Small Business Cybersecurity: The 5 Most Common Mistakes

There was a period long ago when small businesses could (partly) rely on their size to hide them from hackers. But the time for “security through obscurity” has long passed, and cyber criminals now target small and midsize businesses at almost the same rate as enterprises.

According to statistics from penetration testing company Astra Security, approximately 43% of cyberattacks target small businesses annually, with an alarming 46% of these attacks being directed at companies with 1,000 or fewer employees. The average attack costs $25,000 per incident.

While designing and building a comprehensive cybersecurity strategy takes high level expertise, there are some relatively simple cybersecurity issues that we find routinely contribute to a high number of hacks here in Tampa.


Here’s what businesses can look out for, and some tips for keeping yourself safe.

1 - Weak Passwords and Poor Password Management

Here’s a terrifying security factoid: the password “123456” has been consistently at the top of the list of commonly used passwords for several years in a row. Even in 2023, after decades of articles, training sessions, and face-to-face advice, poor password practices continue to cause massive trouble for many small and medium businesses.

Why? Weak passwords contribute to a host of serious security issues, such as increased vulnerability to “brute-force” attacks in which hackers simply try to guess your password to gain system access, phishing attacks, internal unauthorized access to sensitive data, and compliance problems.

Two of the most effective ways to overcome this problem are multifactor authentication (MFA) and password managers.

MFA adds an extra layer of protection beyond the password by requiring users to present two or more forms of identification, not just a password, before they can access an account. The additional factor may be biometric data (facial recognition, fingerprints, etc.) or a one-time password (OTP) delivered to a trusted mobile device.

MFA is the single most effective cybersecurity step you can take: according to Microsoft, it blocks over 99.9% of authentication-based attacks.

It is also never advisable to use the same password for multiple accounts, a point you should make clear to your staff on a regular basis. Password managers generate and store a unique password for every account, which automatically enforces password best practices.

2 - Not Preparing your Staff for Cybersecurity Success

Employees are considered the weakest link in an organization and the number one cause of infiltration and data loss.

Given this, it is critical that you have a cybersecurity training program in place that makes employees aware of potential threats and prepares them to counter those dangers.

This is especially true as ChatGPT and other AI models enable attackers to gather and analyze vast amounts of data about potential targets from various sources, such as social media, public databases, or previous breaches. This information is then used to craft highly personalized and convincing phishing messages.

By allowing criminals to tailor the content of their attacks at scale, hackers increase their chances of success and dramatically raise the bar for security training programs. Businesses must implement regular cyber awareness training, which includes testing their employees’ abilities, tracking progress, and making targeted improvements to proactively stay ahead of those threats.

3 - Poor Patching and Updating Procedure

Unpatched software and hardware are a common source of cybersecurity attacks, although most businesses without internal security staff don’t fully realize what that means or how vital this security measure is.

The SolarWinds attack in December 2020 that made national headlines was the result of unpatched software, which allowed hackers to insert malicious code into the company's software. That infected software was then distributed to SolarWinds customers.

In this case, hackers used that foothold to gain unauthorized access to both private and government organizations, resulting in several massive data breaches that did millions in damage.

Another high-profile, infamous attack that resulted from unpatched software was the WannaCry ransomware attack in May 2017. This highly successful ransomware exploited a vulnerability in Microsoft’s Windows operating system for which the company had already released a patch a few months before the attack.

Because organizations had not installed the security updates, their systems remained vulnerable, and the ransomware spread across the globe with remarkable speed, causing up to $4 billion in damages.

4 - Neglecting Disaster Recovery Maintenance

Your business needs to have a plan for responding to disasters of all kinds, including natural disasters such as an earthquake or a flood (which are happening with greater frequency), or a man-made disaster such as a cyber-attack.

According to Accenture’s Cost of Cybercrime Study, small businesses are targets of 43% of cyberattacks, yet only 14% are prepared to protect themselves and recover.

Having a disaster recovery plan (DRP) is more than just backup. It’s being able to use well-maintained backups to restore services after an attack to minimize disruption and contain financial damage. It’s a combination of IT systems, people, processes, and careful planning.

Testing is an area of particular weakness for many organizations.

To properly test your DRP, you must define a clear set of objectives and create a comprehensive test plan that outlines the scope, methods, roles, and timelines for the test. Then isolate the test environment to avoid impact on live systems and simulate all the disaster scenarios that you’re trying to prepare for.

Monitoring and documenting the recovery process, then evaluating the results against the predefined objectives, will give you a clear picture of whether you are as ready for a cyberattack as you think you are.

5 - Not having an Incident Response Plan

A cybersecurity incident response plan is a documented set of procedures and guidelines that enable you to efficiently handle and mitigate cybersecurity incidents within your organization.

What happens if your network gets infected with malware? Or if an employee takes a password with them as they leave your company? What if someone loses a cell phone? These are just some of the scenarios that a properly designed incident response plan (IRP) will prepare you for.

Building an incident response plan can be a complex process, but here are the steps you can follow to build a viable IRP:

  • Start by auditing and documenting your network. Understanding your entire IT infrastructure and potential threats allows you to define the objectives and scope of the plan.
  • Assemble a response team with predefined responsibilities to ease communication and decision-making.
  • Identify which incidents you want to be able to respond to and classify them based on the likelihood of them happening and the severity of their impact.
  • Develop and document response procedures for detecting, assessing, containing, eradicating, and recovering from each of the incidents you’ve just identified.
  • Regularly test the incident response plan with the help of simulations and tabletop exercises, ensuring that the measures you’ve chosen function as you hoped.
  • When an incident occurs, analyze both the incident itself and your response to understand what happened, how it was handled, and what can be improved.
  • Regularly review and update the incident response plan to adapt to new threats, address changes in your IT infrastructure, or lessons learned from past incidents.

If that process feels overwhelming to you, we encourage you to reach out to the friendly LNS Solutions team for help. In our 20 years of cybersecurity service to Tampa businesses, we’ve developed a streamlined process for incident response planning that takes all the guesswork and uncertainty out of the process.

Tampa’s Trusted Cybersecurity Expert

For 30 years, the LNS Solutions team has been helping businesses in Tampa defend themselves against cyber criminals, malware, ransomware attacks, and more. If your business is struggling to achieve the resiliency and confidence you need, contact our helpful team any time at (813) 393-1626 or We look forward to speaking with you!

