Tips to help create a strong security culture within your small business

Author: A.J. O'Connell

The media attention on cyber attacks against large enterprises may create a false sense of security for smaller organizations, according to the small and mid-sized business (SMB) snapshot of the Verizon 2022 Data Breach Investigations Report (DBIR). Small businesses may think they're flying under the radar with threat actors because there is less to steal. After all, why worry about your security culture when attackers are likely to get more money and more data from larger organizations, right?

Unfortunately, that's not the case for a number of reasons:

  • Threat actors may have a "we'll take anything we can get" philosophy.
  • Large enterprises have large resources, allowing them to afford leading IT staff and technology as part of their defenses.
  • Smaller organizations may have limited resources which may equate to out-of-date technology and untrained staff.
  • Cyber incidents may put SMBs out of business.

Of the total incidents and breaches where it was known whether the victim organization was an SMB or a large organization, SMBs were subject to three times as many incidents and breaches as enterprises.

Fortunately, one of the best defenses for SMBs does not require large and expensive investments in personnel and technology but simply a commitment to a strong information security culture.

What is information security culture?

Information security culture refers to an organization's collective approach to security: the attitudes, assumptions, beliefs, values, and knowledge that employees, leadership, and other stakeholders use in order to interact with the organization's information network systems and information security procedures. However, a strong information security culture doesn't just grow on its own. The creation of a strong information security culture requires effort, planning, and leadership, as well as a realistic idea of the cyber risks threatening SMBs.

The most common threats facing small businesses

In helping to create a strong small business security culture within your own organization, it's important to consider the most common threats facing SMBs today:

  1. Ransomware. According to the 2022 DBIR SMB snapshot, the most pressing threat is ransomware, which has been on the rise in all sectors. Three-quarters of attacks on small businesses in the last year included ransomware, the report finds. Ransomware, or malicious software that encrypts a company's data so that it cannot be viewed or used until a large ransom is paid to the attacker, has the ability to financially ruin an organization, disrupt business operations, and expose sensitive data.
  2. Credential theft. About 70% of attacks on small businesses involved the use of stolen credentials, such as passwords and usernames, according to the DBIR. There is no one way to get a hold of credentials; criminals can steal credentials either by attacking your organization directly through brute-force attacks (using automated tools to guess your password by trying many different combinations of letters and numbers) or by using malware. You can also experience a less direct attack when attackers compromise another site and reuse your password from that site. Attackers can also attempt to trick you using social engineering—sending you a message that appears to be from a trusted source, such as a friend, colleague or organization.
  3. Phishing and smishing. Two similar types of social engineering attacks, in which an attacker sends a message pretending to be someone else. Phishing attacks are delivered through email, while smishing attacks are delivered through text message. The goal of both is often to get you to click on a malicious link, download malware, or input credentials. Verizon observed an overall phishing click rate of 2.9% in the 2022 DBIR.
  4. Pretexting. A social engineering attack in which the attacker impersonates a business partner, a vendor, or a leader in your company in order to gain information or a transfer of funds.
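The brute-force credential attacks described in the credential theft item above leave a recognizable trail: many failed logins from one source address in a short window, often followed by a success. The script below is an added example, not code from the article or from Verizon; it runs a sliding-window threshold over a few constructed sshd-style log lines (the addresses, usernames and timestamps are invented for the example) and then lists any login that succeeded from a flagged source, which is the event a small business most needs to notice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). 203.0.113.7 hammers several
# accounts and finally gets in as "jane"; 198.51.100.4 is ordinary user error.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[201]: Failed password for admin from 203.0.113.7 port 5001
2024-03-01T09:00:03 sshd[202]: Failed password for admin from 203.0.113.7 port 5002
2024-03-01T09:00:04 sshd[203]: Failed password for root from 203.0.113.7 port 5003
2024-03-01T09:00:06 sshd[204]: Failed password for admin from 203.0.113.7 port 5004
2024-03-01T09:00:08 sshd[205]: Failed password for jane from 203.0.113.7 port 5005
2024-03-01T09:00:09 sshd[206]: Accepted password for jane from 203.0.113.7 port 5006
2024-03-01T09:15:00 sshd[207]: Failed password for bob from 198.51.100.4 port 6001
2024-03-01T10:30:00 sshd[208]: Failed password for bob from 198.51.100.4 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every source address that
    produced at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Successful logins from a flagged source: the alerts worth paging on."""
    return [(e["ip"], e["user"]) for e in events if e["ok"] and e["ip"] in flagged]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_bruteforce(evs)
    print("brute-force sources:", hits)
    print("successful logins from those sources:", successes_from_flagged(evs, hits))
```

The threshold and window are deliberately parameters: a shop with a handful of staff can set them low, while the second address in the sample (two failures over an hour and a quarter) shows why a count alone, without a time window, would produce noise.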

Tips for creating a small business security culture

Just as no two companies are the same, no two security cultures will be the same. The culture you build should mirror your workplace values, your small business security processes, and the attitudes of your employees and leadership. Regardless of size, all strong information security cultures tend to have a few things in common:

  • Buy-in starts at the top. If leadership doesn't set a strong example, employees are less likely to buy into the importance of security themselves. Leadership should instill cyber security awareness and best practices into their organizational culture.
  • Training and education. Unfortunately, human beings tend to be the weakest link when it comes to information security. 82% of all the cyber incidents studied in the 2022 DBIR contained a human element such as user error or social engineering attacks.
  • Consistent messaging. Your employees should receive consistent communication when it comes to cyber security awareness. For example, if cyber security training states that personal devices are banned at work, employees should not see a manager using a personal mobile phone on the job.
  • Use secure authentication tools like multi-factor authentication (MFA). It's no secret that passwords can be a weak spot in many organizations' cyber security strategies. Most users don't have the best password hygiene; in fact, GitHub's list of common passwords lists the most-used password as "123456." The second most common is "password." To prevent credential-related attacks, implementing MFA by requiring users to use another form of authentication, like a code in a text message or biometrics, can help protect both passwords and networks.
  • Implement zero trust. The zero trust security model is an approach to security requiring all devices, users, and applications connected to a network to be continuously verified and authorized. The reason? Even if a device was previously authenticated, it may have been compromised since its last connection. Zero trust is a way to help create safer wireless connections between devices both on site and remotely.
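MFA is the control the article recommends for credential attacks, but the password hygiene point above can also be enforced at password-set time by screening new passwords against a common-password list. The function below is an added example, not code from the article or from Verizon: it uses a tiny constructed deny list containing the two entries the article names (a real deployment would load a full list such as the GitHub one mentioned) and, going a step beyond a plain lookup, normalizes away the trailing digits and character substitutions that users add to sneak a banned word past a naive check.

```python
import re

# Constructed deny list for the example. Only "123456" and "password" come
# from the article; a real check should load a complete published list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

# Substitutions users commonly make so that "password" still looks compliant.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "4": "a"})


def variants(pw):
    """Return the forms of `pw` that are compared against the deny list:
    lowercase, with trailing digits/punctuation removed, and de-leeted."""
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)   # "letmein2024!" -> "letmein"
    deleeted = stripped.translate(LEET)         # "p@ssw0rd"     -> "password"
    return {v for v in (base, stripped, deleeted) if v}


def check_password(pw, min_length=12, denylist=COMMON_PASSWORDS):
    """Return a list of findings; an empty list means the password passes.
    Length is checked first because a long passphrase is the cheapest win."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if pw.lower() in denylist:
        findings.append("exact match on common-password list")
    elif variants(pw) & denylist:
        findings.append("trivial variant of a common password")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "letmein2024!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The check is intentionally conservative about what it normalizes: it only strips characters from the end and only undoes a short table of substitutions, so it catches the variants people actually type without rejecting genuinely random strings that happen to contain a digit.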

Small business security culture

It’s important to nurture an ever-evolving small business security culture by taking a proactive approach. Whether that’s protecting a single store or an online business, you need security solutions that are simple to use but sophisticated enough to help keep modern cyber threats at bay.

Learn more about how Verizon can help create a strong small business cyber security culture to keep your data safe.

The author of this content is a paid contributor for Verizon.