
Wrong security assumptions leave small firms exposed

Written by Mark Darcy | Jun 24, 2024 7:49:36 AM

At the start of the year, the World Economic Forum warned SMEs that they may be more vulnerable to cyberattacks than larger companies, but its catch-all description of small firms, with no qualification of size or sector, was not particularly helpful. We know from experience at Leacam that a firm of 10-15 people faces very different risks from those experienced by a company that employs 30-50 people, and that a business holding personally identifiable information (PII) is going to need to invest more in protecting data than a firm that doesn't.

That said, the Forum's underlying point is worth making: small firms don't pay as much attention to cyberthreats as their larger peers because they lack the resources, or a full appreciation of the risks, to do so. You have to start by challenging your own assumptions about what you've been doing or, if your firm relies on low-level tech support from a third party, by questioning whether that provider has the expertise to match the level of security to your business need.


Missing layers of protection

A common mistake is to assume that potential cracks in cybersecurity are covered because you've signed up to a premium package from a market-leading software service, like Microsoft 365. They are not. The onus is on every business to make sure that what is implemented around security is sufficiently aligned with what the business needs.

The reality is that vendors don't make this easy. Remember that Microsoft 365 is just a shell, a standardised work productivity package available to companies with two employees or 20,000. Many of its security controls ship switched off or left at defaults. It's up to you and your technology partner to configure it correctly for your business, to match the security layers to your business needs.

A good example of how misplaced assumptions about levels of protection can cost your company money is the payment-diversion fraud commonly described as a 'man-in-the-middle attack'. The name suggests a cybercriminal intercepting communications on the wire between two parties, a business and its hosted email service, such as Exchange Online (Outlook) in Microsoft 365. In practice the attacker is far more often sitting inside one party's mailbox with a stolen password, reading and sending mail as that user, which is why the security industry classes it as business email compromise (BEC). A professional services firm came to us when they discovered a substantial payment from a client had gone astray. It turned out that someone had intercepted an email exchange, assumed the identity of the services firm and provided their own bank account details to the client for the payment.

Losing the money was bad, but the reputational damage was potentially worse and harder to quantify. A client is likely to take their business elsewhere after falling for such a scam, and many more will follow if word gets out about what happened. In a small country like Ireland, there's a good chance it will.

What bothered our soon-to-be client was that the fix we implemented was easy to do and had been available to them as part of their licensing agreement from the outset. They just didn't know it. In this case, enabling multifactor authentication (MFA) in Microsoft 365 gained them an extra layer of protection: a stolen password alone is no longer enough to sign in, because the user must also supply a second proof of identity, such as a code or approval prompt from an authenticator app. MFA is not a complete answer. More sophisticated phishing kits relay the code or prompt to the real sign-in page in real time, and only phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business close that gap. But it is the base level to start from, and it's often enough to persuade cybercriminals to try their luck elsewhere.
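Before assuming that MFA is "on" for a tenant, it pays to check who has actually registered a second factor. The following is an added example (not code from the original post or from Leacam) using the Microsoft Graph PowerShell SDK. It reports whether Security Defaults are enabled, which is the simplest switch for tenant-wide MFA on any Microsoft 365 plan, and lists users who have no MFA method registered, admins first. The permission scopes requested are an assumption; confirm them against the documentation for the two cmdlets used.

```powershell
# Added example, not part of the original post.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the
# signing-in account can read sign-in policies and the authentication
# methods registration report. The scopes below are an assumption; check
# the cmdlet documentation if the calls are refused.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Is tenant-wide MFA switched on through Security Defaults?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Per-user registration state from the authentication methods report.
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($users | Where-Object { -not $_.IsMfaRegistered })

"Users in report: $($users.Count); without any MFA method registered: $($noMfa.Count)"

# Admin accounts with no second factor are the first thing to fix.
$noMfa |
    Select-Object UserPrincipalName, IsAdmin,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# To turn Security Defaults on (only possible when no Conditional Access
# policies exist in the tenant), run:
#   Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
```

Two caveats a practitioner would want: a user who has registered a method is not necessarily being prompted for it, since enforcement comes from Security Defaults or a Conditional Access policy rather than from registration alone; and Security Defaults cannot be enabled alongside Conditional Access policies, so a tenant that already uses Conditional Access should express the MFA requirement there instead.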


Misconfigured antivirus software

Another example of a small firm missing out on rudimentary security, because no-one had explained the solution, came from a company that asked Leacam to do some web development work. A problem came to light when their browser flagged a potential security issue while downloading some documentation for a new release we had provided. We knew it wasn't at our end, looked into it and discovered that the endpoint protection included in their Microsoft 365 plan had never been set up. It turned out that all of their machines and personal devices were unprotected and infected, and so was the Dropbox account they were using for file sharing.

We found out the scale of the problem when we deployed Microsoft Defender for Endpoint and scanned every networked device. Next, we onboarded every machine to Defender, so that its full set of protection capabilities was applied to each endpoint, server and device. The solution, complete with Microsoft Defender Antivirus, was included in the client's original Microsoft licensing plan; it just hadn't been activated.
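Whether a given Windows machine is actually protected, as opposed to licensed for protection, can be verified locally. The following is an added example (not code from the original post or from Leacam) that uses the built-in Defender PowerShell module and the Defender for Endpoint status registry key to report, for one machine, whether Defender Antivirus is enabled and running in normal mode, how old its signatures are, and whether the device has been onboarded to Defender for Endpoint. The function name and the 30-day signature threshold are my own choices.

```powershell
# Added example, not part of the original post. Run in an elevated
# PowerShell session on the Windows endpoint being checked.

function Get-DefenderState {
    # Defender Antivirus status from the built-in Defender module.
    $mp = Get-MpComputerStatus

    # Defender for Endpoint records its onboarding state under this key
    # once the onboarding package has run; OnboardingState 1 = onboarded.
    $mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $mdeState = (Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue).OnboardingState

    # The Defender for Endpoint sensor runs as the "Sense" service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AntivirusEnabled    = $mp.AntivirusEnabled
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        # "Normal" means Defender is the active antivirus; "Passive Mode"
        # means another product has taken over and Defender only observes.
        RunningMode         = $mp.AMRunningMode
        SignatureAgeDays    = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        MdeOnboarded        = ($mdeState -eq 1)
        SenseServiceRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
    }
}

$state = Get-DefenderState
$state | Format-List

# Turn the findings into a short list of things to fix.
$problems = @()
if (-not $state.AntivirusEnabled)    { $problems += 'Defender Antivirus is disabled' }
if (-not $state.RealTimeProtection)  { $problems += 'Real-time protection is off' }
if ($state.RunningMode -ne 'Normal') { $problems += "Defender is in '$($state.RunningMode)' mode, not active" }
if ($state.SignatureAgeDays -gt 30)  { $problems += "Signatures are $($state.SignatureAgeDays) days old" }  # 30 days is an assumed threshold
if (-not $state.MdeOnboarded)        { $problems += 'Device is not onboarded to Defender for Endpoint' }
if (-not $state.SenseServiceRunning) { $problems += 'Defender for Endpoint sensor (Sense) is not running' }

if ($problems.Count -eq 0) {
    'No problems found.'
} else {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
}
```

To run the same check across a set of domain-joined machines from one console, wrap the function body in `Invoke-Command -ComputerName <names> -ScriptBlock { ... }`; the results come back as objects you can sort by `MdeOnboarded` to find the machines that were never set up. A device that reports `Normal` mode and onboarded is the state the licence entitles you to; anything else is the gap described above.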

Both of these episodes highlight how carefully you have to think about your Microsoft 365 implementation. Never assume something is a given. Even if it was when you made your initial purchase, things change because products and licensing terms constantly evolve. We know that small businesses have enough on their plate managing the bottom line without worrying about the small print in Microsoft subscriptions. Among many other things, sweating over licenses is what Leacam does for a living.


Please get in touch if you want to make sure Microsoft 365 is giving your business the level of security it needs.