Essential Cybersecurity for Small Businesses
In an increasingly interconnected business world, many small companies underestimate their dependence on IT systems and the associated security risks. While medium and large companies often have specialized IT departments and comprehensive security strategies, small businesses often lack the resources and awareness for cybersecurity. This leads to insecure, pragmatic solutions that pose significant risks. Our mission as security experts is to raise awareness of IT security and work with company owners to develop practical, affordable, and efficient security concepts.
Medium and Large Companies Are in a Relatively Comfortable Position
When we talk about security in companies, we often refer to medium-sized or even large enterprises. This is understandable because their IT systems are more complex, and complexity fascinates and challenges. These companies have often grown over decades and may have increased in size and structure through acquisitions or mergers. These expansions have made the IT infrastructure more versatile and complex, thus multiplying the challenges in cybersecurity.
In such companies, there are usually dedicated IT departments that manage and secure networks, systems, and databases. These departments are often well-equipped and offer dedicated jobs focused on cybersecurity, such as Security Analysts, IT Security Managers, or Cybersecurity Engineers, all aimed at protecting the company’s digital resources.
Because medium-sized and large companies are aware of their market presence and the associated risks, they generally have a clear understanding of the factors that could affect their existence and success. This insight allows them to take targeted, preventive measures to ensure their survival. These measures often include comprehensive cybersecurity strategies, ranging from regular security audits and penetration tests to the use of technologies such as machine learning to detect and counter threats early.
Additionally, such companies invest in training and sensitizing their employees to cybersecurity issues. Awareness programs and regular training are crucial to ensure that all employees follow best practices and can recognize potential threats.
Even though there is still much room for improvement, medium and large companies, through their structured approach to cybersecurity, are able to create a robust shield against the diverse threats of the digital world, thereby securing their business processes and data.
The Daily Survival Struggle of Small Businesses Leaves Little Room for Cybersecurity
The situation is quite different for micro and small enterprises (MSEs). These companies face the daily challenge of surviving financially for the next month, quarter, or year. Their primary goal is to secure their existence and keep their business operations running continuously. Their focus is mainly on procuring materials, manufacturing products, or providing services. These processes are often dependent on a delicate financial balance. Even a late payment from customers can force a small company to dip into their painstakingly built financial buffer to cover ongoing costs.
Therefore, micro and small enterprises concentrate all their efforts directly on their customers. The key business elements in these companies are typically customers, suppliers, invoices, rent, fleet (such as machinery and vehicles), and payroll. These core elements dictate the daily operations of the companies. Compliance with tax laws, various regulations, and guidelines poses an additional challenge, as these are often associated with significant bureaucracy that must also be managed.
Formalized processes and procedures are almost nonexistent in these companies. Because there are so few employees, tasks are often handed over and carried out spontaneously and informally. The lack of structured processes and documented workflows leads to uneven efficiency and consistency in day-to-day operations.
A common observation in countless conversations with small business owners or service providers is that they underestimate their dependency on IT systems. Despite the fact that even small companies increasingly rely on digital technologies—be it for communication, accounting, order processing, or inventory management—many do not recognize the potential risks associated with using these systems.
This underestimation leads to a near absence of engagement with cybersecurity. Priorities lie elsewhere, namely on the immediately business-relevant activities. The importance of IT security is often only recognized too late when an incident like a cyberattack or data loss occurs.
Micro and small enterprises often operate in a constant survival mode, with immediate business challenges and a focus on customers and finances pushing necessary attention to IT security into the background. This poses a significant risk, as cyberattacks or technical disruptions can have severe consequences for the business operations and financial stability of these small companies.
Small Businesses Underestimate Their Own IT Infrastructure
In my conversations with small business owners about their IT infrastructure, I repeatedly notice how much they underestimate how deeply IT pervades their company. Many also fail to see how intertwined business and personal device usage has become. Their business is inseparably linked to their (private) life.
As mentioned earlier, small businesses are much more focused on their customers. Any engagement with additional topics would consume resources that the company cannot afford. The concentration on core business and immediate customer care is of the highest priority, while dealing with IT security is often neglected.
Consider the following statements:
- I only have a smartphone as an always-with-me device, especially for customer contact and scheduling.
- I usually use a program from ExampleCompany for invoicing on weekends, installed on the home PC.
- There is a surveillance camera installed in my business, and I can check it anytime via an app.
- My POS system is connected to the office wifi.
- The card payment terminal uses the same wifi as my other devices.
- I control the scrolling text and the monitor in the shop window from the office PC. I can also update the latest offers from home.
- My router in the office of the shop is the only device between my network and the Internet.
- There are also machines or devices of my partners in my network. They come by once a month to service them.
- Each of my employees is allowed to use the Internet and install the software they need.
- I have a separate wifi for my customers.
- Over there in the box are a few old but functional hard drives that I wanted to give away.
- Some of the sales representatives, especially those I’ve worked with for years, have access to my network.
- My nephew, who is good with computers, takes care of my network.
- I do the bookkeeping at home.
- I back up the cash register data on a USB stick that I take home. There, I transfer the data to an external hard drive via my PC.
These statements illustrate how intertwined business and personal devices are in small businesses and how often business operations rely on pragmatic but insecure solutions. Several of them describe a single flat network in which the POS system, the card payment terminal, the surveillance camera and partner-serviced machines all share one router and one Wi-Fi, so a compromise of any one of them puts the others within reach. For the owners, it is often difficult to say exactly how many devices and services they actually use and for what purposes. Even in a one-person business, there can be ten or more devices; as the number of employees grows, this number rises rapidly.
They usually know little to nothing about the configuration or patch level of their IT systems. Passwords are reused, the antivirus software on their PCs is an expired trial version, and backups (where they exist at all) have never been tested by restoring from them. For IT matters they often rely on "specialists in their circle of acquaintances." This is not a reproach: their focus is rightly on their own field of expertise, which is what they sell to their customers.
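An untested backup is the recurring weak point in the scenarios above (the cash register data carried home on a USB stick, the external drive fed from the home PC). The following script is an added example, not code from this article or from any of the businesses it describes: it builds a SHA-256 manifest of the original data and compares it against a copy, reporting files that are missing, altered or unexpectedly present. The "register" directory, the two CSV files and the "usb_good"/"usb_bad" copies are constructed sample data created in a temporary directory so the script runs offline; in practice you would point `verify_backup` at the live export folder and the mounted backup medium.

```python
"""Check that a backup copy really matches the data it is supposed to protect."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> list[str]:
    """Return human-readable problems; an empty list means the backup is a faithful copy."""
    expected = build_manifest(source)
    actual = build_manifest(backup)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing in backup: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected extra file in backup: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed example (not real data): a fake cash-register export with one good
    and one silently damaged copy, as might come back from a USB stick."""
    work = Path(tempfile.mkdtemp())
    source = work / "register"
    (source / "2024").mkdir(parents=True)
    (source / "2024" / "sales-01.csv").write_text("date,total\n2024-01-02,123.40\n")
    (source / "2024" / "sales-02.csv").write_text("date,total\n2024-02-01,98.10\n")

    good = work / "usb_good"
    shutil.copytree(source, good)

    bad = work / "usb_bad"
    shutil.copytree(source, bad)
    (bad / "2024" / "sales-02.csv").write_text("date,total\n")  # truncated copy
    (bad / "2024" / "sales-01.csv").unlink()  # file lost on the stick

    result = (verify_backup(source, good), verify_backup(source, bad))
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good copy:", good_problems or "OK")
    print("bad copy:", bad_problems)
```

The point of the check is that a copy which "looks complete" in a file browser can still be truncated or incomplete; a digest comparison against the original catches both, and running it regularly is the minimum that turns a USB stick into a backup that has actually been tested.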
Security Experts as the Key to Effective Protection for Small Businesses
Here lies the leverage for us security experts: We need to focus on raising awareness for security and work together with business owners to develop tailored concepts and practical solutions. It is crucial that security is not seen as a hindrance but as an advantage for the company and its customers. The solutions must be simple, straightforward, and affordable. Company owners must become aware of their responsibility in terms of cybersecurity—for themselves, their employees, and their customers.
Although media attention goes mostly to the spectacular cases involving the major players in the market, the aggregate potential damage across the sheer number of small businesses is enormous. We can and must do our part to improve security in small businesses effectively and sustainably.