When it comes to cybersecurity, a company is only ever as strong as its weakest password or its worst security habit. But while the case for cyber resilience has never been stronger, many of us still slip into bad habits and remain in denial about the true state of our exposure to cyber-attacks. As hack attacks on large enterprises grab the headlines, it’s easy to see why SMBs might fall into the trap of thinking they are far removed from the hackers’ radar, or even completely immune. However, there is an all too real and startling disconnect between this lackadaisical thinking and the true state of play. Robin Martin, Vice President, EMEA at LastPass, examines the issues.
1.3 million SMBs in the UK, or one-quarter of them, are facing a very serious risk of financial ruin, totally unequipped and unable to contend with the average cost of a cyber-attack. Although the pandemic proved to be an eye opener, prompting many more SMBs to build in defences amid the overnight necessity of remote working, many still remain complacent and show no signs of walking the urgent walk towards robust cybersecurity practice. In new IDC research, commissioned by LastPass, 98% of businesses surveyed revealed that remote working has affected their security operations, while the Department for Culture, Media and Sport reports that only a third of SMBs have conducted a cyber risk evaluation.
The truth is, the threat to SMBs isn’t on the horizon; it’s here now. Lisa Ventura, the CEO and founder of the UK Cyber Security Association, recently warned that cybercriminals are increasingly targeting SMBs because they are becoming aware of the widening gaps in smaller organisations’ IT protection, spawned by a “head in the sand” culture.
Coronavirus gave rise to a new digital pandemic, with cybercriminals taking advantage to launch huge offensives against mass targets – large and small. And with the world tentatively taking steps into a post-COVID future, the attacks show no signs of slowing down. In the post-pandemic security landscape, SMBs are increasingly at risk of cyber breaches. They also continue to face challenges in managing a higher volume of remote employees. Leaders can no longer rely on pre-pandemic protocols, policies, and infrastructures to keep data secure.
Bad hygiene promotes dirty tactics
While some cybercriminals can launch highly sophisticated attacks that outfox security professionals, many rely on easily striking unprepared targets using low-effort, tried-and-tested methods. As described in LastPass’ latest research, 83% of organisations have suffered security breaches resulting from compromised passwords or identity compromise tactics, such as phishing. This is made possible by inadequate security on home networks, employees accessing corporate data and applications on inadequately protected devices, and poor password hygiene.
As the Infosec Institute puts it, “Attackers don’t hack in: They log in with your credentials.”
Poor password hygiene is a seemingly perpetual issue that not only pervades personal internet habits but also seeps into employees’ working lives, putting their wider organisation at risk. Employees struggle to remember the 50 or more passwords they require to do their jobs. This inevitably leads to employees reusing passwords for multiple accounts – a 2019 Google survey found that 65% of people do just this – and hackers are ready to take full advantage of this shortcut. Similarly, LastPass found that 32% of small businesses say their employees struggle with too many passwords. We know that a strong password is at least 16 characters long and includes a mix of capital and lowercase letters as well as numbers and symbols, but there is a disconnect between awareness and action. A password management solution can help create and store strong passwords, and can automatically enter credentials when you return to a website to log in.
With the rise of dark web password marketplaces, cybercriminals can purchase lists of usernames and passwords, which they can then use to automate login attempts against popular services such as Microsoft 365 or Google, which are increasingly powering remote working models. This ‘spray and pray’ approach means that when criminals successfully hit a target, they can access accounts easily, often without leaving a trace. Putting a stop to password reuse is, therefore, a foundation stone of any security policy. Ensuring you have a dark web monitoring service doesn’t hurt either.
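The ‘spray and pray’ pattern described above has a recognisable shape in authentication logs: one source address produces a small number of failed logins spread across many different accounts, rather than many failures against one account. The detector below is an added illustration written for this article, not LastPass code or any product’s logic; the log format (`timestamp result user=… src=…`) and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned against a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<source ip>"
# Source 203.0.113.7 fails once against five different accounts and then
# succeeds against a sixth: the spray shape. Source 198.51.100.4 is one
# user mistyping their own password twice, which should not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:11 OK user=frank src=203.0.113.7
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.4
2024-03-01T09:01:30 FAIL user=alice src=198.51.100.4
2024-03-01T09:02:00 OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins touch >= min_users distinct accounts
    inside any sliding time window of length `window` (thresholds are assumed
    starting points). For each flagged source also list accounts that logged
    in successfully from it anywhere in the log: those are the first to reset."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                successes = sorted({user for _, result, user in evs if result == "OK"})
                alerts[src] = {"distinct_failed_users": len(users),
                               "successes": successes}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: "
              f"{info['distinct_failed_users']} accounts tried, "
              f"successful logins: {info['successes'] or 'none'}")
```

The key design choice is counting distinct accounts per source rather than total failures: a single user who forgets a password generates many failures against one account and stays below `min_users`, while a spray stays well under any per-account lockout threshold and is only visible when failures are grouped by source. The `successes` field is what turns the alert into an action, since a successful login from a spraying source identifies the reused or weak credential to reset first.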
This doesn’t mean that blame should be levelled at employees who do reuse logins. They do so for speed and ease, needing to access different tools and systems outside of a traditional office, and expecting them to manage dozens of credentials is a tall ask. This challenge highlights a greater need for organisations to adopt identity and access management solutions that work with all employees, are capable of securing every credential in the company and promote the right security behaviours supported by easy-to-use tools.
Better Safe than Sorry
When it comes to cybersecurity, prevention is always better than cure. With the average cost of a cyberattack on an SMB standing at around £20k, investing in security makes more than just financial sense. The impact of a breach on day-to-day operations and long-term reputation can prove fatal. In recognition of this, SMBs will increase spending on cybersecurity by more than $30 billion in the next four years.
Among these preventative measures, the most popular small business cybersecurity steps include limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best practices (34%). Ideally, these core steps should already be implemented by businesses, but as these figures show, take-up is still worryingly low.
Considering the ease with which hackers take advantage of lax password hygiene, it is especially concerning that nearly a third of businesses say their organisation is too small to need solutions such as Single Sign-On (SSO) and Multifactor Authentication (MFA). As has been proven, no organisation is too small to be a target for cybercriminals, and therefore no organisation is too small to require strong password and access security.
Single sign-on grants authorised employees or users access to applications with one set of login credentials, based on a user’s identity and permissions, rather than requiring them to memorise multiple strong passwords. With SSO, IT admins have visibility into which users have access to each application and can simply authorise or remove a user’s access to an application when required.
MFA also makes accounts more secure. For example, using an app to generate a code or to receive a notification on your device helps to prove that the person logging into the account is who they say they are. Any unauthorised access gets shut down in real time.
Employee security is vital
With hackers primed to take advantage of the remote work revolution, and expert at finding the weak links in any security strategy, the fact remains that the biggest threat to an enterprise’s security is people. It doesn’t matter how robust everything else is: when 85% of breaches involve human intervention, proper password management solutions are essential to keep cyber risks low. Businesses, therefore, need to make security easy so that employees can focus their time and efforts on the things that really matter. Educating employees in best password hygiene practices, and incorporating technology to enforce those practices with password managers, SSO and MFA, can provide a robust approach for SMBs.
Enabling a password manager creates a universal and user-friendly solution to allow employees to securely access the tools they need to effectively do their job. Adopting a password management solution puts the employee in control, helping to drive security awareness and transforming users into one of the strongest defences against potential security threats.
Although cost makes it impractical for every SMB to afford an in-house security expert offering round-the-clock best practice support, not having the resources to do everything doesn’t mean that you should do nothing. As the interim CEO at the UK Cyber Security Council, Don Macintyre, says: “It only takes one conversation with a security expert and some very simple measures put in place, then they can adequately protect themselves and their customers from threats, and go back to fully concentrating on running their business.”
The new hybrid working world opens up a host of dynamic and agile ways to do business today. However, access and identity controls are at the heart of getting ahead of the many and varied security risks of the future of work. An all-inclusive, user-friendly solution needs to be implemented by companies of all sizes so that employees can work efficiently and get on with the day-to-day job at hand.