SMB security essentials: Layer up security defense

By Johannes Wiklund
[Image: a "yes we're open" sign on a door. Image via Unsplash]

September 8, 2023

Over the past two decades, many small and medium-sized businesses (SMBs) have outsourced all things cybersecurity to a third-party managed security services provider (MSSP). The tradeoff has often been giving up strategic thinking about the company's own risk.

In today’s operational environment, infused with SaaS sprawl and multi-cloud hosting, the risks are everywhere and could blindside companies that don’t take a closer look at their cyber defenses. Once a company has grown to about 50 or so employees, it’s time to move beyond cookie-cutter solutions and dedicate some time to reviewing security posture. What follows are some concrete ideas for SMB IT and security personnel to examine to ensure they are effectively building a multi-faceted defense at the right level of maturity.

Beyond layered defense

The traditional approach to cybersecurity has been the layered defense model, which focuses on setting up protections at the various system layers (i.e. data, server, network and application). These layers were often compared to a series of moats and castle walls that shielded sensitive data from outside attacks.

But this model needs an update to account for the fact that not all assets are inside the castle anymore, and that not all attacks come from the outside.

For example, most small or medium-sized businesses today rely on popular solutions like Microsoft Office 365, Google Workspace, Slack and other software for everything from email communication to sales support and financial accounting.

Nearly every competitive product in these categories has one thing in common: it runs in the cloud, outside the moat and castle walls, and is reachable from anywhere on the internet. If an employee is careless with a password, an attacker who obtains it can simply log in as that insider and take control of sensitive data.

For this reason, the traditional layered defense model needs to be expanded to include less-technical protections related to people and processes, such as awareness training, password policies and software compliance standards. But it’s not enough to have the bare minimum security in each layer. SMBs need to examine the maturity of each layer of defense, and then reinforce these controls to defend their company.

“Layer up” 

This is done by increasing the level of sophistication of each layer through a mix of people, process and technology controls. The effectiveness of a layered security strategy depends on an appropriate investment in technology, solid repeatable processes, and appropriately trained and risk-aware staff. The graphic below depicts how these layers reinforce each other to guard company data against various threats.

Passwords and phishing prevention

People can be a company’s best asset, or its weakest link. They are also typically the first layer of defense. To play that key defensive role, employees need to possess general risk and security awareness as well as a level of vigilance that can only be gained through effective training. And most may not be aware of how simple changes in their behavior can significantly improve the company’s overall security posture.

The first mission is to ensure people choose unique and long passwords, at least 16 characters, for all their cloud services. The password must not have been used anywhere else, whether for business or on personal websites. Where a service offers multi-factor authentication, turn it on as well: a long password limits guessing, and a second factor limits the damage when a password leaks anyway.

Why? Two facts about passwords today drive this. First, cheap and fast computing power makes password cracking routine. Against the fast hash algorithms many systems still use, a single consumer graphics card tests billions of candidates per second, so an eight-character password that looks "complex" on paper falls in hours to days, while a sixteen-character one is out of reach. Each successful guess is worth a lot to an attacker, and there is little cost to keep trying.

Second, after years of breaches at popular websites, most people have had at least one password leaked. Attackers routinely replay those leaked credentials against other services (credential stuffing), so a password shared between a personal site and a business account turns that site's breach into the company's.

Including numbers and special characters helps somewhat, but it is length that makes a password hard to guess by computer: every extra character multiplies the search space, while a substituted symbol only adds a few possibilities. Once employees have a long, unique password, do not force them to change it on a schedule; forced rotation pushes people toward predictable variants of the old password, and current guidance (NIST SP 800-63B) is to require a change only when there is evidence the password has been compromised. Advise users to pick a memorable yet unique passphrase and stick with it.
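To make the length argument concrete, here is an added example (not code from the article or from Jotform) of the two checks a sign-up or password-change form should run: a rough search-space estimate showing why a 16-character lowercase passphrase beats an 8-character "complex" password, and a lookup against a breach corpus. The breached-password set, the 16-character minimum and the `evaluate` helper are assumptions for illustration; a real deployment would load the Have I Been Pwned list or query its k-anonymity API.

```python
import hashlib
import math
import re

MIN_LENGTH = 16

# Constructed stand-in for a breach corpus (for example a Have I Been Pwned
# download). Such lists are distributed as SHA-1 digests, so store them that way.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Summer2023", "letmein", "Welcome1", "P@ssw0rd")
}


def search_space_bits(password: str) -> float:
    """Upper bound on the brute-force search space, in bits: length * log2(charset).

    The charset is inferred from the character classes actually present, which is
    what an attacker who knows the policy has to cover. It estimates policy
    strength, not how guessable one particular string is (dictionary words and
    keyboard walks fall far faster than this suggests).
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(charset) if charset else 0.0


def is_breached(password: str) -> bool:
    """Look the candidate's SHA-1 up in the breach set.

    Against the live HIBP API you would send only the first five hex characters
    of the digest (k-anonymity) and match the returned suffixes locally; offline,
    a full-digest lookup is the same check.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def evaluate(password: str, used_on_other_accounts=frozenset()) -> list[str]:
    """Return the policy failures for a candidate (empty list means accepted).

    `used_on_other_accounts` is a hypothetical set of the user's other business
    passwords (in practice you would compare hashes, never plaintext). Reuse on
    personal sites cannot be checked this way; the breach lookup is what catches
    those once the site leaks.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    if password in used_on_other_accounts:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # A 16-character lowercase passphrase beats an 8-character "complex" password
    # on search space alone: about 75 bits versus about 53 bits.
    for pw in ("Xk9#pL2!", "purplehorsedance", "Password1!"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, problems={evaluate(pw)}")
```

The point of the numbers is not that 75 bits is "enough" but that adding eight lowercase characters did more than adding four character classes; against offline cracking, a memorable four-word passphrase is the cheaper win for users and the more expensive one for attackers.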

The second easy but mandatory step is to give users some basic phishing education. According to Deloitte, 91% of breaches start with an email.

Threats that enter an organization through email range from ransomware to financial scams to password theft, and today's phishing emails are far better at enticing employees to click links or fill out forms that give away sensitive data. To the untrained eye it can be difficult to separate scams from legitimate business email. Training should therefore cover the handful of checks that catch most of it: whether the sender's actual address matches the name displayed, where a link really points before it is clicked, whether replies are routed to a different address, and whether any request for credentials, a payment change or gift cards has been verified through a second channel. Give employees a low-friction way to report a suspected phish, and treat reports as a success rather than a nuisance.
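As an added example, not part of the article, the same checks employees are taught can be run by software over incoming mail. The script below parses two constructed messages (one phish, one legitimate) and reports the indicators found: a sender domain one character away from the company's, a Reply-To pointing elsewhere, and link text that shows one domain while the href goes to another. `COMPANY_DOMAIN`, the sample messages and the `.invalid` hostnames are assumptions; the heuristics are deliberately simple and are a training aid, not a substitute for a mail gateway.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed: the SMB's own mail domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (crude: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL or of a bare domain written without a scheme."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def phishing_indicators(raw: bytes) -> list[str]:
    """Return the indicator codes found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_hdr = msg["From"]
    if sender_hdr is None or not sender_hdr.addresses:
        return ["missing-from"]
    sender = sender_hdr.addresses[0]
    sender_domain = sender.domain.lower()
    findings = []
    # 1. Sender domain is a near-miss of ours (examp1e.com, exarnple.com, ...).
    if 0 < levenshtein(registrable(sender_domain), COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-sender-domain")
    # 2. Display name smuggles in a different address: "ceo@example.com" <x@gmail.com>.
    m = re.search(r"@([\w.-]+)", sender.display_name)
    if m and m.group(1).lower() != sender_domain:
        findings.append("display-name-spoof")
    # 3. Replies silently go somewhere other than the sender's domain.
    reply_to = msg["Reply-To"]
    if reply_to and any(a.domain.lower() != sender_domain for a in reply_to.addresses):
        findings.append("reply-to-mismatch")
    # 4. Link text shows one domain while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if looks_like_url(text) and registrable(host_of(text)) != registrable(host_of(href)):
                findings.append("link-text-mismatch")
    return findings


# Constructed sample messages, not real mail. ".invalid" is a reserved TLD.
PHISH = b"""\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: bob@example.com
Subject: Urgent: wire transfer today
Content-Type: text/html; charset="us-ascii"

<html><body><p>Bob, please update the beneficiary details at
<a href="https://secure-portal.attacker.invalid/login">https://portal.example.com</a>
before 5pm.</p></body></html>
"""

LEGIT = b"""\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Expense report reminder
Content-Type: text/html; charset="us-ascii"

<html><body><p>Bob, please submit last month's expenses in
<a href="https://expenses.example.com/">the expense tool</a> by Friday.</p></body></html>
"""
```

Running `phishing_indicators(PHISH)` returns three codes and `phishing_indicators(LEGIT)` returns none. Each rule maps to one thing a trained employee looks at; the value of writing them down is that they can be turned into a banner on the message ("sender domain resembles ours but is not ours") at the moment the employee is deciding whether to click.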

Compliance frameworks and device standards

Most SMBs end up with a dozen or so cloud software subscriptions. In fact, by 2025 enterprises will spend more on public cloud services than on traditional IT solutions, according to Gartner. With everything provided "as a service", SMB managers should demand more from the service. Specifically, they should ask their cloud service providers which standards and compliance frameworks they follow (SOC 2 and ISO/IEC 27001 are the common ones) and ask to see the audit report or certificate rather than a marketing page.

By choosing cloud service providers with solid data processing controls in place, SMBs can often "inherit" parts of those controls, such as physical data center security or encryption at rest, or leverage them in a way that helps ensure their own compliance. But responsibility is shared, not transferred: an SMB cannot truly outsource its compliance. The provider secures the platform, while the customer remains responsible for how accounts, permissions, sharing settings and data are configured on it, and security leaders are still accountable for ensuring compliance end to end.

Another important security control is to set standards for computing and mobile equipment. Imagine a 50-person company that has grown over time and may have issued employees three different brands of computing devices depending on their start date, and even allowed some employees to use their own device for business purposes. While it is tempting to let employees bring their own devices, especially mobile devices, and then let them access corporate data on those devices, this increases the attack surface and can be a costly mistake if not properly managed.

Personal mobile devices are often the source of a business email or sensitive data compromise: users may unknowingly install malicious apps on their phones and grant those apps access to the phone's contact list, email client or even corporate document repositories. And when an employee leaves, it can be difficult to ensure they no longer have access to corporate email. Mail clients that use legacy protocols such as IMAP or POP3 with a stored password or app password, or that hold long-lived sign-in tokens, may keep syncing until those credentials and sessions are explicitly revoked, so the offboarding checklist should include revoking sessions and app passwords, not just disabling the account.

A good solution, if feasible, is to issue corporate-owned mobile devices to employees who need roaming access to any company data. If that is not possible, the next best choice is a mobile device management (MDM) or mobile application management (MAM) tool that installs a small management profile on the device and lets an administrator remove company data with a single click, a selective wipe that leaves the employee's personal data alone. These tools have the side benefit of showing whether devices are running the latest security-patched version of the operating system, and they are available for both laptops and phones. Setting the right minimum patch levels and system standards for devices that access sensitive data, and enforcing them so that a non-compliant device is denied access, is a strong process layer control that reduces the risk of compromised data.
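As an added example, not from the article or any MDM product, here is the policy logic behind "minimum patch level plus managed device" expressed in Python over a constructed device inventory: it reports why each device fails the standard, turns that into an allow/block decision for access to sensitive data, and lists what can be wiped when an employee leaves. The platform baselines in `MINIMUM_OS`, the `Device` fields and the inventory are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed policy: minimum OS version per platform. Set these to whatever the
# company decides is its supported, patched baseline; the values are placeholders.
MINIMUM_OS = {
    "ios": "17.0",
    "android": "13",
    "macos": "14.0",
    "windows": "10.0.19045",
}


@dataclass
class Device:
    device_id: str
    owner: str               # employee username
    platform: str
    os_version: str
    managed: bool            # enrolled in MDM/MAM, so a selective wipe is possible
    corporate_owned: bool
    sensitive_access: bool   # configured for company mail or document repositories


def version_tuple(v: str, width: int = 4) -> tuple:
    """'10.0.19045' -> (10, 0, 19045, 0); zero-padded so '13' and '13.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def compliance_problems(d: Device) -> list[str]:
    """Why this device fails the device standard (empty list means compliant)."""
    problems = []
    minimum = MINIMUM_OS.get(d.platform)
    if minimum is None:
        problems.append(f"unsupported platform {d.platform}")
    elif version_tuple(d.os_version) < version_tuple(minimum):
        problems.append(f"{d.platform} {d.os_version} below minimum {minimum}")
    if d.sensitive_access and not d.managed:
        problems.append("unmanaged device with access to sensitive data")
    return problems


def access_decisions(inventory: list[Device]) -> dict[str, str]:
    """device_id -> 'allow' / 'block' for sensitive data ('n/a' if it has none).

    This is the decision a conditional-access or MDM compliance rule enforces.
    """
    decisions = {}
    for d in inventory:
        if not d.sensitive_access:
            decisions[d.device_id] = "n/a"
        else:
            decisions[d.device_id] = "block" if compliance_problems(d) else "allow"
    return decisions


def offboarding_actions(inventory: list[Device], leaver: str) -> list[tuple[str, str]]:
    """Devices to act on when `leaver` departs.

    Managed devices can be wiped; an unmanaged personal device cannot, so the
    only lever left is revoking its credentials and sessions on the server side.
    """
    actions = []
    for d in inventory:
        if d.owner != leaver:
            continue
        if d.corporate_owned and d.managed:
            actions.append((d.device_id, "full wipe and recover"))
        elif d.managed:
            actions.append((d.device_id, "selective wipe of company data"))
        else:
            actions.append((d.device_id, "cannot wipe: revoke tokens and passwords server-side"))
    return actions


# Constructed inventory for a small company (columns follow the Device fields).
INVENTORY = [
    Device("lap-001", "alice", "macos", "14.4", True, True, True),
    Device("lap-002", "bob", "windows", "10.0.19044", True, True, True),
    Device("phone-003", "bob", "ios", "16.7", False, False, True),
    Device("phone-004", "carol", "android", "14", True, False, True),
    Device("tablet-005", "carol", "ios", "15.0", False, False, False),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.device_id, access_decisions([d])[d.device_id], compliance_problems(d))
    print(offboarding_actions(INVENTORY, "bob"))
```

Note the two different outcomes for Bob's devices: the corporate laptop is only one build behind the baseline and is blocked until patched, while his personal phone is both out of date and unmanaged, so when he leaves the only remedy is server-side revocation, which is exactly the gap the article warns about.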

The “Layer up” model is more of an approach than a prescription. Companies should perform a gap analysis to see where their biggest deficiencies are and how to level up each layer. 

KEYWORDS: cyberattack, cybersecurity and business, cybersecurity assessment, small and medium business (SMB) security, small business security


Johannes Wiklund is Head of Information Security at Jotform.
