SMB cybersecurity posture weakened by COVID-19, Labs report finds

In August, Malwarebytes Labs analyzed the damage caused by COVID-19 to business cybersecurity. Because of immediate, mandated transitions to working from home (WFH), businesses across the United States suffered more data breaches, lost more dollars, and increased their overall attack surfaces, all while experiencing a worrying lack of cybersecurity awareness on behalf of workers and IT and security directors.

Today, we have parsed the data to understand the pandemic’s effect on, specifically, small- and medium-sized businesses (SMBs).

The data on SMB cybersecurity is troubling.

Despite smart maneuvering by some SMBs—like those that provided cybersecurity trainings focused on WFH threats, or those that refrained from rolling out a new software tool because of its security or privacy risks—28 percent of SMBs still paid unexpected expenses to address a malware attack, and 22 percent suffered a security breach due to a remote worker.

Those numbers are higher than the averages we found for companies of all sizes in August—by a respective 4 percent and 2 percent.

The numbers don’t look good. But perhaps more worrying than the actions that befell our respondents are the actions they might fail to take themselves. For example, while a majority of SMBs said that they planned to install a more permanent WFH model for employees in the future, the same number of SMBs said they did not plan to deploy an antivirus solution that can specifically protect those distributed workforces.

Further, while SMBs widely agreed that they were using more video conferencing, online communication, and cloud storage platforms during WFH—thus expanding their online attack surface—a worrying number of respondents said they did not complete any cybersecurity or online privacy reviews of those software tools before making them available to employees.

The cybersecurity posture of organizations of all sizes, including SMBs, can and should be taken seriously—especially as WFH becomes the new normal.

A closer look at SMB cybersecurity

Today’s data represents a follow-up to our August report, Enduring from Home: COVID-19’s Impact on Business Security, in which we surveyed more than 200 IT and cybersecurity executives, directors, and managers from businesses of all sizes. Our analysis today takes a magnifying glass to the more than 100 respondents who work for companies that have between 100 and 1,249 employees.

We separated the data into three bands according to company size: companies with 100–349 employees; companies with 350–699 employees; and companies with 700–1,249 employees.

At times, certain patterns or unique findings emerged within those bands.

For example, larger SMBs had far greater concerns about the effectiveness of a remote IT workforce. When asked about their biggest cybersecurity concerns with employees now working remotely, 50 percent of respondents working at companies with 700–1,249 employees said “our IT support may not be as effective in supporting remote workers.”

Respondents from smaller organizations, however, were not as concerned. Only 27.3 percent of respondents from the smallest businesses we surveyed (100–349 employees ) and 21.6 percent of midsized companies (350–699 employees) answered the same.

Intuitively, this makes sense—larger companies have more employees and more potential opportunities for ad-hoc cybersecurity and IT issues that should be addressed. But without an office, those issues might be ignored by employees. Similarly, those issues might become so frequent that they overwhelm remote IT workers.

Elsewhere in the data, in at least one situation, we found a potential correlation between company size and pandemic impact.

Like we said above, across all SMBs, 28 percent said they paid unexpected expenses to address a malware attack.

But that percentage increased depending on the size of the company affected. Surprise malware expenses hit 21.2 percent of companies with 100–349 employees, 29.7 percent of companies with 350–699 employees, and 30.4 percent of companies with 700–1,249 employees.

Maybe, then, there is some truth to the age-old saying: They bigger they are, the harder they fall.

Not every discovered trend was worrying, though.

Good trends in SMB cybersecurity

The immediate transition to WFH hit businesses everywhere, no matter their size. With no preparation time and sometimes lacking clarity from local and state governments for what was considered safe, businesses were forced to chart their own paths.

Despite these pressures, many SMBs rose to the occasion to protect their businesses and their employees, while also providing their workers with the tools and software necessary to succeed in their roles.

For example, 58.2 percent of respondents said their business provided work-issued devices as needed, and 41.4 percent said their business deployed previously unused software tools to maintain communication and productivity. Further, 56.9 percent of respondents said their business performed a cybersecurity and online privacy analysis of newly deployed software tools, while 21.6 percent said that those reviews led to a decision to not deploy a software tool.

Finally, 55.2 percent of respondents said their business provided cybersecurity trainings focused on the specific cybersecurity threats of WFH, with information on the importance of secured home networks, strong passwords, and unauthorized device access.

As SMBs showed promising action in the immediate transition to WFH, they also responded with encouraging preparations for the future.

More than half—56.9 percent—of respondents said their business would “develop stronger remote security policies,” 50 percent said their business would “host more cybersecurity trainings tailored for working from home,” and 48.2 percent said their business would “develop cybersecurity and online privacy reviews for new, necessary software in the transition to working from home.”

That last point is a welcome one. Though, as we showed, 56.9 percent of respondents said their business “performed a cybersecurity and online privacy analysis of any newly-deployed software tools,” those reviews may have been ad-hoc. Codifying these types of reviews into a broader set of policies is a good practice.

While all of these are encouraging trends, we cannot neglect some of the more worrying data points. In fact, one of our survey respondents accurately described some of same risks that we uncovered.

“Employees are not as vigilant as they would be working from home about potential cyber attacks,” said a Florida IT director at a company of 100 – 349 employees. “We’ve seen some lax efforts from some of our better more observant employees in the last few months.”

Conflicting postures in SMB cybersecurity

In our main report in August, we found potential cases of security hubris—the simple phenomenon in which a business believes it is more secure than it actually is. In our deeper analysis of SMB cybersecurity, similar trends emerged.

For example, when we asked SMB respondents to rank their preparedness to transition to WFH on a scale from 1–10, a majority ranked themselves highly—62 percent gave their business an 8 or higher, and 74.1 percent gave their business a 7 or higher.

However, our respondents’ actual transition to WFH did not involve the type of preparation and cybersecurity protection that would typically warrant such high evaluations.

Yes, 55.2 percent said they provided cybersecurity trainings focused on the specific cybersecurity threats of WFH, but think about the 44.8 percent who did not respond that way. Yes, 57 percent said they performed a cybersecurity and online privacy analysis of new software tools, but that likely means that more than 40 percent did not. Also, only 34.5 percent of respondents said they deployed a new antivirus tool for devices provided by the organization, which leaves us scratching our heads about the roughly 65 percent who did not say the same. What gives?

Amidst the transition to WFH, our SMB respondents entirely agreed on one aspect—they are using more tools, more frequently.

We found that 81.9 percent of SMB respondents said that their usage of video conferencing platforms, like Zoom, and Microsoft Teams, had increased “slightly more” or “significantly more,” 75 percent said the same about their increased use of online instant messaging platforms, and 69.8 percent said the same about their increased use of cloud storage platforms. Relatedly, 33 percent of respondents said they are using personal devices for work more often than their work-issued device, compared to the time before the pandemic.

Put into perspective, more software tools being used more frequently, with some employees reporting more frequent personal device usage, all points to one big problem—an increased attack surface.

And yet, even with this hard data showing an increased attack surface, 65.5 percent of respondents said their organizations were at least “equally secure” as they were before the pandemic; within those numbers, 35.4 percent went further, saying their business was actually “slightly more” or “significantly more” secure.

On our podcast Lock and Code, security evangelist and Malwarebytes Labs director Adam Kujawa explained why these positions are likely impossible to square.

“For the most part, I don’t see how people can actually say they’re more secure,” Kujawa said about the results from our broader COVID-19 report in August. “There may be an idea that, because folks are distributed—because remote workers are no longer located in a single, physical space—that they are somehow decentralized, and therefor harder to gain access to by cybercriminals.”

Kujawa continued: “The reality is that that is complete baloney.”

The clearest discrepancy between the words and the actions of SMBs came in the responses to their future. When asked about future plans to protect their businesses, 54.3 percent of SMB respondents said they would “install a more permanent work-from-home model for employees who do not need to be in the office every day.” However, just 38.8 percent said they would “deploy an antivirus solution that can better handle a more dispersed, remote workforce.”

This is disappointing because it seems so obvious. Any plans to install a more permanent workforce must include plans to protect that workforce.

Future proof

The advice that we offer to bolster SMB cybersecurity is similar to the advice we had for businesses of all sizes that were hit by the pandemic. Companies can come in many, many sizes, but none of those sizes are too small to care about cybersecurity.

You can read the full report to get a better understanding of those steps. In the meantime, though, if you’re really stumped, seriously, consider an antivirus solution.