Skip Navigation
BlackBerry Blog

Protecting the SMB: 3 Misconceptions

(This Cyber Tactics column, “Protecting the SMB: 3 Misconceptions” written by John McClurg of BlackBerry, was originally published August 3, 2022, in Security Magazine. Excerpted with permission – access the full article here).

There are several ways small- to medium-sized businesses can achieve a stronger security posture with limited resources.

I was just leaving my Birds of a Feather roundtable discussion at the recent RSA conference when I saw the following tweet from BlackBerry’s VP of Threat Intelligence about cyberattacks targeting small- and medium-sized businesses (SMBs):

He references a Wall Street Journal article that poses the question: Why do small businesses struggle with an increasing number of cyberattacks? Part of the problem, the article says, is that “they don’t believe they are targets, so they don’t make security a priority.”

Why do many SMBs still believe nation-states and criminal hackers only go after “the big dogs”? There is plenty of evidence to the contrary.

Let’s explore three misconceptions that exist in this area and what we can collectively do to address this challenge. One thing is for sure — if we don’t work together to solve the issue of SMBs being targeted by adversaries, those adversaries will leverage that failing to their advantage.

Misconception #1: “We don’t have anything an adversary would value.”

During my Federal Bureau of Investigation (FBI) career, important lessons were thrust upon me. One of them was that almost no one believes or expects they will be a victim of crime. This misconception places small- and medium-sized organizations in peril when it comes to cyberattacks.

Many SMB leaders believe they have “security by obscurity” or that they can “fly under the radar” of ravening cybercriminals and acquisitive nation-states. “What could we possibly have that is of value to cybercriminals? Why would they want our data when there is a sea of enterprise organizations to attack?”

Here’s one answer: Online extortionists increasingly want your data because you need it. And if they encrypt or steal the information or cripple the systems you need to stay in business, odds are you’ll pay to get it back. This is the motivation behind ransomware attacks.

To cybercriminals, you’re not just a regional advertising firm, a manufacturer in an office park, a grade school, or a group of medical clinics. You are a target and a potential payout.

Misconception #2: “I’m an insignificant player.”

Many smaller organizations fail to realize their critical role in the supply chain.

Consider the following scenario: Your company makes a proprietary part or material for the aviation industry. State-sponsored hackers interested in industrial espionage have several reasons to target your operations:

  • They want to steal your data and designs for their own strategic or financial advantage, imperiling your future success and profits.
  • They want to hijack your legitimate access to the IT network of a major commercial, military, or government partner, which may be their ultimate target.
  • They know you invest very little in security, compared to the “big fish” they’re after. Compromising your organization’s network to get access to the larger organization is easier than going after their target directly.

Cyber threat actors have been using these tactics for years, punctuating the importance of raising awareness among SMBs and mid-market companies. Recent headlines make it almost impossible not to have noticed the supply chain attacks against SolarWinds, Kaseya, and Okta.

All these events should give an SMB pause to consider who they partner with and whether that trusted relationship could make them a potential cyberattack target. I wrote about the importance of cybersecurity across the supply chain in an earlier column this year.

Misconception #3: “As an SMB, I can only afford firewalls.”

Many SMBs have significant financial and talent constraints requiring them to be laser-focused on productivity, growth, and sales. They typically put up a firewall, deploy traditional anti-virus protection, and hope they are covered. In a world where threats are constantly changing and cybercriminals are adopting advanced nation-state tactics, that is no longer a viable approach.

Many SMBs throw up their hands because it is difficult and expensive to attract and retain cybersecurity talent. A lack of in-house expertise and staff can no longer be accepted as a cybersecurity roadblock, regardless of the size of one’s enterprise.

Steps to Better Cybersecurity for SMBs

There are several ways to achieve a stronger security posture, even with limited resources. Here are a few ideas to start:

  • Find out where you stand by benchmarking your security against the five core principles of the NIST Cybersecurity Framework. These principles are: Identify, Protect, Detect, Respond & Recover. You can’t address deficiencies you aren’t aware of.
  • Enable multi-factor authentication (MFA) wherever possible within the organization.
  • Consider a managed extended detection and response (MXDR) subscription. XDR can allow enterprise-wide security awareness and proactive capabilities to repel attacks, but it can be complex and expensive to implement for any size business, let alone an SMB or mid-market player. Managed XDR can be an easy-to-implement option that relies on third-party experts to manage the complexity for you, delivering the benefits without the disadvantages.
  • Consider implementing zero trust network architecture (ZTNA) to harden networks and reduce cyber risk. This is another area that can tax the resources of an SMB, so you may want to call in help and lighten the load on internal teams. Implementing Zero Trust as a Service could be an approach worth looking into.
  • If in doubt, consult a reputable managed security service provider (MSSP) and ask them to do an assessment of current defenses to identify potential risks.

The last thing I’ll stress again is the fact that we are all in this cyber fight together. If you’re in an enterprise organization, help bring SMB vendor partners along the path to better security. That consideration, more than anything else, could keep your own organization from being breached.

Read the full article in Security Magazine

John McClurg

About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on the risk challenges today and how BlackBerry uniquely mitigates them with the application of machine learning and other AI supported solutions. He champions a move from a historically reactive security posture, to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International; Lucent/Bell Laboratories; and in the U.S. Intel Community, as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.