IS Decisions logo

IS Decisions Blog

The challenge to secure SMBs (small and medium-sized businesses)

SMBs and the MSPs serving them face a challenge: IT security needs to be just as effective as enterprise-level software, but the tech needs to be easy for one person to implement and manage.

Published May 31, 2018
The challenge to secure SMBs (small and medium-sized businesses)

Small & medium-sized businesses (SMBs) today are under attack from malware, ransomware, external threats and data breaches. But with the lack of sophistication around most SMBs’ security stance, the prospect of remaining unaffected by attacks is bleak. The challenge to secure SMB access is to balance easy implementation and use with protection against sophisticated attacks.

Enterprise-caliber access security with SMB sensitivity

Learn how SMBs, and the managed service providers (MSPs) servicing them, can get big business protection in terms of focus and effectiveness, but with SMB sensibilities in terms of implementation and use.

The impact of security on an SMB’s bottom line

A tour of any modern SMB office highlights how IT solutions are critical to business success.

Case in point: what would success look like for your organization without email, communication systems, productivity applications, and enterprise tools? Everything from organizing processes to reporting on financial data. And yet despite this, IT Security is still viewed as an unwelcome cost, rather than an enabler of business solutions.

IT matters to small-medium business success, and security matters to IT success.

Today any SMB can quickly adopt a new technology to gain new capabilities, improve efficiency and/or reduce costs. However each new application creates a need to secure SMB users, data and the environment that the solution integrates into.

Those who treat security as an onerous requirement that is invoked each time a new technology is contemplated will be slow to adopt and slow to profit from new efficiencies.

SMBs that build effective IT security frameworks can move more quickly and surely than their competitors. Environments without effective IT security solutions will have difficulty innovating and are likely to fall behind more nimble competitors.

But, it’s no easy feat securing the SMB

Firstly this not about spreading FUD (fear, uncertainty and doubt). According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.

SMBs are a lucrative target because most do not have sufficient defenses in place to protect, detect or react to attacks.

The Verizon Data Breach Investigation Report highlights how the attack surfaces at SMBs and enterprises share more in common than ever before, thanks to widespread use of similar services and infrastructure.

Why the SMB is a target

It’s not so much these exact reasons: lack of resources, lack of expertise, lack of information, lack of time, lack of training although they are all very relevant and real. The common issue on why we are seeing SMB as an easy target is because there is a “lack of something.”

  • Lack of resources
    SMBs have already made an investment in their existing systems and technology. They want to avoid onboarding a single solution that requires an overhaul to the whole infrastructure, updating storage, or updating the operating system.

  • Lack of expertise
    The challenges are also becoming more and more complex. Organizations need to deploy security solutions that extend to remote locations and cover roaming and mobile users. For those customers that are located in a distinct geographic region, the problems are often just as complex. They have partners, consultants, supply chains that extend beyond the traditional network perimeter and make things even harder to defend.

  • Lack of information and training
    Most small and medium sized businesses do not have a sizable IT team. Security solutions with stickiness tend to be simple to implement and intuitive to manage.

  • Lack of time
    Smaller businesses are understandably focusing on being operational from day to day, so they can serve customers to keep the business going and pay the staff working. Medium sized businesses often lack the buy in from management who need to be better educated on the dangers to make this a priority and offer the resources and training for IT to fulfill their security needs. It’s not just about money. Cybersecurity perspectives are available to assist the SMB, but it takes time.

The state of SMB security today is focused on primarily protective security

An effective security stance should go beyond merely “raising the shields” around users, data and networks.

But today most SMBs focus on protective security such as antivirus, patch management, email or web filters, application whitelisting and perhaps an intrusion detection system or two-factor authentication (2FA) for your most privileged accounts.

There’s nothing wrong with this. These are obvious protection and prevention steps you should take, but it’s not enough to just put the barriers up.

Despite best efforts, compromise will continue to exist. Attackers improve, look for new ways to take advantage and the problem is no one is detecting this. And if no one is detecting, no one can respond.

In fact, sometimes the challenge with a breach is to know they even happened at all. According to IBM's 2023 Cost of a Data Breach Report, it takes on average 204 days to discover a breach.

The best protective strategy therefore needs to be validated over time. "Detect and react" should be used to ensure preventative measures are working. That is, spotting and reacting to abnormal or suspicious activity.

Implement MFA across all users

The “lack of something” in SMB security resources often leaves IT admins to restrict MFA, if present at all, to privileged accounts.

While each organization has a different balance, you’ll reduce risks by extending security down the “non-privileged” path as possible. The real value of MFA is to protect any account with access to critical data, applications and systems.

And that’s perfectly attainable for SMBs. MFA is dogged by common myths, such as its too costly, complex or frustrating for SMBs. But MFA has evolved dramatically. With the right solution, you can implement customized, granular MFA that helps you strike the right balance between employee productivity and security.

Set up automated controls that take action before damage is done

But don’t stop with MFA. While spending all your (limited) time trying to monitor every last bit of the network is a failing proposition, there are other ways to automate preventative measures.

Monitoring in and of itself is a pretty costly mode of operation; it requires significant IT time and resources to put proper detection mechanisms in place, will likely raise an initial set of false positives that need to be fine-tuned, and necessitates reports and meetings to ensure the detection is actually working.

All small and medium businesses battle against lack of time and resources. They are far better off running and monitoring solutions that offer automated controls in addition to threat identification and real time response.

In short, should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done (and not only when IT intervenes).

Enterprise-caliber security with SMB sensitivity

So how does a secure SMB build an approach that safeguards their organization, users and data?

Firstly, security solutions for an SMB and MSPs servicing them, should not be any less effective than it is for an enterprise client. The data is no less sensitive, the disruption no less serious. They need enterprise caliber defense in terms of focus and effectiveness, but with SMB sensibilities in terms of implementation and use.

Here are 8 SMB-friendly criteria to achieve minimum effort for maximum impact


Look to add layers, like MFA, to your SMB security strategy. Putting a layered defense in place maximizes your chances of stopping a threat before it starts.


Solutions that just offer information result in the need to hire a watch dog. Choose intelligence and insights that can help spot and stop a breach.


Should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done not only when IT intervenes.

Limited administration

Most small and medium sized businesses do not have a sizable IT team. Security solutions with stickiness tend to be simple to implement and intuitive to manage.


SMBs cannot take a lot of false positives. There's no time to chase 50 alerts a day.

Non disruptive for IT

Solutions that work alongside existing infrastructure don’t frustrate IT teams.

Easy adoption

If security overwhelms and stifles productivity, users can’t do their job and the solution is already dead on arrival. Security should be behind the scenes, protecting the users and the environment until the moment the user is truly conflicting with security protocol.

Cost effective

If you agree with the "when" not "if" premise, then you already know your security strategy is incomplete and requires more investment. Security doesn’t have to come at a high cost – but it does have to be effective in relation to its cost.

Secure the SMB against external attacks and internal security breaches

Logons provide one of the clearest indications of potential compromise. They are the one common activity across nearly all attack patterns and often effortlessly compromised. It only takes a careless employee to share a password or leave a workstation unattended. Even the most careful employee can be exploited and the victim of stolen credentials.

With UserLock MFA and contextual restrictions, IT teams can make sure authenticated users are who they say they are, even when credentials are compromised. Logon attempts that don’t satisfy the second authentication factor along with any established restrictions are automatically blocked, before any damage is done. Risk detection tools alert on other suspicious activity offering IT administrators the chance to instantly react. Working alongside Active Directory, UserLock extends SMB security far beyond group policies and native Windows functionality.

"UserLock is simple to install, easy to configure and offers a level of protection that all small, medium and large business should be implementing as part of their security roadmap."

- Ricky Magalhaes,

Video thumbnail

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial