Seven common causes of SMC cyber vulnerabilities
Our experience, backed by independent research, has helped us identify seven common factors that contribute to cybersecurity challenges for SMCs worldwide.
1. Insufficient employee training
The human factor remains the primary cause of cybersecurity breaches in organisations today. A 2024 Verizon study found that 68% of breaches are ultimately linked to factors such as:
-
Employees clicking on links in phishing emails
-
Staff downloading infected files to company devices
-
People using unsecured networks while working remotely
The solution here is employee training. Staff should be kept up to date on best practices and regularly reminded about cybersecurity risks.
Unfortunately, insufficient training remains a major problem among SMCs. For instance, one 2024 survey in the UK found that 48% of small businesses offer no cybersecurity training at all .
2. Failure to apply patches in a timely manner
Any operating system or business application can contain vulnerabilities. The software publisher will regularly make patches available when weaknesses are identified, and it is then the customer’s responsibility to update their software.
The problem, however, is that as soon as developers release patches, cybercriminals are alerted that there is a weakness in the software. These criminals will then try to find companies using that software and exploit the weakness.
Despite the risk, many companies fail to roll out patches fast enough. Even for critical patches, it took the average company over 200 days to install them in 2024.
3. Absence of systematic data backup
At some point, your business is likely to experience a cybersecurity breach. Microsoft reports that 31% of SMCs have already been victims of attacks, and these numbers are continually rising.
If you ever do fall victim to ransomware, then having backups for your files, data and systems is the difference between mere inconvenience and major disaster. Having backups mean that, even if cyber criminals do manage to lock you out of your environment, you can simply restore your data and allow your employees to continue to work, minimising disruption.
However, worryingly few SMCs perform backups in a systematic fashion (a 2020 survey found that a fifth of SMCs had no backup process in place). In an ideal world, systematic backups should be done weekly or even daily. But few SMCs backup content anywhere near as frequently.
4. Weak authentication procedures
Thanks to advances in consumer technology, most of us are now familiar with using biometric data or e-mail confirmation to approve logins for our devices, banking apps or social media. Yet when it comes to authentication in the workplace, many small and medium sized companies continue to use weak and outdated processes.
If your firm continues to rely on basic usernames and passwords, you run a high risk of being breached. Determined hackers can use brute force attacks to overcome basic password protection (cybercriminals use automated tools to guess passwords). At a very minimum, all SMCs today should be using two-factor authentication.
5. Unprotected devices
At many SMCs, employees use multiple devices to do their work. This includes company-owned desktops, laptops, tablets and mobiles, as well as their own personal devices. Other tech, including printers, TVs, IoT and industrial machines are often internet-connected too.
All this technology can be a boon for productivity. But it must also be monitored, since any connected device can present a back door into your systems. Unfortunately, many SMCs fail to monitor activity on these devices and fail to identify suspicious behaviour.
Suggested eBook:
6. Poorly managed access controls
At many SMCs, the traditional approach to access management remains the norm. Cybersecurity is treated like the walls of a castle. Firewalls and passwords keep most attackers out. But if they manage to get past the ‘castle walls’, they can do almost anything they want. If a hacker is using stolen credentials, or an employee with a grudge decides to steal company files, there is very little you can do when someone has broken past the first layer of defence.
Advanced access controls allow you to build more internal barriers and prevent malicious actors from exploiting your data. Using Zero Trust policies, for instance, you can configure access so that people are only given permission to see certain kinds of content based on their job role, project they are part of, or IP address. So, even if someone does get through your external walls, there's a limited amount of damage they can do once inside.
7. Inadequate security for in-house applications
It is increasingly common for SMCs to build their own in-house applications (either to support employees with specific tasks or for customers). Whether you coded these yourself or used app building platforms, it is incredibly important to keep these apps visible and monitored. These apps should also have robust authentication and access rights. Technology used to build the apps must be patched and updated as attackers often exploit vulnerabilities in common libraries – which can also make your application vulnerable.
These kinds of apps are often a target for cybercriminals precisely because they know that internal teams have less time and resources to keep them secure.
