SMB

One Size Does Not Fit All

How Small and Mid-Sized Businesses are Faring in the Cybersecurity Landscape

When threat actors are on the prowl for lucrative plans, they search for many types of data. Some focus on bank details or credit card numbers, while others zero in on medical information or other personal details. But according to the Verizon Data Breach Investigations Report (DBIR), credentials—typically pairs of usernames and passwords—are one of the most sought-after targets.

Many large organizations have financial resources and IT teams to help protect their networks. But, for small and mid-sized businesses, the time and money needed for cybersecurity initiatives don’t exist on the same scale. As data breaches continue to rise and new types of cyberattacks seem to be around every corner, what should SMBs be doing to stay safe?

Mike Greene writes that in terms of priorities, there are a couple of challenges that SMBs consistently face.

Aged Password Habits

One issue is password policies. The vast majority of people regularly re-use passwords. When users have many accounts to juggle, they typically choose passwords that are easy for them to remember. This means that users choose one root password that they favor, and then make slight variations on it for other accounts (personal and professional). For example, they might choose an initial password like “MovieLover” and then make changes to “M0vieL0ver” or “movielover2021”. This makes it easier for a user to remember, but it also makes it easier for threat actors to guess. If any credentials have been exposed in a previous breach, it’s practically marking a shortcut to cybercriminals.

Stuck Using Default Passwords

Small and mid-sized businesses are well-positioned to be the first real adopters of IoT devices. Many pieces of technology within that category can help SMBs reduce internal costs, increase their productivity, and streamline customer service. However, as the number of connected IoT devices climbs, security conversations must evolve. At the moment, many IoT devices are shipped with a ‘default password’ that users can then manually change before deploying—and unfortunately, very few actually do change the credentials. This is an easy way to leave your professional devices completely unsecured.

Not Knowing Which Authentication Method to Use

  • Multifactor Authentication (MFA) can be an excellent defensive strategy in an SMB’s cybersecurity policy, as it provides a layer of authentication completely separate from the password layer. In MFA/2FA, there are three categories of authentication: something you know (like a password), something you have (like a one-time code on a smartphone or a fob to scan something), and something you are (like your fingerprint or retina scan). If you set up MFA in addition to an existing password-based login, make sure you’re establishing something from a separate category. However, bear in mind that it can make the login process cumbersome. Considering the user experience is important because you don’t want additional layers of security to backfire.
  • Adaptive Authentication refers to a process where the system cross-references data about the employee trying to log in. This often includes checking the details of one’s IP address, the location of the devices, and previous login habits (for example time of day). However, to increase efficacy, these systems are typically hyper-sensitive, so they run on a ‘better safe than sorry’ policy. This means that users are often left feeling annoyed by what seems like an unwarranted security check.
  • Biometrics have an undeniable sparkle to them. Though biometrics like fingerprint and retina scans have been lauded for their potential for personal security, most sectors, especially the SMB sector, aren’t able to adopt such technology in any noteworthy capacity. Many devices, buildings, and systems are not equipped with biometric capabilities, and it would mean a complete sea-change if that were to happen. There are other reasons why biometrics are not the most efficient way forward in cybersecurity: they can’t be updated by the users (what happens if you injure your hand?), and the backup for many biometric systems is passwords, so the security is right back where it started.

In examining these common habits within the SMB sector, there is one point that stands out: there is no substitution for securing the password layer. As much as additional authentication strategies and re-written policies are welcome, if businesses aren’t locking their metaphorical front doors, they’re still at a massive risk for a break-in. 

Businesses need to move quickly and establish good password security because passwords are here to stay. Referring to the high standards indicated by NIST is a great place to start. A quick glance through the guidelines will show that one of the most transformative strategies is to screen for compromised credentials.

Screening for compromised credentials is a defensive strategy that addresses the issue directly. Accessing an automated screening service that continually checks passwords—at the moment when a new password is created as well as on an ongoing basis—is also one of the most cost-effective strategies. It takes the pressure off employees to create massively complex, unique passwords for each account, and the automated service means that it’s not draining time and resources away from other important aspects of the business.

Depending on both the size of your business and how integrated your services are into the digital landscape, it’s important to find solutions that fit your company and team. With a dynamic, customizable credential screening service like Enzoic, you’re off to a strong start.