Small and medium businesses (SMBs) have it hard when it comes to cybersecurity posture. The cybersecurity skills gap hits them the hardest because most security professionals prefer to work elsewhere.

Young information security enthusiasts are in high demand. However, instead of SMBs, they usually prefer to work for specialized security businesses and focus, for example, on manual penetration testing. Another preferred choice is the enterprise, where they can narrow down their tasks, specialize in areas such as network security, attack surface and threat landscape analysis, risk assessment, or security framework design, and follow a more promising career path, potentially all the way to CISO.

Another major problem for SMBs is the budget. An enterprise or a specialized team can usually offer security experts much better wages and extras. And it’s no wonder that young enthusiasts are picky – they are on the winning end, they are the ones being fought for.

In the end, many SMBs end up with administrators or general IT teams taking on the IT security role. Even if they manage to get a security professional onboard, that professional becomes a jack of all trades, often burning out and leaving early, seeking a different career path.

Another major problem associated with the cybersecurity posture of SMBs is the lack of security awareness and the belief in myths, especially among top managers and executives. This often leads to security being pushed back and treated as a minor issue, with budgets focused on development and direct profit. Even if SMB owners and top managers realize that there is a major security risk, they are often ready to accept that risk because of the challenges associated with mitigating it, for example the challenge of finding personnel, as described above.

Let us try to debunk some major cybersecurity myths that can have a very bad influence on the organization’s cybersecurity posture. Once the train of thought is clearer, it might be easier for SMBs to establish security best practices to efficiently manage their information security status.

1. “We don’t need to know about security because we hired an expert”

This is a very dangerous myth that leads to losing personnel. Cybersecurity is not something that you can simply rest on one person’s shoulders. Just like with physical security, even if you have the best locks and the best alarm system, it only takes one random employee to forget to lock up when leaving work and the entire effort is useless. And if one person is blamed in such a case, you can be sure they will soon find a better place to work.

If you want your business to thrive securely, everyone in the company (or even out of it, if the supply chain includes outsourcing) needs to be aware of cybersecurity. And it’s not just about a single onboarding training or about regularly sending everyone fake phishing emails to check their responses. It’s about making sure that everyone truly cares, all the time.

For employees to truly care about cybersecurity, the managers need to care about it first. Instead of merely setting expectations, managers should lead by example and make sure that cyber risk is perceived as important. This is not difficult: it is enough that every decision takes security into consideration and that every major discussion includes the topic of security where appropriate.

2. “We’re safe because we outsource our security to a professional business”

An outsourced company cannot manage your security in the same detail as you can. A professional security services contractor is a good and easy option for a small organization that cannot afford dedicated cybersecurity resources. A third-party vendor or contractor may help you select a cybersecurity framework such as NIST, design your cybersecurity strategy, assist you with risk management and threat intelligence, help you set up your security controls, and even take part in incident response. However, they cannot be everywhere and watch everything in real time, and their response time will probably be significantly worse than that of your own employees.

If you outsource your security, you still need to make sure that everyone in the company is aware of the security impact of their actions. For example, outsourcing security to a professional contractor won't stop your developers from introducing SQL injection vulnerabilities into your software. It is rare for a contractor to actively participate in your SDLC and watch all of your IT assets.

3. “We’re safe because we bought a comprehensive security solution”

There is no software that can guarantee your organization's security, and no single security tool covers even half of the potential cyber threats. You may get an endpoint solution that protects you from malware, including ransomware, and a firewall that protects your external and internal network from certain network attacks, and still be vulnerable to complete system compromise and loss of all company data as a result of a single SQL injection, because neither of these tools addresses application-level vulnerabilities at all.

Don't be influenced by empty vendor promises, and don't be afraid to go for specific solutions for specific security threats, such as a specialized web vulnerability scanner to protect yourself from web-related threats. Look for vendors that are not afraid to tell you the facts instead of using big-business language to cloud your judgment. Look for specialized vendors, because they have the means to protect you effectively. And always remember that software automation is just a tool; it is the way you use that tool that really matters.

Another related mistake of many SMBs is focusing on the security of their offices. In the past, this made sense because most assets were kept in the office, often including servers. Nowadays, SMBs mostly rely on cloud solutions, and therefore cybersecurity controls should focus on cloud data security and web presence, because most business assets are based on web technologies (including mobile technologies and IoT).

Maybe back in 2000, an antivirus solution and a network scanner were more important than a web vulnerability scanner, but now, in 2020, this is no longer the case. While endpoint anti-malware solutions are still key to protecting against threats such as ransomware, protecting your web applications is at least as important, and a web vulnerability scanner is the tool built to find the vulnerabilities in them that the other tools do not look for.

4. “We’re safe because we don’t expose our applications or data to the public”

This is another very dangerous myth that leads to major problems. SMB managers often think that if the company does not work in the public space, it is safe from attacks. However, this could not be farther from the truth.

For example, if you design a B2B application that is used by a limited number of businesses and requires authentication to access, it is just as exposed to cybersecurity risks as a public website. An attack does not have to come from an employee of one of your customers. If, for example, your login form has an SQL injection vulnerability, an external attacker can bypass authentication and gain access to an application that was designed to be used by specific customers only, not by the general public.
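To make the login-form scenario from myths 2, 3 and 4 concrete, here is an added example (not code from the original article or from any product it mentions): a login check that builds its SQL query by string formatting, beside a hardened version that uses a parameterized query and a salted password hash. It runs against an in-memory SQLite database seeded with one constructed account; the user name, password and table names are assumptions made for the demo.

```python
"""
Added example (not from the original article): an SQL-injectable login
check beside a hardened one, run against an in-memory SQLite database
seeded with a single constructed user account.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; the name and password are assumptions.
SEED_USER = "alice"
SEED_PASSWORD = "correct horse battery staple"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db() -> sqlite3.Connection:
    """Create two tables: plaintext credentials (vulnerable demo) and
    salted hashes (hardened demo), each holding the one seeded user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (SEED_USER, SEED_PASSWORD))
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hashed VALUES (?, ?, ?)",
        (SEED_USER, salt, _hash_password(SEED_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Interpolates user input straight into the SQL text, so a quote in
    the input changes the query's structure instead of being data."""
    query = (
        "SELECT username FROM users_plain "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup (input stays data), then a constant-time
    comparison of the stored hash against the hash of the supplied password."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


def run_demo() -> dict:
    """Exercise both versions with valid credentials and with a classic
    tautology payload that closes the string literal, forces the WHERE
    clause to be true, and comments out the password check."""
    conn = build_db()
    payload_user = "' OR '1'='1' -- "
    return {
        "vuln_legit": login_vulnerable(conn, SEED_USER, SEED_PASSWORD),
        "vuln_injected": login_vulnerable(conn, payload_user, "anything"),
        "hard_legit": login_hardened(conn, SEED_USER, SEED_PASSWORD),
        "hard_injected": login_hardened(conn, payload_user, "anything"),
        "hard_wrong_pw": login_hardened(conn, SEED_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The payload turns the vulnerable query into `... WHERE username = '' OR '1'='1' -- ' AND password = 'anything'`, which matches every row, so the attacker is logged in without knowing any credentials, exactly the authentication bypass described above. In the hardened version the same string is passed as a bound parameter, is looked up as a literal user name, finds no row, and is rejected; no firewall or endpoint anti-malware product is involved in either outcome.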

Also, note that many data breaches happen as a result of insider carelessness or malicious intent. For example, one of the most common types of data breach is an unprotected database that was exposed through the carelessness of an employee (the database was never meant to be publicly available).

While having public-facing assets increases the cybersecurity challenge, not having any does not automatically mean you have good data protection. To be secure, you should protect your internal and authenticated assets just as well as your external assets.

5. “We’re safe because there is no gain in hacking us”

Cybercrime is not always a result of there being something to gain. It’s just as often a result of opportunity. Some cybercriminals focus on valuable intellectual property or sensitive data (and will do nearly anything to steal it) while some just shoot blind and hope to catch someone off guard. Are you on guard?

When you examine the biggest data breaches in recent years, few of them were actually the result of a targeted attack. In some cases, such as Equifax, it was indeed a targeted attack, attributed by the US indictment to members of the Chinese military. However, the big hit of 2019, the Capital One breach, was the work of a lone individual rather than an organized, targeted campaign. Many other breaches were simply the result of someone scanning public address ranges and finding a vulnerable resource.

The way forward

Once your organization gets rid of the above myths, you will have an easier time maintaining security without a desperate search for the "magic security guy who will fix everything". With security perceived as a company-wide issue, given suitable focus and consideration, and with the right automated solutions, such as web vulnerability assessment and management software with a vulnerability scanner engine like Acunetix, your future looks much brighter than that of businesses still living in the past.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.