How to prepare SMBs for a cyberattack

Despite an increase in attacks, many small businesses still think they are safe.

Chris Crellin, senior director of product management, Barracuda MSP

Ransomware continues to be one of the fastest-growing areas of cybercrime. In 2022, the number of ransomware threats spiking at a rate as high as more than 1.2 million per month, according to research from Barracuda. Additionally, the expanding attack surface resulting from an increasing number of connected devices and growth in cloud services deployments, is also driving an increase in zero-day vulnerabilities found in third-party software and applications, which is leading to more supply chain attacks.

While these attacks have received much attention in the media and among cybersecurity professionals, many small and medium businesses (SMBs) remain unprepared. For MSPs, this represents a critical opportunity to help safeguard existing clients and win new business.

No business is too small to be vulnerable

According to a survey in 2022, more than half of small businesses did not have cybersecurity measures in place, even though at least 1 in 5 SMBs had been the victim of a cyberattack. When asked why, 59 percent of those defenseless SMBs said their businesses were too small to be a target. The survey also found that 36 percent of SMB owners were not concerned about cyberattacks at all.

But these attacks are increasing rapidly, particularly in verticals like healthcare, education, finance, municipalities, and infrastructure. Service providers of all types are also increasingly becoming a target, as they can provide a launching pad for attacks against those companies’ clients.

Misconceptions drive resistance to cybersecurity investments

Many of these attacks are also targeted toward smaller organizations less likely to have the resources to protect themselves successfully – local school systems, small healthcare practices, etc. SMBs need to invest in cybersecurity, but many are resistant because of several misconceptions and financial considerations.

SMBs think they are too small to bother with or that their online business is too limited to pose a risk. While the most high-profile ransomware attacks are against large companies, no one is safe anymore. Although potential ransomware payouts from SMBs are smaller, these companies are more likely to pay because the business disruption is sufficient to cause permanent damage if they cannot access files or applications. As noted above, small service providers are also a rich target, even if they are not conducting a lot of online business, since they can provide hooks into other, larger companies. This is especially true in case of supply chain attacks, where SMBs can provide an entry point for attackers to the larger companies they do business with.

Some SMBs feel the cybersecurity threat is overblown. For those lucky enough to have not been a victim of an attack, it can be easy to assume that the risk is not that high. For MSPs, using actual attack data (and information about the costs of those attacks) should be leveraged to help educate these clients about the real risk to their businesses.

No one on their staff understands cybersecurity. SMBs have been acutely affected by the industry-wide shortage of qualified cybersecurity professionals – many may not have an IT department or rely on a single staff member. MSPs already helping support these companies need to offer themselves as security experts.

They may not have time to implement security measures. But, again, MSPs are in a solid position to explain how their managed security services can augment existing IT services and provide protection at a reasonable monthly cost.

SMBs think cybersecurity is too expensive. IT budgets at smaller companies have not kept pace with the rising risk of more frequent and complex attacks. Price resistance is a common challenge for MSPs working with smaller clients. Education, again, is vital to convincing price-conscious customers that the cost of a successful attack is much, much higher than the price of a solid security infrastructure.

A single ransomware attack that disrupts business for several days or a week (which is typical), even if the ransom is not paid, can effectively put many smaller firms out of business – particularly if their clients are also affected by the attack. 

The role MSPs play in improving security postures

To help their SMB clients improve their security posture, MSPs should first focus on enabling them to maintain basic cybersecurity hygiene, and then go from there. 

Achieving this baseline means determining what needs to be protected, establishing a multi-layered security approach, putting continuous monitoring in place, reducing response times, and implementing a framework to protect people, processes, and technologies. 

Just a few tactical examples of actions MSPs should take include:

  1. Removing unused or unauthorized applications that may indicate the network has been compromised and enabling Zero Trust access to applications and data.
  2. Enhancing web-based application and API protection services.
  3. Regularly backing up essential files using cloud-based and offline resources, with special credentials for access.
  4. Setting up robust password management practices for employees and use a role-based system to limit access to data and applications based on specific employee requirements.
  5. Creating clear security rules around mobile device use, including multifactor authentication (MFA), restricting access to only company-approved applications, and other techniques.

MSPs can also help their SMB clients by providing regular education for managers and employees about current and ongoing security threats, how to recognize phishing emails, and how to respond to a potential malicious message. 

SMBs can no longer afford to assume that they are under the radar when it comes to cyberattacks. MSPs can help these companies overcome staffing, budget, and resource constraints by providing holistic security training and technology that can help mitigate costly ransomware and other attacks.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.