Four measures SMBs can take to avoid common security pitfalls


It is often asserted that small and medium-sized businesses (SMBs) are less likely to be targeted than larger companies, but this is far from the case. What SMBs do have is fewer resources than their larger counterparts, which can make cyber security a challenge.

But robust security is possible if these companies take a handful of simple steps to avoid the common cyber security pitfalls and to ensure they are resilient if a cyber attack does land.

1. Plan for the worst-case scenario

Cyber attacks are a matter of when rather than if, regardless of the size of your business. One of the biggest traps for SMBs is fixating solely on preventing cyber attacks, says Haris Pylarinos, founder and CEO of security skills company Hack The Box. This can leave firms reeling when an attack does eventually get past their defenses.

He advises ensuring your business doesn’t have any weak spots through methods such as vulnerability assessments and penetration testing, as well as making sure you have an incident response plan in place.

When a cyber attack happens, one of the biggest pitfalls SMBs face is a lack of preparation, says Jack Peters, customer solutions architect at M247. He cites data from AAG showing that less than a fifth of UK businesses have a formal incident response plan in place. “It’s essential that businesses create, implement and maintain a strategy for how they will handle a cyber attack, as this will allow everyone to correctly identify any weaknesses and vulnerabilities within the IT framework,” he advises.

The plan needs to be implemented before an incident occurs, he says, highlighting that a pre-emptive approach “will be beneficial in the long-term”. 

According to Pylarinos, SMBs should focus on key areas: preparation, detection and analysis, as well as containment, recovery, and post-incident analysis. 

It’s also important the incident response plan is easy to understand. Although the specifics may vary depending on the size of the organization and industry, Peters advises using the five-step cyber security framework developed by the National Institute of Standards and Technology (NIST). “This is a great model to follow.”

2. Get the basics right

As a foundation for all things security, SMBs should ensure they are getting the basics right. As part of this, it’s key to update your devices regularly. Many smaller businesses suffer irreparable damage after falling victim to a cyber attack that could have been prevented if they’d taken the time to update systems. 

One way to ensure you are protected is to update your devices automatically, advises Elliott Wilkes, CTO at consultancy and managed service provider Advanced Cyber Defence Systems. This should include all devices that access company data such as computers, smartphones, servers, virtual machines (VMs), and Internet of Things (IoT) devices, he says. “It sounds simple, but you’d be surprised at how many ransomware events have taken place over the past few years using well-known vulnerabilities that have been fixed, but the organization didn’t deploy the patch.” 

While it might seem obvious, ensuring all devices have an antivirus system and that team members use strong passwords including random words, numbers, and symbols can “provide a first line of defense”, says David Clarke, head of security at IT consultancy Quostar. 

Craig Jones, VP of security operations at security firm Ontinue advises creating and implementing policies around secure internet use and handling sensitive data. “This includes avoiding suspicious emails or links, not sharing passwords, and not using unsecured Wi-Fi networks for work-related tasks. Don’t assume everyone knows the basics – even simple mistakes can lead to significant breaches.” 

3. Use technology like MFA wisely

Technology isn’t everything, but it can help boost security when resources are limited. One of the best additions to your security strategy is multi-factor authentication (MFA), which is cheap and easy to use. Adding this extra layer of defense helps stop your business being caught out by weak passwords, and it also reduces the margin for human error.


Wilkes advises enabling MFA on all accounts where possible, using an app such as Google or Microsoft Authenticator. “If you only have the option to use SMS, that’s ok too – but try to use an app if you can. These store temporary codes that you enter along with your password to login to a website or application.”

For the most robust defenses, especially if your business operates in a high-risk industry vertical, you could consider a physical token to secure your accounts, such as a Yubico YubiKey. “These provide authentication that is much more resistant to phishing emails, which is an increasingly common way criminals gain access to an organization’s systems and data,” says Wilkes.

Additionally, if it’s feasible within your budget, SMBs should consider security information and event management platforms (SIEMs) which feature vulnerability assessments and cyber threat intelligence technology, says Clarke. “Regular cyber security assessments can be critical to protecting firms by helping them identify weaknesses and potential entry points into their networks.”

4. Invest time and effort into cyber security training

It’s often said that employees are a firm’s weakest link, and many cyber attacks are successful due to a simple mistake made by a member of staff. A costly blind spot for any business, particularly SMBs, is failing to invest in cyber security training, says Pylarinos. “With cyber threats on the rise and growing in sophistication, training your staff to combat the latest risks is crucial.”

As part of this, SMBs should ensure they are encouraging cyber awareness among all employees, says Pylarinos. This is often overlooked: in 2022, the UK Government found only one in five businesses (17%) provided awareness sessions for those not directly involved in cyber security.

This is despite the fact that the majority of breaches (83%) were a result of phishing, in which employees mistakenly click on malicious links or download malware-ridden documents. “By consistently training employees of all levels on the basics of cyber awareness, SMBs can spot phishing or social engineering lures and thwart cyber threats across their organization,” says Pylarinos.

Employee training can be delivered in a number of ways, using educational platforms and exercises. Experts also agree it should be repeated regularly so that staff stay up to date with the latest threats.

Lewis West, head of cyber security at recruitment firm Hamilton Barnes, advises SMBs to be focused on building a “strong security culture” and increasing awareness across the entire team. “Training employees to become more aware of security and adversaries’ methods is an effective way to reduce the number of successful cyber attacks.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.