There’s No Such Thing as a Small Lunch: Debunking Myths about Cybersecurity

This article addresses some of the most common myths I’ve heard from SMBs during my years working in the IT industry. The goal is not to conclude that “cybersecurity is important,” a statement so widely repeated that it no longer tells anyone anything. The goal is to support the small business owner, whose first concern is running the business, in seeing how small, concrete steps make a difference in everyday operations.

“We’re a small business, I highly doubt that we could be a target”

According to Terranova Security, 46% of cybersecurity incidents hit companies with 1,000 employees or fewer. Small businesses are often the preferred target precisely because they typically have weaker defenses than larger enterprises. Attackers take advantage of that gap, and the techniques they use do not need to be sophisticated to succeed against a business where nobody is watching for them.

Additionally, small businesses are part of supply chains and networks that larger businesses and organizations operate in, making them potential entry points for cyber attacks aiming at larger targets. Ignoring cybersecurity based on the belief that a business is too small to be a target is a dangerous misconception that could lead to devastating consequences.

“Cybersecurity is just too expensive and hard to implement”

In my opinion, there are two ways to look at this statement:

  1. What exactly is expensive?
  2. Is the remedy more expensive than the disease?

Cybersecurity is usually a matter of layers. Some controls and tools are genuinely hard for a small business to buy and operate, but that doesn’t mean nothing can be done.

Start with the least expensive, and typically most vulnerable, layer: people. Train yourself and your employees on which behaviors to avoid, how data should be stored, and what common bad practices look like.

Let’s talk about the second perspective. While implementing robust cybersecurity measures may require an initial investment, the cost of a cyber attack can be far greater. According to the same Terranova Security study, 60% of small businesses that suffer a cyber attack go out of business as a result.

The financial losses due to data breaches, legal liabilities, damage to reputation, and potential loss of customers far outweigh the initial investment in cybersecurity. Moreover, there are cost-effective cybersecurity solutions tailored for small and medium businesses, including cloud-based security services, managed security providers, and open-source security tools. 

Additionally, many governments and industry associations offer resources and guidance to help small businesses improve their cybersecurity posture at minimal or no cost.

“We’re just designing a couple of product ideas, it’s still too early to talk about cybersecurity”

This is something I’ve heard a lot, and it makes complete sense from the business standpoint, but please be aware of this: it’s never too early to consider cybersecurity. Cyber threats can target businesses at any stage of development, including during the product ideation phase. Incorporating cybersecurity best practices early in the design and development process can save time, resources, and potential reputational damage further down the line. A flaw caught in a design review costs an afternoon; the same flaw found after launch costs a rewrite, a disclosure to customers, or both.

By integrating security features into product designs from the outset, businesses can build trust with customers, investors, and partners, demonstrating a commitment to protecting sensitive information and ensuring the integrity and reliability of their products.

“We don’t have an internal network, there’s nothing we should worry about”

People often assume that cybersecurity only matters for IT companies, or for companies large enough to run their own internal network.

This is simply not true if your business process involves any type of data transmission or storage, which is the case for the majority of companies. What counts as data transmission? Something as mundane as sending an SMS or WhatsApp message, emailing a price quote, or storing customers’ personal information for marketing purposes.

Not having an internal network may reduce some cybersecurity risks, but it doesn’t eliminate them. External threats such as phishing, malware, ransomware, and supply chain compromises still pose significant risks to businesses without internal networks. Additionally, employees’ use of personal devices and access to external networks can introduce weaknesses that need to be addressed.

Cybersecurity is not solely about protecting internal networks but about safeguarding all digital assets, systems, and communication channels, wherever they live. Therefore, even businesses without internal networks should prioritize cybersecurity to keep up with an evolving threat landscape.

How can I improve my cybersecurity posture?

Improving your cybersecurity posture is an ever-evolving process and should be treated as continuous improvement. Nevertheless, there are some basic tenets you can start working on:

  • Employee Training and Awareness: Invest in cybersecurity training for employees to raise awareness about common cyber threats, such as phishing, social engineering, and malware. Educating staff on how to identify and respond to potential threats can significantly reduce the risk of successful cyber attacks.
  • Implement Strong Password Policies: Enforce long, unique passwords and multi-factor authentication (MFA) for accessing company systems and accounts. Length and uniqueness matter more than forced character complexity or periodic rotation; a password manager is what makes a unique password per account practical for employees.
  • Regular Software Updates and Patch Management: Ensure that all software, operating systems, and applications are regularly updated with the latest security patches. Many cyber attacks exploit known vulnerabilities in outdated software, so staying up-to-date is crucial for mitigating these risks.
  • Backup and Disaster Recovery Planning: Establish regular data backup procedures and implement a disaster recovery plan to ensure business continuity in the event of a cyber attack or data breach. Backing up data to secure, off-site locations that ransomware on the office network cannot reach helps mitigate ransomware and other data loss incidents. A backup that has never been restored is not yet a backup: test restores periodically.
  • Engage with Industry Resources and Government Programs: Take advantage of free resources, guidance, and training offered by industry associations, government agencies, and cybersecurity organizations. Many governments have cybersecurity initiatives aimed at supporting small businesses and providing access to educational resources and best practices.
  • Outsource to Managed Security Service Providers (MSSPs): Consider outsourcing some aspects of cybersecurity to MSSPs that specialize in providing affordable security services for small and medium businesses. MSSPs can offer expertise, 24/7 monitoring, and incident response capabilities at a fraction of the cost of maintaining an in-house security team.
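As an added example (not code from this article or from Red Sentry), here is a password-policy check of the kind the “strong password policies” tenet calls for, written along the lines of NIST SP 800-63B: it enforces length, screens against a breached-password list, rejects passwords containing company or user names, and deliberately imposes no uppercase/digit/symbol composition rule. The breached list, the 12-character minimum and the context words are assumptions constructed for the example.

```python
"""Password-policy check in the spirit of NIST SP 800-63B.

Added example; not code from the article or from Red Sentry.
Assumptions: the breached-password list below is a constructed stand-in
for a real corpus (for instance a Have I Been Pwned range lookup), and
the 12-character minimum is a policy choice, not a value from the article.
"""
import hashlib
import unicodedata

MIN_LENGTH = 12   # policy choice (assumption); NIST allows 8 and favours longer
MAX_LENGTH = 128  # allow long passphrases, but bound the input size

# Constructed sample of breached passwords, stored as upper-case SHA-1
# digests the way HIBP-style lists are published. Replace with a real corpus.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123!", "qwerty123456", "letmein2024", "Summer2024!")
}


def _normalize(pw: str) -> str:
    # NFKC normalization before measuring length, so a composed character
    # and its decomposed form count as the same secret (NIST 800-63B 5.1.1.2).
    return unicodedata.normalize("NFKC", pw)


def check_password(password: str, context_words=()) -> list[str]:
    """Return a list of policy violations; an empty list means accepted.

    context_words: username, company name, product names and similar strings
    that must not appear inside the password (case-insensitive).
    There is intentionally no "must contain a digit/symbol" rule: such rules
    push users toward predictable patterns like "Summer2024!".
    """
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in _BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    lowered = pw.lower()
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    # Long but repetitive strings ("aaaaaaaaaaaa", "abababababab") pass the
    # length check yet are trivial to guess; reject them on character variety.
    if len(set(lowered)) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple", "AcmeCorp-rocks-2024"):
        print(candidate, "->", check_password(candidate, context_words=["AcmeCorp"]) or "accepted")
```

This check belongs at account creation and password change, not at login. MFA cannot be enforced by a checker like this; it is switched on in the identity provider or the SaaS admin console, and it is the control that limits the damage when a password does leak.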

Then, as you start growing your business it’s important to consider the following aspects as a natural progression:

  • Use of Security Tools and Solutions: Leverage cost-effective cybersecurity tools and solutions, such as antivirus software, firewalls, intrusion detection systems (IDS), and endpoint protection platforms (EPP). Many reputable vendors offer affordable, or even free, versions of these tools tailored for small businesses.
  • Cloud-Based Security Services: Consider adopting cloud-based security services, such as email filtering, web filtering, and threat intelligence platforms. Cloud-based solutions often offer scalable and cost-effective security features without the need for extensive hardware or infrastructure investments.
  • Establish Security Policies and Procedures: Develop and enforce cybersecurity policies and procedures tailored to the organization's specific needs and risks. Clearly communicate these policies to employees and ensure regular reviews and updates to address evolving threats and regulatory requirements.
  • Regular Security Assessments and Audits: Conduct periodic security assessments and audits to identify vulnerabilities, gaps, and areas for improvement in the organization's cybersecurity posture. This proactive approach can help prioritize investments and ensure continuous improvement over time.

Don't panic if it’s too much information to start with. Here at Red Sentry, we know cybersecurity is not an easy thing but we always try to make it as affordable as possible for companies like yours, delivering quality services and products to let you focus on your business.

Andres Pena
Security engineer, developer and economist
