
Fraud, Cyber and Security Smarts: Cybersecurity Awareness Month Q&A—Part 4 

Wednesday October 29th, 2025

Estimated time to read: 4 minutes, 45 seconds


Small and mid-sized businesses (SMBs) continue to face the same sophisticated cybersecurity risks as large enterprises, but often without the same level of resources or expertise. Effective cybersecurity requires more than damage control after an attack; it demands strategic planning, proactive prevention and a commitment to sustaining policies and procedures over time.  

While large enterprises have teams dedicated to defense, SMBs must be deliberate in their approach. By embedding preventive measures into daily operations and continuously refining them, SMBs can build lasting resilience against evolving cyber threats. 

In this fourth and final installment of our cybersecurity awareness month series, we take a step back to look at the bigger picture: how organizations can strengthen their overall cybersecurity posture through proactive, sustainable measures.  

Whether you’re a growing company looking to establish foundational safeguards or a more mature organization refining your security strategy, this segment offers actionable insights to help you protect your data, people and reputation in a rapidly evolving digital age.

Q. What are the key risks organizations should keep in mind when adopting artificial intelligence (AI)-driven tools in their security programs?

There are several key areas that organizations should investigate when adopting AI-driven tools, including: 

  1. Data privacy and compliance: This is one of the largest concerns companies face when implementing AI-driven tools in their infrastructure. AI often processes very sensitive personally identifiable information (PII). Poor data handling can lead to breaches or privacy violations that do not comply with relevant regulations and requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). It is important to know what data the AI tool is accessing and make sure there are guardrails in place to limit exposure to data that should be off limits. 
  2. Lack of transparency: It is often difficult to know or understand the technology behind the AI models and whether customer data is being used to train and improve the model. Asking critical questions to learn how the AI software is developed (in-house vs. a third-party tool, such as Azure OpenAI) is essential. One way to do that is to create a vendor risk assessment program and require all third-party vendors to complete security questionnaires.
  3. Bias and inaccurate results: AI has the potential to produce unfair or prejudiced outcomes due to flaws in its training data or algorithms. Verify that bias mitigation tools are implemented in the AI models. AI hallucination can also occur when the models generate factually inaccurate or even fabricated results. One way to mitigate these risks is for AI companies to integrate their models with a real-time knowledge base to ground the responses. Additional ways to mitigate bias include diverse datasets, fairness audits and human oversight.

Q. How, if at all, does company size influence the likelihood or severity of a data breach?

isolved’s cybersecurity team frequently researches data breaches on the dark web. Lately, we are seeing that company size is not a factor in the likelihood or severity of a breach. However, there has been an uptick in attacks on SMBs. This is most likely due to the lack of cybersecurity resources and technical controls in place.

Q. Beyond size, what other organizational factors increase vulnerability to cyberattacks?

The top organizational factors that contribute to data breaches are: 

  1. Phishing emails and an untrained workforce: Poorly trained employees are a soft target for phishing emails from bad actors. It is critical to train your workforce using security awareness training programs and phishing simulation exercises. Phishing emails can lead to malware spreading throughout an organization and to data breaches. Implementing an email security provider, such as Proofpoint, Mimecast or Abnormal, can block many of these phishing emails before they reach the inbox.
  2. Clicking on malware: Malicious software and viruses can be delivered not only through phishing emails, but also through compromised websites or infected downloads.
  3. Outdated software and legacy systems: Outdated software and legacy systems with known vulnerabilities are a common entry point for cyberattacks. Always upgrade to the latest operating system and make sure all company software and dependencies are updated to the latest version.
  4. Exposed RDP ports: Remote desktop protocol (RDP) can often lead to data breaches if its ports are left publicly accessible on the internet. Hackers can use tools like Shodan.io to find these open RDP ports, target an SMB’s server and deploy malware after gaining access.
  5. Weak passwords: A strong password is hard to guess, contains numbers and special characters and is at least 16 characters long. Passphrases are highly recommended because they can be the most difficult for bad actors to crack. Most companies and account creation processes enforce the above requirements.
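As an added illustration of item 5 (not code from the isolved post), the script below checks a candidate password against the rules the answer lists (hard to guess, digits, special characters, at least 16 characters) and works through the search-space arithmetic that makes a long passphrase harder to brute-force than a short "complex" password. The deny list and the 7,776-word passphrase dictionary size are assumptions; a real deployment would check against a breached-password feed.

```python
"""Password policy check and search-space comparison (constructed example)."""
import math
import re
import string

# Constructed deny list standing in for a real breached-password feed.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 16  # the minimum length stated in the post


def check_password(pw: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # "Hard to guess": reject known passwords and runs of four or more identical characters.
    if pw.lower() in COMMON_PASSWORDS or re.search(r"(.)\1{3,}", pw):
        problems.append("easy to guess")
    return problems


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random choice: log2(alphabet_size ** length).

    Length is the exponent, so adding symbols (or words) grows the search space
    far faster than enlarging the alphabet does.
    """
    return length * math.log2(alphabet_size)


# An 8-character password over the 94 printable ASCII characters ...
COMPLEX_8_BITS = search_space_bits(94, 8)
# ... versus a 5-word passphrase drawn from a 7,776-word list (assumed size),
# which at roughly 30 characters also clears the 16-character minimum.
PASSPHRASE_5_BITS = search_space_bits(7776, 5)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct-horse-battery-staple-42!"):
        print(candidate, check_password(candidate) or "OK")
    print(f"8-char complex: {COMPLEX_8_BITS:.1f} bits; "
          f"5-word passphrase: {PASSPHRASE_5_BITS:.1f} bits")
```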

Q. How can SMBs realistically manage the administrative safeguards (i.e., access controls, vendor risk management, policies, etc.), and when should they consider leaning on outside partners?

If an SMB does not have the financial resources to staff a full cybersecurity team, it should consider hiring an outside managed security service provider that offers 24/7/365 support. SMBs will likely need to engage an IT security organization to set up their environment with the necessary tools, such as antivirus/anti-malware on all laptops and computers, firewalls and email security.

Q. What practical steps can leaders take to close gaps in resources and skills, especially in SMBs?

One practical way to close the gap in technical skills is for an SMB to upskill or educate their own workforce. This can be done with outside certification programs offered by companies like Microsoft, Amazon Web Services (AWS) or even local community colleges. Companies can also provide educational webinars and send their employees to conferences to learn about new technologies.  

Q. What key features should SMBs specifically look for when evaluating a cyber insurance policy?

Prior to evaluating any cyber insurance policy, companies should first identify the types of sensitive information that they store or process, such as PII and credit card data. Next, they should assess the financial impact on their organization, including direct costs (e.g., system repairs, data recovery and incident response) and indirect costs (e.g., harm to a company’s brand), which could lead to financial loss resulting from customer churn.

When evaluating cyber insurance, a company should look for these key items: 

  1. Business interruption coverage: Cybersecurity incidents can cause operations to halt for days and even weeks. This can be very costly, especially for SMBs. Explore the insurer’s business interruption coverage and limits. 
  2. Legal fees: Legal costs and regulatory fines from data breaches can be damaging. Carefully review clauses in the cyber insurance company’s contract, specifically if they have any exclusions, especially for intentional acts. 
  3. Ransomware: With ransomware attacks on the rise, make sure your policy does not limit payouts or require special approval from the insurer. The decision to pay a ransomware group is something that should be carefully discussed with your organization’s legal team.

Sustainable cybersecurity isn’t a one-time project; it’s a continuous effort to prevent future attacks and safeguard long-term business integrity. For SMBs, that means treating cybersecurity as an ongoing investment—one that evolves alongside your people, processes and technology. By regularly reviewing risks, updating policies and engaging trusted partners, businesses can stay prepared, not just protected. When cybersecurity becomes part of how a business thinks, operates and grows, prevention becomes second nature and resilience a shared responsibility. 

To stay in the know about the latest fraud, cyber and security trends, connect with fellow human resources (HR), payroll, benefits and talent professionals in the isolved People Heroes Community.


Disclaimer: The information provided herein is for general informational purposes only and is not intended to be legal, investment or tax advice. It is not a substitute for professional legal, investment or tax advice, and you should not rely on it as such. No attorney-client or accountant-client relationship or any other kind of relationship is formed by any use of this information. The effective date of various provisions, amendments, and regulatory guidance may impact eligibility. The accuracy, completeness, correctness or adequacy of the information is not guaranteed, and isolved assumes no responsibility or liability for any errors or omissions in the content. You should consult with an attorney, investment professional or tax professional for advice regarding your specific situation. 
