employee or a terminated agency realises that they still have access to your business’s social media accounts? In most cases, nothing. But increasingly, that access can be weaponised. Several high-profile cases have hit the headlines in the last few years, from the leaking of Twitter’s source code by a fired employee after Elon Musk took over, to the X-rated name-calling on Burger King’s Twitter account. While these events left room for recovery, for many, the reputational damage can be devastating. There’s also room for sabotage: those with account management access can block genuine users from the account, steal scheduled content – including leaking offers to competitors – and misappropriate funds. Social media advertising budgets can be enormous, and when you allow the wrong people to have continued access to your account, you risk the account being drained.
How can businesses address the most common cybersecurity threats?
In most cases, enhanced cybersecurity comes down to four things:
Training – If your employees know what to do, how to recognise potential threats, and the right protocols to follow, then cybersecurity risks are dramatically cut.
Secure networks – When you have strong network security – firewalls, intrusion detection systems, encryption, access controls, and user authentication – in place, it makes it harder for unauthorised people to gain access. This can prevent data breaches, malware, and other cyber threats.
Multi-factor authentication – Passwords are easily lost and stolen. Having multi-factor authentication in place means that there’s always a second or third layer of protection for sensitive accounts.
Controlled access permissions – Marketing channel access permissions are often overlooked because there are so many different platforms, variables, and login types involved. Working with a platform that can provide a clear overview of all of your access permissions and a single point of access to all of your external and SaaS platforms enables simple management.
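An access review in the spirit of the controlled-permissions point above, as an added example that is not part of the original article: it reconciles an exported list of platform grants against a roster of current staff and agencies, and flags access held by anyone whose engagement has ended or whose profile nobody can account for. The roster, grant rows, platform names and role names are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): who is engaged, until when,
# and every identity they use, including the personal profiles that social
# platforms require for page and ad-account access.
ROSTER = [
    {"name": "A. Patel", "type": "employee", "ends": None,
     "identities": {"a.patel@example.com", "anita.p@personal.example"}},
    {"name": "J. Moore", "type": "employee", "ends": date(2024, 3, 29),
     "identities": {"j.moore@example.com", "jmoore84@personal.example"}},
    {"name": "BrightAds", "type": "agency", "ends": date(2024, 1, 31),
     "identities": {"ops@brightads.example"}},
]

# Constructed access export: one (platform, identity, role) row per grant.
GRANTS = [
    ("social-ads", "anita.p@personal.example", "admin"),
    ("social-ads", "jmoore84@personal.example", "admin"),
    ("social-page", "ops@brightads.example", "editor"),
    ("email-marketing", "old.intern@personal.example", "viewer"),
    ("email-marketing", "a.patel@example.com", "admin"),
]

# Assumed role names: roles that can lock out genuine users or spend budget.
HIGH_RISK_ROLES = {"admin", "owner"}

def find_legacy_access(roster, grants, today):
    """Return grants held by offboarded or unrecognised identities, riskiest first."""
    owner_of = {ident.lower(): p for p in roster for ident in p["identities"]}
    findings = []
    for platform, identity, role in grants:
        person = owner_of.get(identity.lower())
        if person is None:
            reason = "identity not mapped to anyone on the roster"
        elif person["ends"] is not None and person["ends"] < today:
            reason = f"{person['type']} {person['name']} ended {person['ends']}"
        else:
            continue  # engagement still active: access is expected
        findings.append({"platform": platform, "identity": identity,
                         "role": role, "reason": reason})
    findings.sort(key=lambda f: (f["role"] not in HIGH_RISK_ROLES,
                                 f["platform"], f["identity"]))
    return findings

if __name__ == "__main__":
    for f in find_legacy_access(ROSTER, GRANTS, today=date(2024, 6, 1)):
        print(f"REVOKE {f['platform']:<16} {f['identity']:<30} {f['role']:<7} {f['reason']}")
```

The review only works if the roster records the personal profiles people use on each platform, which is why each roster entry carries a set of identities rather than a single work address.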
When a cybersecurity event occurs, it raises masses of questions for a business. Who is to blame? Who should be held accountable? And how can the problem be both fixed and prevented from happening again? In all of these cases, prevention is always better than cure, and it’s time for small businesses to really scrutinise their cybersecurity practices.