Security Guidance

Assessing the Cyber Risk to Small Business 2019

December 15, 2019

Assessing the Cyber Risk to Small Business 2019

Having a cyber security plan or strategy is something that haslong been associated with larger enterprise organisations, but with the continuedrapid increase of online threats and weekly reports of data breaches, this isno longer the case.

In the last few years Small and Medium businesses havebecome common targets for hackers and cyber criminals. As large enterprises spendbig money on securing the organisation, SMB’s are the opposite often having nothoughts, plan, or budget for security, making them easy targets for attackers.

The main issue why smaller companies don’t prepare andsecure their business is that they don’t think it will ever happen to them. Theyfeel that:

  • They are too small to be of interest toattackers.
  • They have nothing of value worth stealing.
  • If they do get attacked, they don’t believe itwill impact their business or its reputation.

The reality is small businesses simply do not understand therisk and impact of a cyber-attack. According to a report by Hiscox 47% ofSmall businesses (1-49 employees) and 63% of Medium businesses (50-250employees) across the UK, Europe and the US, have been impacted by a cyber-attackin 2019 and this is only getting worse each year.

In an effort to stem this continued downward slide, Ironsharework with UK based SMB’s to assess and improve their cyber maturity, with anultimate goal of reducing the risk of cyber-attack for each organisation.

Key Assessment Findings

During 2019 Ironshare have performed numerous CyberAssessments for Small and Medium businesses, with some unsurprising results. Belowwe share with you some of the key findings from our assessments.

IT System & Application Updates

Keeping systems up to date with the latest versions is oneof the leading core fundamentals in Cyber Security. This significantly reduces boththe number of vulnerabilities in your systems and the likelihood of successful attack.

Unfortunately, 53% of those assessed did not have aregular patching process to update their IT systems or software applications.

Those that did have a patching process, mostly focused onWindows patching and neglected software applications and network devices. Rememberthat your patching process must include all IT systems and software not just Windows.

Patching Stats
User Education                 

Another cyber fundamental is User Awareness training. Byeducating your users, who are typically the weakest link in your organisation’ssecurity, you can prepare them to spot signs of malicious activity.

Our assessments show that 51% failed to provide theirusers with fundamental security awareness training.

Even the most basic of user education is better than none. Tryto provide awareness into the most common threats, such as phishing attacks,social engineering and online fraud to better prepare your users.

If your budget can reach, then we also recommend implementingphishing simulation campaigns, to enhance education and provide insight into theusers that may prevent the biggest risk to your company. Evidence shows that companydirectors / VIPs often present the biggest risk.

Default Passwords

Default passwords are configured by the vendors of new hardwareand software. They are readily available from the internet, giving attackers aneasy way to gain access to devices on your network.

We found that 42% of customers had Default Passwordspresent on one or more network connected devices.

Like with patching above you need to ensure that all defaultcredentials are replaced during the deployment of new hardware and software,including network, printer and IoT devices, not just Windows systems.

System & Data Backups

Backups are essential in today’s world that relies oninformation and data to succeed. Backups ensure that in the event of a disasteror cyber attack you can quickly recovery your data with reduced impact tobusiness.

Unsurprisingly 65% did not have an Offline Backup solutionin place. This is a common gap in the security of organisations and is as commonin large enterprises as it is in small business.               

We recommend implementing an offline backup solution toensure that your organisation’s data is safe. Malware infections such asRansomware can delete or encrypt your files; which makes performing offlinebackups vital to retaining your data in these situations.

Don’t fall into the trap of thinking that because your datais in the cloud that it is backed up, this is often not the case. A separatesolution is normally required. Also be sure that your backup is truly offlineand away from the systems you want to protect. Storing backups on network sharesor storage, or always available USB drives is not an offline backup.

Web and Email Security

Web and Email are the two biggest methods for deliveringthreats on the internet today. Over 95% of successful attacks start withan email, which can deliver malware as an attachment or direct users to a maliciousweb site that can then deliver malware or steal your data.

83% of customers had no or only limited protectionfrom web or email threats.

We all know that Anti-Virus and Firewalls are fundamentalsecurity components of any network, but they fall very short when blocking modernday threats. This is why you need multiple layers of security.

You should always consider implementing a secure web or emailgateway, to control which places your users can access on the internet and ensurethat bad email is filtered before reaching your users. This will help defendagainst common malware and phishing attacks.

Vulnerability Management

What you don’t know about, you cannot protect. This is relevantto both Vulnerability and IT asset Management. Understanding your assets andknowing the vulnerabilities that may exist in them is critical to establishingand maintaining a strong cyber security posture.

With 86% having no capability in place to identifyand manage vulnerabilities across their IT assets, the risk to small businessis huge.

We recommend carrying out annual vulnerability assessmentsas a minimum. This is another area that can help to prioritise items whentrying to create a new cyber action plan.

Internet Exposed Services

Knowing and controlling what services you make available to thepublic via the internet, is critical to securing an organisation. Having excessiveor vulnerable services exposed, increases a hacker’s opportunity to launch asuccessful attack.

64% of customers allowed Vulnerable Services andProtocols to be accessible from the internet.

Most of these organisations had management protocols such asRemote Desktop Protocol (RDP) accessible from the internet; this is a commonmethod used by malicious actors to gain access to an environment and launchRansomware attacks. Ensure that only necessary services are available from theinternet, and that management services are only accessible from the internalnetwork.

Multifactor Authentication & Password Security

Of the customers assessed, it was disappointing to find thatnone were using, enforcing or even recommending the use of Multi FactorAuthentication (MFA) to their users.

In addition, only a single customer was recommending the useof Password Managers.

Studies show that approx. 75% of people reuse thesame password on more than one website or service. And with the ever-risingnumber of data breaches, we see the number of compromised accounts continue toincrease with them.

Password Managers provide users with a safe way to generateand securely store unique random passwords and reduce the password reuseproblem. While MFA adds another layer of security to the users accountrequiring a one-time passcode and reducing the risk of account compromise.


The assessments and their associated results highlight thefact that most smaller companies are just not preparing themselves effectivelyand securing their businesses.

Core fundamentals are not being addressed in most caseswhich leaves organisations vulnerable to the most common of cyber-attacks.

Considering that most of these organisations had experiencedsome form of security incident in the last 2 years, this is more evidence of howimportant it is to get the basics in place.

If you are not sure where to start with your cyber security,then begin with completing a Cyber Assessment. Engaging a specialist to assessyour business security is a great first step to understanding your risks andgaps. Assessments will help you to focus on the items with the highest risk anddeal with these first.

Please don’t be another cyber statistic, start securing your business today!


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi