Plaintext: Small Businesses, Big Security Challenges
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Wiz. In this issue of Plaintext, we look at cybersecurity challenges facing small businesses. We also share highlights from this week's Black Hat Europe. If you enjoy Plaintext, please share with friends and colleagues!
Never Too Small: Attacks against large hospitals, universities, large conglomerates, and governments dominate headlines, but if there's one thing we've learned over the last few years, it's that size doesn't matter when it comes to cyberattacks. Ransomware gangs collect their money, BEC [business-email compromise] scammers take advantage of human nature, and phishing campaigns target the unsuspecting. Small companies with personally identifiable information (PII), protected health information (PHI), or any sensitive information are just as valuable to attackers harvesting data. And let's not forget third-party attacks, where threat actors target larger organizations by going after (usually smaller) partners and suppliers, by siphoning off corporate data the smaller company has on its servers, or by stealing partner credentials to access the larger entity's environment.
Unfortunately for the SMB, cybersecurity can be expensive and difficult to manage. Many security products are designed for enterprise-sized IT and security teams. This makes it difficult to defend small businesses, Ross Haleliuk wrote in a Dark Reading column earlier this year. "The problem is that to access an endpoint detection and response (EDR), asset management, or cloud security posture management solution, they [SMBs] are required to sign multiyear agreements and predict, and even commit to, minimum spending. For obvious reasons, asking someone who hasn't even proven they can make the model work for a multiyear commitment is not reasonable," Haleliuk wrote. Open source security tools may not be an option if the organization does not have the necessary knowledge and skills to use them (and open source documentation is not always the most accessible).
In a recent study on SMBs, 69% of respondents said cybersecurity is part of their company culture. However, only 4 in 10 said their company regularly discusses cybersecurity. (Cybersecurity for SMBs, Sage)
A dedicated security team is often out of reach (and not a high priority) for SMBs and micro companies such as early-stage startups. For these organizations, the focus should be on improving security hygiene and training, identifying their biggest risks to allocate their resources, and utilizing features available from their existing IT and security products. There are more SMB-focused managed security service providers, and vendors have programs specifically for smaller companies. For example, Dragos recently expanded its program to provide small water, electric, and gas utilities with access to its Dragos Platform software and other resources. Insurance carriers are partnering with companies to provide cyber insurance products for this market, such as eSecure.ai's latest offering specifically targeting micro businesses and independent contractors.
Dark Reading in Plaintext is brought to you by Wiz
The 2023 Cloud Vulnerability Report
Cracking the code to vulnerability management. Vulnerability management in the cloud is no longer just about patches and fixes. In this latest report, the Wiz Security Research team put vulnerability management theory into practice using recently identified vulnerabilities as examples. Download the 2023 Cloud Vulnerability Report today.
Latest Research from Black Hat Europe 2023: During Black Hat Europe in London this week, security researchers discussed vulnerabilities and security weaknesses in a variety of technologies, including large language models and firmware. A vulnerability in Android's WebView autofill capabilities could result in password managers leaking passwords. A project automates the discovery of insecure cryptographic algorithms in open source software. There were keynotes from the CTO of the United Kingdom's National Cyber Security Centre (NCSC) and the former CISO of Uber.
What We Are Reading
What We Heard On-Air
Tune in to our on-demand webinar "Cyber Risk Assessment Tips From the Pros" to hear experts discuss best practices in risk assessment.
“One thing I see a lot in this industry is an obsession with confidentiality at the expense of other risks.” Matt Kunkel, manager, Mandiant
From Our Library
Check out some of the latest reports from our Dark Reading Library.
On That Note
With 2024 on the horizon, we are thinking about new and evolving threats we expect to see next year, as well as emerging products and technologies to help mitigate those threats. Black Hat, Dark Reading, and Omdia will explore threats and technology trends as part of a full-day virtual event on Dec. 14. Tune in to hear Omdia's Maxine Holt give her 2024 outlook and stick around for panel discussions on cloud threats to worry about and New Year's resolutions for the security teams. See you Dec. 14!