New research underscores security weaknesses in small-to midsized businesses including a dependence on antiquated Microsoft operating systems, encryption misconfigurations, poor patching regimes, and reliance on outdated Exchange 2000 email servers.
The findings, published this week by Alert Logic, demonstrate how resource-strapped SMBs increasingly are vulnerable in the face of today's cyber threats.
Some 66% of SMB devices surveyed run Microsoft OS versions that are expired or will expire in the next six months. The majority of devices scanned by Alert Logic for the study currently run Windows versions that are more than 10 years old. Microsoft will discontinue support for Windows 7 and Windows 2008 Server on January 14, 2020.
"What we suggest is for [SMB] security pros to read the report, understand it, and then take the findings to their management so business executives can better understand why it's important to make an investment in security," says Jack Danahy, senior vice president for security at Alert Logic. "If they even do one thing, focusing on patching will make a big difference. They should also put a mitigation control in for better monitoring.”"
Alert Logic also found other weak security practices by SMBs:
According to the Alert Logic research, 42% of SMB security issues are related to encryption. While automated patching has helped to reduce the frequency of vulnerabilities, configuration remains a major issue. This includes misconfiguring SSL encryption, not configuring Amazon S3 buckets properly, and providing improper access credentials to employees.
Poor patching practices
75% of unpatched vulnerabilities among SMBs are more than one year old, according to the research. While automated updates have improved software patching, organizations are still having difficulty keeping up with all the updates.
Reliance on antiquated email servers
More than 30% of SMB email servers operate on unsupported software, according to the research. Despite email being the lifeblood of most companies, almost one-third of the top email servers detected were running Exchange 2000, which Microsoft stopped supporting nearly 10 years ago.
Frank Dickson, research vice president at IDC who focuses on security, adds that there are four practical steps that SMB can take to avoid security mishaps: make sure the company's operating systems and applications are current; patch regularly; download all the updates (new versions of software); and use some form of multifactor authentication, whether it's a finger scan, facial recognition, or an iris scan.
"So many of the problems can be solved by taking some common sense steps," he says.
AlertLogic's Danahy adds that many of the same problems existed 20 years ago, but people were less familiar with security issues.
"While I do think people underappreciate the complexity of an organization changing their operating system, I think we're at a point where people are starting to look at security differently," Danahy says. "The SMB folks recognize that security has become a serious challenge."