A clear, realistic and practical look at how to protect your business without being a technology expert
For many years, cybersecurity was seen as something distant, expensive and reserved for large companies. Something that happened in banks, multinationals or technology companies, but not in a hardware store, an accounting firm, an industrial SME or a service company. That idea is completely out of date. Today, technology cuts across every aspect of the business, from billing to customer communication, from payments to suppliers, from the owner’s cell phone to the administrator’s computer. And where there is technology, there is risk.
The problem is that most SMEs do not feel at risk. Not because they are irresponsible, but because they are focused on surviving, selling, paying salaries, meeting clients and dealing with day-to-day problems. In this context, thinking about cyberattacks seems like a luxury or an exaggerated concern. Until something happens. And when it happens, it is almost always too late.
Reducing the attack surface is not an exotic technical concept, nor a fad. It is simply a way of thinking about the business with a little more digital care. It is asking how many doors are open, how many keys there are, who has them and whether it really needs to be that way. It is not about distrusting everyone, but about understanding that human error exists, that technology fails and that digital criminals do not rest.
Most cyberattacks that affect SMEs are not sophisticated. They do not require advanced knowledge, nor do they target a specific company. They are massive, automatic, repetitive attacks. Bots that scour the internet looking for companies with weak passwords, outdated systems, open access or distracted employees. They are not looking for someone in particular; they are looking for whoever is most exposed.
And there appears the key word: exposure. A company can be small, but if it is very exposed, it is an easy target. Having many open accesses, many active accounts, many uncontrolled devices and many untrained people is equivalent to leaving the business door open all night and hoping no one walks in. Sometimes nothing happens. Until it does.
One of the most common mistakes is to think that security depends on one thing. An antivirus, a firewall, a technician who comes from time to time. In reality, security is a sum of small everyday decisions. Mostly human decisions, not technical ones. How passwords are used, how emails are handled, what is installed on computers, who accesses what information and what happens when someone leaves the company.
Passwords, for example, continue to be one of the biggest problems. Not because people don’t know they should be strong, but because real life pushes toward comfort. It’s easier to use the same password for everything. It’s easier to choose something simple. It’s easier to never change it. The problem is that criminals know this. And the first things they try are precisely those simple, repeated and predictable passwords.
When a password is leaked on the Internet, it doesn’t matter where it came from. It can be from a social network, an online store or a service that has nothing to do with work. If that password is reused for the company’s email or for an internal system, the attacker simply logs in with it; this automated reuse of leaked credentials is what the industry calls credential stuffing. You don’t need to hack anything. The door was already open.
Something similar happens with email. Email is, today, the most used work tool and at the same time the most dangerous. Not because email is insecure, but because it’s easy to fool people. A message that seems legitimate, a fake invoice, a delivery notice, a supposed resume, an attachment that generates curiosity. All it takes is for one person to click where it doesn’t belong and the problem begins.
In SMEs, in addition, something very particular usually happens: everyone does a little of everything. The owner responds to emails, the administrator downloads files, the accountant receives documentation, the salesperson uses their personal cell phone for work. This mix of roles and devices multiplies the risk. Not because someone does something wrong on purpose, but because no one can pay attention all the time.
Reducing the attack surface, in this context, does not mean distrusting employees or limiting work. It means putting things in order. Knowing what is used, what it is used for and who uses it. It means eliminating what is no longer useful and better protecting what is necessary.
Many companies, for example, still have active accounts belonging to people who no longer work there. Email addresses that continue to work, access to systems that was never deactivated, shared passwords that no one remembers who still uses. Each of those accounts is an open door. And many times no one knows until something strange happens.
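One way to turn that review into a routine check, as an added example that is not part of the original article: a short Python script that compares an export of user accounts with the current staff list and flags accounts that belong to people who have left, accounts with no named owner (shared or service accounts), accounts unused for more than 90 days, and accounts that were created but never used. The sample export, the staff roster, the column names and the 90-day threshold are constructed assumptions; adapt them to whatever your email or identity system can export.

```python
"""Review of user accounts against the current staff list.

Added example, not part of the original article. The account export and the
staff roster below are constructed sample data; the column names and the
90-day inactivity threshold are assumptions, adjust them to your own systems.
"""
import csv
import io
from datetime import datetime

# Constructed sample export from an email/identity system: one row per account.
ACCOUNTS_CSV = """\
username,owner,last_login,enabled
ana.perez,Ana Perez,2024-05-28,yes
juan.gomez,Juan Gomez,2024-01-10,yes
ventas,,2023-11-02,yes
maria.lopez,Maria Lopez,,yes
carlos.diaz,Carlos Diaz,2024-05-30,no
"""

# Constructed current staff list, e.g. taken from payroll.
CURRENT_STAFF = {"Ana Perez", "Maria Lopez", "Carlos Diaz"}

INACTIVE_DAYS = 90  # assumed threshold: no login in this many days is suspicious


def review_accounts(accounts_csv, current_staff, today_str, inactive_days=INACTIVE_DAYS):
    """Return a dict of findings; each key is a category, each value a list of usernames.

    today_str is the review date as YYYY-MM-DD, so the result is reproducible.
    """
    today = datetime.strptime(today_str, "%Y-%m-%d").date()
    findings = {"departed": [], "shared": [], "inactive": [], "never_used": []}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "yes":
            continue  # already disabled; nothing left to close
        user = row["username"].strip()
        owner = row["owner"].strip()
        if not owner:
            findings["shared"].append(user)      # no named owner: shared or service account
        elif owner not in current_staff:
            findings["departed"].append(user)    # owner is no longer on the roster
        last = row["last_login"].strip()
        if not last:
            findings["never_used"].append(user)  # created, never logged in
        else:
            last_login = datetime.strptime(last, "%Y-%m-%d").date()
            if (today - last_login).days > inactive_days:
                findings["inactive"].append(user)
    return findings


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS_CSV, CURRENT_STAFF, "2024-06-01")
    for category, users in report.items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Each flagged account is a decision to make, not an automatic deletion: a shared account such as the sales mailbox may be legitimate, but it should have a named person responsible for it and a password that is changed when that person changes. Running this comparison every month, or every time someone leaves, is what keeps the list of open doors short.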
Another common problem is the use of personal devices for work. Cell phones, notebooks, tablets. It is not a bad thing in itself, but if these devices have no protection at all (no screen lock, no disk encryption, no current updates), if they are connected to public networks, if they are lost or stolen, the company’s information is exposed. No one needs to want to steal the data. All it takes is for a device to fall into the wrong hands.
Added to this is something that usually generates resistance: updates. Many SMEs postpone system and program updates because “they work just fine” or because they fear that something will stop working. The problem is that many of those updates fix known security flaws. Flaws that attackers already know how to exploit, often automatically, within days of the fix being published. Not updating is like knowing a lock is broken and deciding not to fix it.
The attack surface also grows when more tools are used than necessary. Systems that were tried out and never removed, online services that are no longer used, access that was granted “just in case.” Every extra tool is another place where something can go wrong. The simpler and more orderly a company’s technological ecosystem is, the easier it is to protect.
But perhaps the most important point, and the least talked about, is training. Not in technical terms, but in digital common sense. Teaching people to be suspicious, to ask, to not be afraid to say “this seems strange to me.” Creating a culture where it is okay to ask before you click. Where mistakes are not punished but learned from.
Many SMEs suffer attacks because someone was too embarrassed to ask. Because they thought it would be annoying. Because they thought it was obvious. Security does not fail because of bad intentions; it fails because of silence.
Reducing the attack surface also means accepting that not everything can be controlled, but you can be better prepared. Having backups, for example, is one of the simplest and most important decisions. And yet many companies don’t have them or don’t know whether they work. A backup that has never been restored, even as a test, is not known to work, and a copy that is permanently connected to the same computer or network can be encrypted or deleted by the same attack that destroys the original. Until one day they lose everything.
Backup is not an expense. It’s insurance. And like all insurance, it seems unnecessary until it is needed. When a company understands that cybersecurity is not a product but a process, everything changes. It stops looking for magic solutions and starts making constant small adjustments. It stops reacting and starts preventing. It stops thinking “it won’t happen to me” and starts thinking “what can I do to make it less likely.”
Reducing the attack surface does not require expertise. It requires paying attention. It requires order. It requires simple decisions, sustained over time. Close access that is not used. Use strong, unique passwords. Train people. Keep systems updated. Keep backup copies and check that they can be restored. And, above all, understand that digital security today is part of the business, not something separate.
The SMEs that survive and grow are not those that do not have problems, but those that are best prepared to face them. In an increasingly digital world, taking care of information, systems and people is taking care of the heart of the business. Because at the end of the day, the question is not whether someone is going to try to get in. The question is how easy we are making it for them.
by Maximiliano Ripani, Solution Architect & Pre-Sales Engineer at ZMA IT Solutions

