
Small and medium-sized businesses (SMBs) are vital to the Icelandic economy. In 2019, a news report on the SA – Confederation of Icelandic Enterprise website stated that approximately 99% of Icelandic companies are classified as small or medium-sized. These companies generate about 73% of all jobs in the country. In a global context, one could say that almost everything in Iceland is small. The Icelandic motto “þetta reddast” (it will all work out) has carried us quite far despite our size, but the downside of this mindset can be a lack of organization and an inability to prepare for the unexpected—such as a cyberattack. We often believe we are too small to attract attention and that nothing will happen to us, right until the worst occurs. In this article, we will examine the three main cybersecurity threats to SMBs.
Thinking you are not a target
This is perhaps the biggest mistake a small business can make: believing it is too small to need to invest in cybersecurity because it assumes it isn't a target.
Life would be much easier if there were a minimum size limit for companies that cybercriminals target, but unfortunately, that is not the case. While there are large cybercrime syndicates that don’t bother with small businesses, for every hunter chasing big fish, there are thousands of others happy to catch minnows. It is estimated that approximately 75% of ransomware victims are small businesses.
Cybercriminals are using artificial intelligence, probably to a greater degree than the rest of us. So chances are good that even the large cybercrime syndicates are starting to attack small businesses because it requires little extra effort on their part.
Believing you can strengthen your company’s security later simply means neglecting the fundamentals of cybersecurity now. This leads to serious errors, such as:
- Using old, unsupported versions of Windows and macOS
- Failing to update third-party apps
- Granting administrative access to everyone
- Enabling RDP (Remote Desktop Protocol) unnecessarily (and failing to secure it when you do)
- Leaving unused or insecure ports open on the firewall
- Reusing passwords
- Storing passwords unencrypted
- Failing to use multi-factor authentication (MFA)
- Running outdated versions of Exchange within the organization
It is never too early to tackle cybersecurity. The longer you postpone it, the more expensive and difficult the task becomes. It is like dental hygiene: if you brush at least twice a day and visit the dentist regularly for maintenance and preventative care, you should be able to keep your teeth healthy. If not, it is almost certain that a massive and expensive repair will be needed once you develop a severe toothache.
Make no mistake: cybercriminals will attempt to use your Exchange server to distribute ransomware. They will try to breach your RDP server, they will attempt to inject credit card skimmers into your website, they will try to trick you into downloading malware, they will target you with phishing, and they will send you more malicious attachments than you can imagine (and your employees will click on them).
Waiting for something bad to happen
Another red flag is a lack of preventative security measures. We recognize that in small businesses, everyone often needs to be a jack-of-all-trades. Frequently, IT and technical matters fall to the employee who is most proficient in that area, even if they have no formal education in the field. This is perfectly understandable when staff numbers are low and there is limited scope to hire specialized personnel. Few Icelandic companies likely have a dedicated security or technical manager. Consequently, cybersecurity is often not a priority, and daily monitoring is especially overlooked.
A “wait and see” approach is often a symptom of not hiring qualified IT staff, having too few IT employees, or a lack of security awareness among the workforce.
What if there were a company that offered cybersecurity consulting? Or a virtual CISO service? Or training to educate your staff? Or even all of the above?
Pssst… we do 😉
Assuming everything will be fine
Any undetected or unaddressed breach in your computer systems can lead to ransomware being deployed. The criminals’ goal is not just one computer, but the entire company. The whole system. Compromised. This makes ransomware a genuine threat. To put this in perspective, none of us expect a fire every day, but we are obligated to prepare for one, do everything to prevent it, and be ready if one starts. Ransomware is like a fire, and small businesses are often at particular risk.
As the saying goes, “failing to plan is planning to fail.” Symptoms of a lack of security planning include:
- Lack of an incident response plan
- Failing to perform backups
- Not testing whether your backup software actually works
- Not storing backups where criminals cannot reach them
If the worst happens, you will certainly wish you had planned your response in advance. You will wish you had known how to identify and isolate an attack, and that you had decided which data and assets are most critical, which should be restored first, what is required to do so, and who is responsible. You will likely wish you had prepared for it all.
If you simply assume nothing will happen to you, or that you will be fine if it does, you may be forced to pay a ransom to cybercriminals. We assume you would prefer to avoid that. To gain some insight into what it is like to experience such an attack, we recommend this news report:
https://www.mbl.is/frettir/innlent/2021/09/23/fjarhagslegt_tjon_vel_a_annan_tug_milljona
To summarize the advice provided here, it is worth borrowing a slogan from another company: “don’t do nothing.” Start immediately to put yourself, your company, and your staff on the path to cybersecurity for everyone’s sake. Cybersecurity, clear processes, and trusted systems provide employees with peace of mind. When everyone knows what to do, how to react, and how to prevent attacks, everyone is happy. Except, perhaps, the criminals.
At Öruggt Net ehf, we offer education, prevention, training, audits, software subscriptions, consulting, hardware, and virtual CISO services. Contact us today to book a free consultation.
