

Seven of the most common SMC cybersecurity vulnerabilities

Przemyslaw Orlik, Product Manager, Microsoft Security

Many people assume that cyberattacks and data breaches are only really an issue for large enterprises. But while it is true that cybercriminals tend to target bigger organisations, almost all small and medium-sized companies (SMCs) are also at risk.

Studies show that over 40% of cyberattacks target SMCs, and the effects can be devastating. Up to 60% of SMCs that become victims of cyberattacks go out of business within six months.

Strengthening your security posture starts with identifying potential weak points before they can be exploited. At SoftwareOne, we help SMCs around the world to shore up their defences. Through our work, we have identified seven common security challenges that organisations frequently encounter.

In this article, we discuss:

  • What is meant by a ‘cybersecurity vulnerability’
  • The seven most common causes of SMC security vulnerabilities
  • The myth that SMCs can’t be as secure as big firms

Defining cybersecurity vulnerabilities

A cybersecurity vulnerability is any weakness in your defences that malicious actors can exploit. These weaknesses come in many forms and fall into three broad categories:

  • The human factor: attackers manipulate your employees (through phishing and other social engineering) to gain access to your systems.
  • Technical and configuration issues: unpatched software, misconfigured systems and weak authentication give attackers a direct way in.
  • Physical access: less common but still important, malicious actors can enter your premises and steal devices or information.

Seven common causes of SMC cyber vulnerabilities

Our experience, backed by independent research, has helped us identify seven common factors that contribute to cybersecurity challenges for SMCs worldwide.

1. Insufficient employee training

The human factor remains the leading cause of cybersecurity breaches in organisations today. A 2024 Verizon study found that 68% of breaches involved a human element, such as:

  • Employees clicking on links in phishing emails
  • Staff downloading infected files to company devices
  • People using unsecured networks while working remotely

Regular training is part of the solution: staff should be kept up to date on best practice and reminded of current phishing techniques. Training alone is not enough, though. Pair it with technical controls such as multi-factor authentication and e-mail filtering, so that one wrong click does not hand an attacker a working account.

Unfortunately, insufficient training remains a major problem among SMCs. For instance, one 2024 survey in the UK found that 48% of small businesses offer no cybersecurity training at all.

2. Failure to apply patches in a timely manner

Any operating system or business application can contain vulnerabilities. The software publisher releases patches as weaknesses are identified, and it is then the customer's responsibility to apply them.

The catch is that a released patch also tells attackers where the weakness is. They compare the patched and unpatched versions to locate the flaw, build an exploit, and scan for organisations still running the old version, often within days of the release.

Despite this, many companies roll out patches slowly: even critical patches took the average company more than 200 days to install in 2024.

3. Absence of systematic data backup

At some point, your business is likely to experience a cybersecurity breach. Microsoft reports that 31% of SMCs have already been victims of attacks, and these numbers are continually rising.

If you do fall victim to ransomware, having backups of your files, data and systems is the difference between an inconvenience and a disaster. With backups, even if cybercriminals lock you out of your environment, you can restore your data and let employees carry on working with minimal disruption. Two caveats apply: ransomware operators routinely look for and encrypt or delete any backups they can reach, so at least one copy must be kept offline or on immutable storage; and a backup that has never been test-restored is an assumption, not a safeguard.

However, worryingly few SMCs back up in a systematic fashion (a 2020 survey found that a fifth of SMCs had no backup process at all). How often to back up depends on how much work you can afford to lose (your recovery point objective); for most business data that means daily or more frequently. Few SMCs back up anywhere near that often, and fewer still check that the backups can actually be restored.
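The two checks described above, integrity and freshness, can be automated. The following is an added example (not code from the SoftwareOne article): it hashes every file in a backup set into a manifest at backup time, later verifies the set against that manifest (a file encrypted or replaced by ransomware fails the check), and compares the newest backup's age against a recovery point objective. The backup sets, timestamps and one-day RPO are constructed in memory for illustration.

```python
"""Verifying that backups are intact and recent enough to restore from.

Added example, not code from the SoftwareOne article. The backup sets
below are constructed in memory (file name -> bytes) with a SHA-256
manifest recorded when the backup was taken; the timestamps and the
one-day recovery point objective are assumed values.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file at backup time. Keep the manifest on separate,
    write-protected storage so an attacker who reaches the backup share
    cannot rewrite both the data and its checksums."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the set matches its manifest."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != expected:
            problems.append(f"hash mismatch: {name}")   # corrupted, or encrypted by ransomware
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return problems


def check_freshness(backup_times: List[datetime], now: datetime,
                    rpo: timedelta) -> Tuple[bool, timedelta]:
    """Recovery point objective: the most work you are willing to lose.
    The newest backup must be younger than the RPO."""
    if not backup_times:
        return False, timedelta.max
    age = now - max(backup_times)
    return age <= rpo, age


# Constructed sample data.
ORIGINAL = {
    "customers.db": b"id,name\n1,Example Ltd\n",
    "invoices/2024-08.pdf": b"%PDF-1.4 constructed sample\n",
}
MANIFEST = make_manifest(ORIGINAL)

# Same file names, but one file has been overwritten, as ransomware does to
# any backup share it can reach.
TAMPERED = dict(ORIGINAL)
TAMPERED["customers.db"] = b"ENCRYPTED-BY-RANSOMWARE"

NOW = datetime(2024, 9, 1, 8, 0, tzinfo=timezone.utc)
RPO = timedelta(days=1)
DAILY = [NOW - timedelta(hours=6), NOW - timedelta(days=1, hours=6)]
WEEKLY_STALE = [NOW - timedelta(days=9)]

if __name__ == "__main__":
    print("original:", verify_backup(ORIGINAL, MANIFEST))
    print("tampered:", verify_backup(TAMPERED, MANIFEST))
    print("daily fresh:", check_freshness(DAILY, NOW, RPO))
    print("weekly stale:", check_freshness(WEEKLY_STALE, NOW, RPO))
```

Running the script shows the tampered set failing on `customers.db` and the nine-day-old weekly backup breaching a one-day RPO. In production the manifest check should run against the copy you would actually restore from, including the offline or immutable copy, not only the most convenient one.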

4. Weak authentication procedures

Thanks to advances in consumer technology, most of us are now familiar with using biometrics or a confirmation code to approve logins for our devices, banking apps or social media. Yet when it comes to authentication in the workplace, many small and medium-sized companies continue to use weak and outdated processes.

If your firm still relies on usernames and passwords alone, your risk of being breached is high. Attackers run automated tools that try large lists of common passwords (brute force) or passwords leaked from other breaches (credential stuffing) against your login pages, and a single reused password is enough. At a very minimum, all SMCs today should require multi-factor authentication on every account. Where you have a choice, prefer authenticator apps, FIDO2 security keys or passkeys over SMS or e-mail codes, which are easier to intercept or phish.
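To show what the second factor actually adds, here is an added example (not code from the SoftwareOne article) of the time-based one-time password scheme used by authenticator apps (RFC 6238, built on HMAC-based OTP from RFC 4226), together with the server-side check: a small clock-skew window and a guard that rejects a code once it has been accepted, so a phished or shoulder-surfed code cannot be replayed. The shared secret and time values are the RFC 6238 test vectors so the output can be checked against the RFC; the one-step skew window and the counter store are assumptions for illustration.

```python
"""Time-based one-time passwords (RFC 6238) as a second factor.

Added example, not code from the SoftwareOne article. Uses only the
Python standard library. The shared secret is the RFC 6238 Appendix B
test secret; the skew window and used-counter store are assumptions.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 test vector secret (SHA-1)
TIME_STEP = 30                              # seconds per code
DIGITS = 8                                  # RFC vectors use 8 digits; apps usually use 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay protection.

    Accepting the adjacent steps (+/- skew_steps) tolerates drift between
    the phone and the server; remembering the last accepted counter means
    a captured code cannot be used a second time within its window.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // TIME_STEP
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue                                   # already used, or older than one used
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET, now))
```

Note what this does and does not protect against: the secret never travels over the network and a stolen password alone is useless, but a code typed into a convincing fake login page can be relayed to the real site within its 30-second window. That is why the text above recommends FIDO2 keys or passkeys, which bind the response to the genuine site's origin, where phishing is the main concern.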

5. Unprotected devices

At many SMCs, employees use several devices for work: company-owned desktops, laptops, tablets and phones, as well as their own personal devices. Other equipment, including printers, TVs, IoT devices and industrial machines, is often internet-connected too.

All this technology can be a boon for productivity, but every connected device is also a potential entry point into your systems and needs to be inventoried, kept up to date and monitored. Unfortunately, many SMCs have no complete list of what is on their network, do not monitor activity on these devices and so fail to spot suspicious behaviour. Devices that cannot be properly secured, such as printers and smart TVs, should at least be kept on a separate network segment from business systems.


6. Poorly managed access controls

At many SMCs, the traditional approach to access management remains the norm. Cybersecurity is treated like the walls of a castle. Firewalls and passwords keep most attackers out. But if they manage to get past the ‘castle walls’, they can do almost anything they want. If a hacker is using stolen credentials, or an employee with a grudge decides to steal company files, there is very little you can do when someone has broken past the first layer of defence.

Better access controls add internal barriers so that a single stolen credential does not unlock everything. A Zero Trust approach treats every request as untrusted until verified: access is granted per resource, based on the user's job role, the project they belong to, the network or IP address they connect from and, ideally, the health of their device, and nothing is allowed by default. Even if someone gets through the outer walls, the damage they can do inside is limited to what that one identity is permitted to reach.
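The following added example (not code from the SoftwareOne article) shows the shape of such a policy as a default-deny decision function: a request is allowed only if the user's role may see the data classification, the user is a member of the resource's project, and, for confidential data, the request comes from a trusted network. The last rule is what blunts the stolen-credential case from the paragraph above. The users, resources, role table and network ranges are constructed for illustration.

```python
"""Default-deny access decisions based on role, project membership and network.

Added example, not code from the SoftwareOne article. The roles, users,
resources and trusted networks below are constructed for illustration;
none of the names come from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str
    projects: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str             # "public", "internal" or "confidential"
    project: Optional[str] = None   # None: not scoped to a project


# Which classifications each role may read (assumed policy).
ROLE_READ = {
    "staff":   {"public", "internal"},
    "manager": {"public", "internal", "confidential"},
    "hr":      {"public", "internal", "confidential"},
}

# Confidential data is served only to the office LAN and the VPN range (assumed).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]


def decide(user: User, resource: Resource, action: str, source_ip: str) -> Tuple[bool, str]:
    """Evaluate one request. Every check must pass; anything unmatched is denied."""
    if action != "read":
        return False, "only read access is modelled here"

    # 1. Job role: may this role see this classification at all?
    if resource.classification not in ROLE_READ.get(user.role, set()):
        return False, f"role '{user.role}' may not read {resource.classification} data"

    # 2. Project: project-scoped content requires membership, whatever the role.
    if resource.project is not None and resource.project not in user.projects:
        return False, f"{user.name} is not a member of project '{resource.project}'"

    # 3. Network location: confidential data only from trusted networks, so a
    #    stolen credential used from an unknown address still fails.
    if resource.classification == "confidential":
        addr = ip_address(source_ip)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            return False, f"confidential data may not be read from {source_ip}"

    return True, "allowed"


# Constructed sample data.
ALICE = User("alice", "staff", frozenset({"alpha"}))
BOB = User("bob", "manager", frozenset({"alpha"}))
CAROL = User("carol", "staff")
HANDBOOK = Resource("staff-handbook", "internal")
ALPHA_PLAN = Resource("alpha-plan", "internal", project="alpha")
ALPHA_BUDGET = Resource("alpha-budget", "confidential", project="alpha")
PAYROLL = Resource("payroll", "confidential")

if __name__ == "__main__":
    requests = [
        (ALICE, HANDBOOK, "10.1.2.3"),       # allowed: staff may read internal
        (ALICE, PAYROLL, "10.1.2.3"),        # denied: role
        (CAROL, ALPHA_PLAN, "10.1.2.3"),     # denied: not on the project
        (BOB, ALPHA_BUDGET, "10.1.2.3"),     # allowed: manager, member, office network
        (BOB, ALPHA_BUDGET, "203.0.113.7"),  # denied: bob's credentials used from the internet
    ]
    for who, what, ip in requests:
        print(f"{who.name:6} {what.name:15} {ip:13} -> {decide(who, what, 'read', ip)}")
```

The point of the structure is that the checks are conjunctive and the fallthrough is a denial. Adding a new kind of content or a new role means adding an explicit entry; forgetting to do so locks people out rather than exposing data, which is the failure mode you want.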

7. Inadequate security for in-house applications

It is increasingly common for SMCs to build their own in-house applications, either to support employees with specific tasks or to serve customers. Whether you wrote the code yourself or used a low-code app-building platform, these apps must stay visible and monitored, must enforce robust authentication and access rights, and must be kept patched. Attackers often exploit known vulnerabilities in common frameworks and third-party libraries, so an out-of-date dependency makes your application vulnerable even if your own code is sound.

These kinds of apps are often a target for cybercriminals precisely because they know that internal teams have less time and resources to keep them secure.
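Both the patching section above and this one come down to the same question: which installed component is older than the version that fixes a known flaw, and for how long has it been that way? The following added example (not code from the SoftwareOne article) answers it for a small inventory covering operating-system packages and application libraries alike, comparing versions numerically (so that 2.4.10 is correctly newer than 2.4.9) and measuring days of exposure against a per-severity patching deadline. The component names, versions, advisory dates and SLA values are constructed for illustration and are not real advisories or a published policy.

```python
"""Finding unpatched components and measuring how long they have been exposed.

Added example, not code from the SoftwareOne article. It serves both the
patching and the in-house application sections: the same check applies to
operating-system packages and to libraries an application depends on.
The inventory, the advisories (component names, fixed versions, dates)
and the per-severity SLA days are constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

# Assumed patching policy: maximum days allowed between advisory and fix.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so comparisons are numeric, not textual.
    Non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))           # so that '1.10' equals '1.10.0'
    b += (0,) * (width - len(b))
    return a < b


def exposure_report(inventory: List[Dict], advisories: List[Dict], today: date) -> List[Dict]:
    """For each installed component with an applicable advisory, report the days it
    has been exposed since the advisory was published and whether the SLA is breached."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] != item["component"]:
                continue
            if not is_vulnerable(item["installed"], adv["fixed_in"]):
                continue
            exposed = (today - adv["published"]).days
            findings.append({
                "host": item["host"],
                "component": item["component"],
                "installed": item["installed"],
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "days_exposed": exposed,
                "sla_breached": exposed > SLA_DAYS[adv["severity"]],
            })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order[f["severity"]], -f["days_exposed"]))
    return findings


# Constructed sample data (not real software or advisories).
INVENTORY = [
    {"host": "file-srv-01", "component": "examplelib", "installed": "2.4.1"},
    {"host": "web-app-01",  "component": "examplelib", "installed": "2.4.10"},
    {"host": "web-app-01",  "component": "example-web-framework", "installed": "1.9.12"},
    {"host": "web-app-02",  "component": "example-web-framework", "installed": "1.10"},
]
ADVISORIES = [
    {"component": "examplelib", "fixed_in": "2.4.9",
     "severity": "critical", "published": date(2024, 8, 1)},
    {"component": "example-web-framework", "fixed_in": "1.10.0",
     "severity": "high", "published": date(2024, 8, 20)},
]
TODAY = date(2024, 9, 1)

if __name__ == "__main__":
    for finding in exposure_report(INVENTORY, ADVISORIES, TODAY):
        print(finding)
```

With the sample data, the file server's critical finding is 31 days old against a 7-day SLA and is flagged, while the web framework finding is 12 days into a 30-day window and is not. The inventory side is the hard part in practice: the check is only as good as your list of what is installed where, which is why the device and application sections above both start with visibility.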

The myth that cybersecurity is only for big businesses

“SMBs have got the same [cybersecurity] issues, and the same needs as the bigger companies.”

Peter Glenstrup, Arctic Wolf, speaking on a SoftwareOne Cybersecurity Panel Discussion

There is a common misconception that only large companies with big budgets can achieve high standards of cybersecurity.

But is this really true? In a 2024 survey by Cisco, large companies were indeed more likely to be rated ‘mature’ or ‘progressive’ in their cybersecurity posture: 37% of large companies reached those levels, compared with 34% of mid-size companies and 20% of small businesses. The gap between large and mid-size companies is small, and even among small businesses one in five reaches the top tiers.

So, if you run a small or medium-sized business, it is absolutely possible for you to have a world-class standard of security.


Small and medium-size companies’ cybersecurity advantage

Through our work with SMCs, we know it is very common for them to have significant cybersecurity vulnerabilities. However, while these risks should not be downplayed, SMCs also have a serious advantage when it comes to addressing them.

Since SMCs tend to have a smaller IT footprint, use fewer applications, and rely less on legacy technology, it is often much simpler and more affordable for them to upgrade and modernise their security to the highest standards.

And with SoftwareOne’s Cybersecurity Managed Service for Microsoft, we can help your business transform its security posture and address its vulnerabilities for the long term.


Envision the art of the possible

Want to see how secure you currently are? Take the free self-service cybersecurity assessment to understand your current security posture and how it could be improved.

Remember to select SoftwareOne when asked for the Partner name and source of your information so we can follow up with personalised advice and support.

