Being an SMB isn’t easy. It’s often tough to respond to the latest cybersecurity threats at scale due to resource constraints and knowledge gaps. But make no mistake, guarding your company’s data is imperative, not only for protecting your business but also your customers.

Below, we’ve listed the seven most common security mistakes SMBs make and the best ways to address each.

1.) Weak Password Practices

Yes, this is still an issue in 2024. We would like to note that we totally understand the issues we all face with the sheer number of passwords we manage between work and our personal lives. For many, there is nothing worse than forgetting a password and having to go through confusing password retrieval processes to get back to work. However, we’re here to tell you that getting hacked is far worse than the inconvenience of waiting for that retrieval email.

According to LastPass, 81% of breaches are due to weak passwords, and while the retrieval process can be excruciating, it won’t lead to your company’s or your customers’ data being stolen. So, here are a few ways to improve your passwords and stop hackers in their tracks:

  • Keep your password secret. Tell NO ONE.
  • Use a different password for every login.
  • Password length is better than complexity… but make them complex, too.
  • Use multi-factor authentication (more on that later).

And when it comes to storing passwords, the days of keeping a log in our desk drawer are long over. Secure password management tools are designed to enhance online security by providing a centralized and encrypted solution for storing and managing complex passwords. Effective password management tools also often include features such as password strength analysis, two-factor authentication support, and secure password sharing options, contributing to a comprehensive approach to safeguarding digital identities.

2.) Failing to Keep Software Up to Date

Hackers are always on the lookout for weaknesses in systems to exploit, and since humans design these systems, they are inherently imperfect. For this reason, software is constantly updated to address security concerns as they arise. Every time you delay an update, you leave yourself and your customers exposed to yesterday’s security hazards.

You should always ensure your software is up to date to help prevent your company from becoming an open target. Closely monitor your applications and schedule time to check for the latest updates. Those few minutes can be the difference between keeping your data safe and leaving yourself open to a cyberattack.

3.) Gaps in Employee Training and Awareness

Phishing scams are not highly technical in nature; they rely on human trust and a lack of awareness to get past our cybersecurity defenses. This is the very reason phishing has become the most common form of cybercrime in the world, leading to stolen credentials that give hackers unrestricted access to your data systems.

It’s vital that your employees be able to identify some of the telltale signs of a phishing scam. These include:

  • The email is sent from a public address. A legitimate company is unlikely to send business email from a “gmail.com” address.
  • The sender’s address is misspelled. Many phishers use lookalike spellings to trick your eye into accepting an address as legitimate. If you ever get an email from “Cicso.com,” we promise you that’s not us!
  • The email is poorly written. A vast number of phishing emails originate from outside the U.S., and most hackers are not going to go through all the trouble of learning the nuances of American English before they start their life of cybercrime. If an email is poorly written, that’s a good indication you may be reading a phishing email.
  • The email contains unusual links or attachments, which are often designed to capture credentials.
  • The email is unusually urgent or pushy. Many phishing emails impersonate a company leader and demand information they “urgently” need, exploiting employees’ good nature or desire to do a good job.
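As an added example that is not part of the original post or any Cisco product, the following Python script applies the sender-domain, lookalike-spelling, credential-request and urgency checks above to two constructed messages; the trusted-domain list, the public-webmail list and the keyword patterns are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Public webmail domains a real vendor is unlikely to send from (constructed list).
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_DOMAINS = {"cisco.com", "example-corp.com"}  # hypothetical trusted senders
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|within 24 hours)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|credentials|verify your account|login details)\b", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 'cicso.com' is 2 edits from 'cisco.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw_email: str) -> list[str]:
    """Return the telltale signs found in a single-part text message (empty list = none)."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    flags = []
    if domain in PUBLIC_MAIL_DOMAINS:
        flags.append(f"sender uses public webmail domain {domain}")
    for trusted in TRUSTED_DOMAINS:  # lookalike: close to, but not equal to, a trusted domain
        if domain != trusted and 0 < levenshtein(domain, trusted) <= 2:
            flags.append(f"sender domain {domain} looks like {trusted}")
    if URGENCY.search(text):
        flags.append("urgent or pushy language")
    if CREDENTIAL_ASK.search(text):
        flags.append("asks for credentials or account verification")
    return flags

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """From: "IT Helpdesk" <helpdesk@cicso.com>
Subject: Urgent: verify your account

Your mailbox will be closed within 24 hours. Reply with your password immediately.
"""
SAMPLE_LEGIT = """From: "Payroll" <payroll@example-corp.com>
Subject: March timesheets

Timesheets are due at the end of the month, as usual. Thanks!
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` returns three flags (lookalike domain, urgency, credential request) while the legitimate sample returns none; a real deployment would add the list of domains your own organisation actually trusts.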

4.) Not Having an Incident Response Plan

We’ve talked a lot about ways to defend against a cyberattack, but what about after a cyberattack has occurred? It’s crucial that SMBs have a way to address cyberattacks if they occur, not only to reduce the damage caused but also to learn from mistakes and take corrective measures.

Your incident response plan should be a written document that goes over all the ways to address a cyberattack before, during, and after an event. It should outline the roles and responsibilities of members who should take the lead during a crisis, provide training for employees at all levels, and detail the steps each person should take.

This document should be reviewed throughout the company regularly and continually improved upon as new threats emerge.

5.) Neglecting to Use Multi-Factor Authentication

Sure, multi-factor authentication (MFA) can be a hassle when you need to log in in a hurry, but as we stated earlier, a breach will have a far more negative impact on your business than the few minutes of productivity you lose. MFA adds an extra layer of security to your data and is very easy to set up. Most cybersecurity tools on the market offer some form of MFA, so there’s really no reason to go without it. It’s especially important in today’s multi-device workplace, where employees access company data from work, home, or wherever they might be.

Which leads us to…

6.) Ignoring Mobile Security

Remote work continues to grow year after year. As of 2024, over one-third of workers in the U.S. who are able to work remotely do so, while 41% work a hybrid model. As remote work becomes the norm, more and more employees will rely on mobile phones for their day-to-day work needs.

That makes mobile security more important than ever since employees can now literally take vital company data with them on the go, outside the confines of the office. SMBs can protect mobile devices in several ways:

  • Require employees to password-protect their mobile devices.
  • Encrypt data just in case these devices are compromised.
  • Install specialized security apps to further protect information from hackers looking to intercept it on public networks.
  • Make sure employees have a way to quickly and easily report lost or stolen equipment.

7.) Not Having a Managed IT Service

Handling all your cybersecurity needs can be a chore, which is why managed IT services can help SMBs fill the gap so you can focus more on running your business.

Managed IT services like Cisco Meraki allow SMBs to protect against cyberattacks at scale with the help of Cisco Talos’ top security analysts. Our team will help you defend your systems from the latest security threats. The Talos team will work to bolster your incident response using the latest best practices and continually monitor your systems to respond to threats quickly.

If you’re looking for other ways to protect your SMB from emerging cybersecurity threats, our team is happy to work with you to find the right tools and best practices to protect your business. Contact a Cisco expert today, and we’ll uncover the right solutions for your specific security needs.

Ian Thompson

Leader, SMB Marketing

Americas Growth Marketing