After a bitter year-plus of struggling with seismic, pandemic-driven changes, IT leaders at small-to-medium businesses (SMBs) are looking ahead with hope for a return to relative normalcy. The past year forced jarring changes on their staffs, between surging remote work, helter-skelter adoption of software-as-a-service (SaaS) applications, and cybercriminals churning out attacks at a previously unseen scale.
Vaccinations are rolling out -- happy days are here again, right? Not so fast: The new normal promises little relief on the fronts that worsened a tough year for SMBs: not enough money for infrastructure and services, a cybersecurity talent shortage, and nastier cyberattacks. Nearly 40% of SMBs are still investing less than $1,000 per year in IT security. That's a paltry sum now that cybercriminals have evolved from a motley collection of independent operators to cogs in a highly profitable industry, with increasing support from state actors armed with bottomless purses and patience.
Based on recent discussions with SMB IT managers, tech industry analysts, and cybersecurity experts, here are some tactical mistakes that SMB IT leaders are still tripping over:
- Not enough focus on patching known vulnerabilities. Like the weather, everyone talks about it, yet nobody seems to do anything about it. Average patch times are estimated at over 102 days (per Ponemon Institute).
- Inadequate vulnerability scanning. To quote Randy George, senior director of tech operations for the Boston Red Sox, "You can't force-rank the cyber issues that you need to remediate unless you know about them."
- Continued reliance on aging tools that can't address modern cyberthreats. The low-hanging fruit here is signature-based antivirus. When malware attacks are churned out with today's frequency -- Acronis counts 600,000 new samples every day -- nearly every attack is a zero-day that legacy antivirus products will not catch.
- Lack of investment in countermeasures driven by automation and artificial intelligence (AI). That 600,000-a-day number shows that cybercriminals have invested in those technologies with the goal of overwhelming your defenses. If you're not countering with analogous weapons, you're going to get swamped.
- Inexperience at managing and protecting new SaaS applications and their data stores — a juicy target for the bad guys.
- Inattention to rudimentary cybersecurity best practices, most embarrassingly: password strength. Last year's highly destructive SolarWinds software supply chain attack was enabled, in part, by the use of feeble user and administrator passwords. Nobody with career aspirations in cybersecurity wants their name on that forensics report.
Some good news exists in skills SMB tech staffs acquired during the pandemic, including:
- Managing and protecting a much larger population of remote workers, even when they rely on cruddy, consumer-grade home computing and network gear.
- Securing and providing adequate remote-access capacity for ubiquitous collaboration apps like Zoom and Microsoft Teams.
- Insisting on multifactor authentication, at least for the most sensitive corporate apps, e.g., those used by senior leaders with the power to transfer large sums of money.
- Prioritizing ransomware as the most pervasive and costly malware threat out there, though the quality of response strategies, notably whether and when to pay, varies widely among smaller businesses.
These skills are important, as the carefree days of 2019 are long gone. For the foreseeable future, we'll wrestle with larger remote workforces, more apps and data in the cloud, and more sophisticated adversaries. If you're an SMB IT pro who can actually spare some time to look ahead, here are a few tactics to consider:
- Find ways to close the tech gap with adversaries that has widened during the pandemic. Seek tools that add AI, automation, and tighter integration to your cybersecurity toolkit. Alternatively, partner with a managed service provider that has the tech and skills to deploy and manage them on your behalf.
- Focus on the ransomware threat, as it's likely to remain the meanest dog in the yard for the next year or so. Invest in modern, behavior-based anti-malware tools that can handle zero-day attacks. Shore up your data protection regimen as a last line of defense. Consider how you might respond if your defenses fail: know where to draw the line between paying and attempting recovery.
- Cultivate a cyber-aware culture across your organization from the top down. Phishing remains the most common attack vector, so just a small increase in "think before you click" acumen can yield big dividends.
The rest of 2021 won't be a cybersecurity cakewalk, but SMB IT pros who revisit their tools and processes now will have a better shot at enjoying the relative normalcy that lies ahead. If you'd like to see this discussion continue among some really smart tech operations and security folks, check out Acronis' "Playbook to Protect Your Users from Cyberthreats in 2021." For a complimentary e-book on defending against software supply-chain attacks like the SolarWinds breach, click here.
James R. Slaby is the Director of Cyber Protection at Acronis. He has also worked as an industry analyst covering cybersecurity, cloud services and networking at research firms like Forrester and the Yankee Group. With over 300 published tech research reports, he has been quoted in The Economist, The Wall Street Journal, and hundreds of tech publications. Slaby has also held product and solutions marketing roles at tech vendors including Sonus, Acme Packet, Bay Networks, and Motorola. Twitter: @jrslaby