
Top 10 Cybersecurity Mistakes SMBs Make

In the early days of the COVID-19 pandemic, INTERPOL released a report acknowledging that, due to the changing nature of the world—a bigger push for remote work, contactless business, and further internet growth—cybercriminals had shifted their targets from small businesses and individuals to major corporations. Even though the primary targets of cybercriminals shifted during the pandemic, this does not mean that small to medium businesses (SMBs) should feel safe from cyber-attacks. With the global effort to vaccinate as many people as fast as possible, we are already seeing the landscape of the pandemic shift. In places where close to 75% of the population is vaccinated, many things are returning to pre-pandemic levels. This matters for SMBs because it indicates that they may soon be the primary target of cybercriminals once again.

While we already know that most SMBs lack the resources to implement a rigorous cybersecurity program, there are steps they can take to reduce the risk of a cyber incident. After all, the average cost of a cyber incident for an SMB is nearly $2.64 million according to IBM’s Cost of Insider Threats Report. It is crucial for every SMB to take proper measures against looming threats. To understand where SMBs stand right now, it is necessary to see where they stumble. This post highlights the top 10 cybersecurity mistakes SMBs make.

1. Lack of Multifactor Authentication

We break authentication down into three main “factors”: (1) something you know (a password), (2) something you have (an authenticator app, hardware token, or security ID badge), and (3) something you are (biometrics). With MFA enabled, you must present at least two of these factors to authenticate. A hacker would not only need to somehow obtain a person’s password but also find a way into that person’s phone.
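As an added illustration (not code from the original post), the helper below classifies login methods into the three factor categories described above and checks whether a combination is genuinely multifactor; it goes slightly beyond the text by showing that two credentials from the same category, such as a password plus a security question, do not count as MFA. The method names and the sample account list are assumptions constructed for this example.

```python
# Added example: classify login methods into the three factor categories
# and decide whether a combination is genuinely multifactor.
# The method names below are assumptions for this illustration.
from typing import Iterable

FACTOR_OF = {
    "password": "knowledge",            # something you know
    "pin": "knowledge",
    "security_question": "knowledge",   # still knowledge, not a second factor
    "authenticator_app": "possession",  # something you have
    "hardware_token": "possession",
    "id_badge": "possession",
    "fingerprint": "inherence",         # something you are
    "face": "inherence",
}


def factors_present(methods: Iterable[str]) -> set:
    """Return the distinct factor categories covered by the given methods.
    An unknown method raises so a misconfigured policy fails loudly."""
    categories = set()
    for method in methods:
        if method not in FACTOR_OF:
            raise ValueError(f"unknown authentication method: {method}")
        categories.add(FACTOR_OF[method])
    return categories


def is_multifactor(methods: Iterable[str]) -> bool:
    """True only when at least two *different* categories are present.
    A password plus a security question is two credentials but one factor."""
    return len(factors_present(methods)) >= 2


def accounts_without_mfa(accounts: dict) -> list:
    """Audit helper: sorted usernames whose enabled methods do not satisfy MFA."""
    return sorted(user for user, methods in accounts.items()
                  if not is_multifactor(methods))


# Constructed sample directory for the example (not real accounts).
SAMPLE_ACCOUNTS = {
    "alice": ["password", "authenticator_app"],   # knowledge + possession: MFA
    "bob": ["password", "security_question"],     # knowledge only: not MFA
    "carol": ["password"],                        # single factor
    "dave": ["fingerprint", "hardware_token"],    # inherence + possession: MFA
}

if __name__ == "__main__":
    print("Accounts lacking MFA:", accounts_without_mfa(SAMPLE_ACCOUNTS))
```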

2. Lack of a Dedicated Cybersecurity Team

Without your own designated cyber team or an outsourced team (MSSP), you risk not putting enough emphasis on security. If you do not put enough emphasis on your own security, it becomes impossible to respond to cybersecurity incidents as they occur. In addition, if you contract out your IT work and that company gets targeted, you may suffer the consequences of another company’s breach.

3. Cloud Security Challenges

Using a cloud service provider (CSP) can be enticing to SMBs because they then do not have to host their own servers. However, if the CSP were to be breached, the SMB may have no visibility into or control over the issue at hand. Moreover, the SMB would not have an incident response plan for that environment, because it is not their own IT infrastructure.

4. No recovery plan in place

Businesses need to be prepared for any number of disasters, and IT disasters are no different. Without a firm plan in place, things can get out of hand far quicker than they would if there were an SOP for a cyber incident. Recovery plans and strategies are easy for SMBs to access, as the National Institute of Standards and Technology provides guidance and resources for free.

5. The Principle of Least Privilege

Out of necessity, employees at smaller companies generally take on many different roles and responsibilities. This means that each of them has access to a larger share of the company’s data, contact lists, and market analysis than a single employee at a larger company would. Separating individuals’ access according to their potential for risk is far better than the alternative. For example, a standard retail worker at a small business should not have admin privileges on a computer. They should only be granted access to what is necessary for them to complete their jobs—in this case, retail.

6. Reliant on Legacy Software

Spending less on security may be appealing to small companies that do not have the infrastructure or capital to invest heavily in their own IT, but it has its own pitfalls. Legacy and deprecated software are easier to hack because their weaknesses have already been figured out. In the long run, the cost vs. benefit of having better security might be cheaper than having to make up for a cyber incident caused by outdated software.

7. No penetration testing

Simply put, if you do not know your weaknesses, you will never see threats coming. Finding loopholes and cracks before a breach happens prepares you for the real-life circumstances that may eventually occur. This is why it is increasingly important to do penetration testing on your own resources to see just how far an attacker could get. Knowing your own system’s ins and outs gives you a better view into how someone else may try to infiltrate it.

8. Employees aren’t trained to identify phishing attacks

91% of cyber attacks start with a phishing email. The earlier you can train your employees to spot phishing emails, the better. In this day and age, a phishing attack may look as inconspicuous as signing up for a COVID vaccine appointment—something everyone is trying to get hold of. People may act on their emotions before realizing a link is fraudulent because they are so excited about the opportunity.

9. Reusing old passwords

In combination with 2FA, this is another step to minimize the risk from an unknown hacker or threat. If passwords are never required to change, a hacked account may go unnoticed by the company indefinitely. For example, if your company mandated a password change every 30 days, the longest a hacker could remain in the system with a stolen password is 30 days. Rotation not only helps keep cyber threats out of a system, it can also stop existing ones from continuing to work.

10. Think they are too small to be a target

Any company of any size has to be aware that it can always be the target of a cyberthreat. Whether it is assets, data, or users, every company has something a hacker could take advantage of. At the end of the day, size does not matter to the automated tools used for hacking and cyberthreats. When cybercriminals send mass emails to thousands of different addresses, it is not a pick-and-choose moment for them; it is entirely a numbers game. Criminals do not care what company their victim is part of as long as they get what they want.

CnSight can help your company understand where your weaknesses are when it comes to cyber protection. It does this by utilizing Cybersecurity Performance Indicators (CPIs) that track important metrics aligned with organizational goals. To improve your organization’s cybersecurity performance, contact us to learn more.
