7 of the most common SMC cybersecurity vulnerabilities

Przemyslaw Orlik Product Manager, Microsoft Security

Cyberattacks and data breaches are a major risk for almost all small and medium-sized companies (SMCs). Studies show that over 40% of cyberattacks target SMCs, and the effects can be devastating. Up to 60% of SMCs that become victims of cyberattacks go out of business within six months.

To reduce your risk of being breached, it is vital to identify weak points in your security posture. At SoftwareOne, we help SMCs around the world to shore up their defenses. Through our work, we have identified seven causes of security vulnerabilities that we see over and again.

In this article, you’ll learn:

  • What we mean by ‘cybersecurity vulnerabilities’
  • The seven most common causes of SMC security vulnerabilities
  • Why it’s a myth that SMCs can’t be as secure as big firms

Defining cybersecurity vulnerabilities

A cybersecurity vulnerability is any weakness in your defenses that malicious actors can exploit. These weaknesses can come in a variety of forms – and fall into three broad categories:

  • The human factor: Attackers will use a variety of methods to manipulate your employees and get access to your systems.
  • Configuration issues/technical problems: Attackers will exploit poorly configured systems to gain access in various ways.
  • Physical access: Less common but still important, malicious actors can physically enter your facilities and steal information.

7 common causes of SMC cyber vulnerabilities

Drawing on independent research and our own experience of working with SMCs worldwide, we’ve identified seven of the most common underlying causes of cybersecurity vulnerabilities.

1. Insufficient employee training

The human factor remains the primary cause of cybersecurity breaches in organizations today. A 2024 Verizon study found that 68% of breaches are ultimately linked to things like:

  • Employees clicking on links in phishing emails
  • Staff downloading infected files to company devices
  • People using unsecured networks while working remotely

The solution here is employee training. Staff should be kept up to date on best practices and regularly reminded about cybersecurity risks.

Unfortunately, insufficient training remains a major problem among SMCs. For instance, one 2024 survey in the UK found that 48% of small businesses offer no cybersecurity training at all.

2. Failure to apply patches in a timely manner

Any operating system or business application can contain vulnerabilities. The publishers of this software will regularly make patches available when weaknesses are identified. It is then the responsibility of their customers to update their software with these patches.

The problem, however, is that as soon as developers release patches, cybercriminals are alerted that there is a weakness in the software. These criminals will then try to find companies using that software and exploit the weakness.

Despite the risk, many companies fail to roll out patches fast enough. Even for critical patches, it took the average company over 200 days to install them in 2024.

3. Absence of systematic data backup

At some point, your business is likely to experience a cybersecurity breach. Microsoft reports that 31% of SMCs have already been victims of attacks, and these numbers are continually rising.

If you ever do fall victim to ransomware, then having backups for your files, data and systems is the difference between mere inconvenience and major disaster. Backups mean that, even if cybercriminals do manage to lock you out of your environment, you can simply restore your data to an earlier date. That means employees can continue to work, and disruption is minimized.

However, worryingly few SMCs perform backups in a systematic fashion (a 2020 survey found that a fifth of SMCs had no backup process in place). In an ideal world, systematic backups should be done weekly or even daily. But few SMCs back up content anywhere near as frequently.


4. Weak authentication procedures

Thanks to advances in consumer technology, most of us are now familiar with using biometric data or e-mail confirmation to approve logins for our devices, banking apps or social media. Yet when it comes to authentication in the workplace, many small and medium-sized companies continue to use weak and outdated processes.

If your firm continues to rely on basic usernames and passwords, you run a high risk of being breached. Determined attackers can overcome basic password protection with brute-force attacks, using automated tools to guess passwords. At a minimum, all SMCs today should be using two-factor authentication.

5. Unprotected devices

At many SMCs, employees use multiple devices to do their work. This includes company-owned desktops, laptops, tablets and mobiles, as well as their own personal devices. Other tech, including printers, TVs, IoT and industrial machines are often internet-connected too.

All this technology can be a boon for productivity. But it must also be monitored, since any connected device can present a back door into your systems. Unfortunately, many SMCs fail to monitor activity on these devices and fail to identify suspicious behavior.


6. Poorly managed access controls

At many SMCs, the traditional approach to access management remains the norm. Cybersecurity is treated like the walls of a castle. Firewalls and passwords keep most attackers out. But if they manage to get past the ‘castle walls’, they can do almost anything they want. If a hacker is using stolen credentials, or an employee with a grudge decides to steal company files, there is very little you can do when someone has broken past the first layer of defense.

Advanced access controls allow you to build more internal barriers and prevent malicious actors from exploiting your data. Using Zero Trust policies, for instance, you can configure access so that people are only given permission to see certain kinds of content based on things like their job role or IP address. So, even if someone does get through your external walls, there's a limited amount of damage they can do once inside.
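To make the castle-wall versus internal-barrier contrast concrete, here is an added example (not code from SoftwareOne or from the original article) that evaluates the same requests under both models. The roles, resources, network ranges and scenario requests are constructed for illustration; the zero-trust evaluator also enforces the second factor that section 4 calls for.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy (hypothetical roles, resources and networks):
# (role, action, resource) -> networks from which that access is permitted.
POLICY = {
    ("finance", "read", "invoices"): ["10.0.0.0/8"],
    ("finance", "write", "invoices"): ["10.0.10.0/24"],   # only the finance VLAN
    ("hr", "read", "personnel"): ["10.0.0.0/8"],
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    resource: str
    source_ip: str
    mfa_passed: bool

def castle_wall(req: Request) -> bool:
    """Perimeter model: once the login succeeded, everything inside is reachable."""
    return True

def zero_trust(req: Request) -> tuple[bool, str]:
    """Check every request against role, resource and source network. Default deny."""
    if not req.mfa_passed:
        return False, "second factor not satisfied"
    networks = POLICY.get((req.role, req.action, req.resource))
    if networks is None:
        return False, f"role {req.role!r} may not {req.action} {req.resource}"
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in networks):
        return False, f"{req.source_ip} is not an allowed network for this access"
    return True, "allowed"

# Constructed scenarios from the text: stolen credentials used from outside,
# an insider reaching beyond their role, a login without a second factor, and a legitimate request.
SCENARIOS = {
    "stolen_creds_external": Request("alice", "finance", "read", "invoices", "203.0.113.7", True),
    "insider_out_of_role":   Request("bob", "finance", "read", "personnel", "10.0.10.5", True),
    "no_second_factor":      Request("alice", "finance", "read", "invoices", "10.0.10.5", False),
    "legitimate":            Request("alice", "finance", "write", "invoices", "10.0.10.5", True),
}

def compare() -> dict[str, tuple[bool, bool]]:
    """Per scenario: (allowed under castle-wall model, allowed under zero-trust model)."""
    return {name: (castle_wall(r), zero_trust(r)[0]) for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (wall, zt) in compare().items():
        print(f"{name:24} castle-wall={wall!s:5} zero-trust={zt}")
```

Only the legitimate request passes the zero-trust check, while the perimeter model lets all four through once the login has succeeded.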

7. Inadequate security for in-house applications

It is increasingly common for SMCs to build their own in-house applications (either to support employees with specific tasks or for customers). But whether you coded these yourself or used app-building platforms, it is incredibly important to keep these apps patched and protected.

These kinds of apps are often a target for cybercriminals precisely because they know that internal teams have less time and fewer resources to keep them secure.

The myth that cybersecurity is only for big businesses

“SMBs have got the same [cybersecurity] issues, and the same needs as the bigger companies” - Peter Glenstrup, Arctic Wolf, speaking on a SoftwareOne Cybersecurity Panel Discussion.

There is a common misconception that only large companies with big budgets can achieve high standards of cybersecurity.

But is this really true? In a 2024 survey by Cisco, large companies were indeed more likely to be identified as ‘mature’ or ‘progressive’ in terms of their cybersecurity posture. But not by much. The study found 37% of large companies had a good posture, as did 34% of mid-size companies, and 20% of small businesses.

So, if you run a small or medium-sized business, it is absolutely possible for you to have a world-class standard of security.


Small and medium-size companies’ cybersecurity advantage

Through our work with SMCs, we know it is very common for them to have significant cybersecurity vulnerabilities. However, while these risks should not be downplayed, SMCs also have a serious advantage when it comes to addressing them.

Since SMCs tend to have a smaller IT footprint, use fewer applications, and rely less on legacy technology, it is often much simpler and more affordable for them to upgrade and modernize their security to the highest standards.

And with SoftwareOne’s Cybersecurity Managed Service for Microsoft, we can help your business transform its security posture and address its vulnerabilities for the long term. Learn more about our Cybersecurity Managed Service for Microsoft here.
