Cybersecurity Challenges for SMBs in 2021

Cyberattacks are a daily threat that organizations have to face, and 2021 is lining up to be a year like no other for the cybersecurity industry. The Covid-19 pandemic has turned the world on its head, and the security landscape for tech firms has changed dramatically in the last 12 months.

Small and midsize businesses are facing a turbulent year with the rise of 5G connectivity, increases in Network Edge technology, and with working from home quickly becoming the new normal, cybersecurity teams have their hands full going into 2021.

High Demand for SecOps Professionals

The lack of skilled cybersecurity professionals is a serious concern to the industry. The risk of a data breach or successful cyberattack has never been higher with cybercrime estimated to be worth $10.5 trillion by 2025.

Yet the number of unfilled cybersecurity job vacancies has jumped significantly in recent years. This is good news for employee wages, but the limited availability of professional workers will create a skills gap in the industry and could result in SMBs struggling to match the high salary demands.

Secure Home Worker Devices

The surge in working from home caused by Covid-19 has created serious concerns for cybersecurity professionals. In the United States, it is estimated that 71% of employees worked from home during the peak of the pandemic. Employees have enjoyed a better work-life balance, but it does mean that huge numbers of personal devices are now used for business purposes.

It is expected that workers are provided with digital company assets in the enterprise, and it is much easier for a larger organization to procure additional equipment on demand. SMBs may have little or no budget to purchase equipment for employees.

Due to these constraints, personal cell devices, tablets, and computer equipment may routinely be used at home, but devices that are not company-sanctioned pose a cybersecurity risk.

Data theft, unauthorized access, and accidental exposure of confidential information are very real. Security teams must ‘reign in’ the culture of ‘bring your own device’, businesses must invest in technology for home workers, and end-user device controls need to be introduced.

Enhanced cybersecurity toolsets can control BYOD security. These tools can wipe data remotely, ensure security patching and updates are enforced upon the user, as well as enforcing encryption of sensitive company data.

Intelligent Cyberattacks

There is little doubt that cyberattacks are becoming much more sophisticated. The recent SolarWinds attack of December 2020 highlights this changing trend, and this will no doubt increase in 2021. Ransomware will remain a huge concern, Coveware reported 55% of successful ransomware attacks were targeted against SMB’s, and 75% of attacks we targeted at businesses with less than $50 Million in revenue. This suggests that SMBs are seen as an easier target and a target that is more likely to pay up.

New waves of ransomware are expected in 2021. Sophisticated attackers are starting to specifically target business data to up the ante, so if the victim fails to pay the ransom, threats are made to release sensitive business data. This new wave may see the type of business targeted change. Healthcare and financial services will be obvious targets and it will be interesting to see how this emerging threat will play out in 2021.

The threat to public-facing servers that use the remote desktop protocol (RDP) has always been high. 2021 will see this threat grow and grow. The pandemic has accelerated many businesses’ cloud strategy, and the risk of rushing to the cloud and leaving the front door left open is very real. Intelligent, machine learning “bot farms” are scanning the internet searching for weak RDP connections right now. Bots are data mining websites like GitHub looking for cloud access keys and shared secrets. It only takes one mistake or one lazy system administrator to let in a cybercriminal.

AI-Powered Targeted Phishing

AI routines are also being used to drive the emerging trend of Business Email Compromise (BEC) fraud. In technical terms, it is very easy to spoof an email to make it look like it has come from a genuine source, but BEC takes this to the next level. At its core, it is still a targeted phishing campaign but AI significantly increases the accuracy of the scam. Data mining is used to accurately understand the inner workings of a business, commonly the executive teams, finance, and suppliers.

The attack targets high valued employees, either bulk emailing the business masquerading as the CEO or senior management to extract sensitive data, or targeting finance teams with fake invoice demands, balance transfers, or supplier requests. It just takes one employee having a momentary lapse in concentration for the attack to be successful.

Taking Training Seriously

There is one common synergy between all of the threats expected to take precedence in 2021, that an employee is the weakest link who inadvertently opens the door to a cyberattack. In most circumstances, the employee has acted in good faith, but questions must be asked about whether the employee has been adequately trained?

Security awareness training is essential for every business, it is something found in the Enterprise, but often overlooked by smaller businesses. This may be due to cost constraints or maybe a lack of security expertise. It might be due to the increases in home working seen in 2020 and 2021, when it may have proven much more difficult to enforce training on the workforce if the appropriate systems were not in place.

Training is essential because the data held by any business is valuable, and because cybercriminals are on the lookout for an “easy target”, SMB’s are in the direct firing line. Having a workforce that is security-conscious will help the business to attract and retain the best employees as well as create confidence for partners and associates to work with you.