IT 自動化路線圖：實現可持續業務增長

—

第一層：基礎自動化 — 馴服重複性任務

當公司規模尚小時，逐一處理建立使用者帳戶或設定筆記型電腦等任務是可行的。但當您的員工人數從 20 人增長到 200 人時，這種手動方法將會造成混亂。

基礎自動化是第一步，也是最關鍵的一步。它的目標是處理那些消耗團隊時間和精力的高頻率、低複雜度的任務。透過將這些例行工作自動化，您可以減少人為錯誤、確保一致性，並釋放您的團隊，讓他們專注於更具策略性的專案。

基礎自動化的「快速見效」項目：

• 自動化使用者旅程：將您的身分供應商與您的人力資源資訊系統 (HRIS) 同步。這能確保新進員工在第一天就獲得所需權限，並在他們離職時立即撤銷權限——從而彌補一個主要的安全漏洞。
• 零接觸裝置設定：無需 IT 人員接觸硬件，即可自動配置和部署新裝置，並套用正確的設定、軟體和安全策略。
• 自動化政策強制執行：在您的所有裝置上自動應用並強制執行磁碟加密、密碼複雜度和螢幕鎖定計時器等安全政策，以維持合規性。

—

第二層：流程串聯 — 統一您的技術堆疊

一旦個別任務實現自動化，下一個成熟度層次就是跨不同系統串聯流程。大多數組織都苦於「技術擴散 (tech sprawl)」——由各種互不相連的工具拼湊而成，造成了資訊孤島和營運摩擦。

這迫使 IT 團隊浪費時間在系統之間手動核對數據。事實上，平均每個組織使用 9.3 種不同的工具來執行核心 IT 功能，但只有 19% 的組織表示已實現完全統一的環境。這個層次旨在彌合這些差距，為使用者、裝置和存取權限建立一個單一事實來源 (single source of truth)。

此階段的關鍵舉措包括：

• 深度整合 HRIS 與 IAM：超越基本的同步。建立直接的連結，使您 HR 系統中的狀態變更（如晉升或部門調動）能自動觸發所有關聯應用程式中正確的權限更新。
• 整合您的工具：透過將功能重疊的工具整合到一個統一的平台中，來逆轉技術擴散。這能降低複雜性、減少成本，並透過集中管理和可視性來提升您的安全態勢。

—

第三層：智慧化協作 — 從被動反應到主動預防的 IT

自動化成熟度的最高層次，是將 IT 從一個被動的支援部門，轉變為一個積極主動的策略夥伴。在這個階段，由業務事件自動觸發完全協調、數據驅動的工作流程，讓您的 IT 環境能夠動態地應對不斷變化的情況。

這種先進的協作模式能夠預測需求，並在風險影響業務之前就將其化解，其背後通常由現代化的數據管道和機器學習技術所驅動。

智慧化協作環境的關鍵能力包括：

• 自動化事件應變：當發生可疑登入等安全事件時，系統會在幾秒鐘內（而非數小時）自動觸發應對工作流程，例如將裝置從網絡中隔離或鎖定使用者帳戶。
• 適應性存取控制：採用零信任 (Zero Trust) 理念，動態地做出存取決策。使用者的權限可以根據其位置、裝置的安全狀態或異常行為進行即時調整。
• 預測性分析：利用 AI 和機器學習來預測硬件故障，或識別可能預示新興安全威脅的模式，讓您在問題導致停機前就加以解決。

—

通往可持續成長之路

《MSP的信任藍圖：將網絡安全框架轉化為您的競爭優勢》

在一個擁擠的市場中，您該如何具體證明您的MSP（託管服務供應商）真正致力於安全？對於英國和澳洲的MSP來說，答案就在於政府支持的安全框架，它們能將最佳安全實踐轉化為您最強大的業務差異化優勢。

像是英國的「網絡基礎安全認證 (Cyber Essentials)」和澳洲的「八大關鍵策略 (Essential Eight)」等框架，可能看起來只是又一道合規的障礙。但如果您不把它們看作是一張檢查清單，而是視為一個能將您的安全技術堆疊標準化、建立客戶堅定信任並解鎖新收入的策略藍圖呢？

本指南將為您剖析這些框架的意義、比較其異同，並說明您如何利用它們來建立一個更安全、更成功的MSP。

英國的標準 playbook：解密Cyber Essentials (CE) 與 CE Plus

對於英國的MSP而言，由英國國家網絡安全中心 (NCSC) 推出的Cyber Essentials是網絡防禦的基礎標準。它旨在防禦最常見的網絡威脅，並建立在五項關鍵技術控制之上：防火牆、安全組態設定、使用者存取控制、惡意軟件防護及修補程式管理。

• Cyber Essentials (CE)

  一份自我評估，用以證明您已具備必要的防護措施。

• Cyber Essentials Plus (CE+)

  更進一步，由獨立的稽核員進行實地的技術稽核，以證明您的控制措施確實有效，從而提供更高層級的保證。

這對您的MSP為何重要？這不僅關乎您自己…您的客戶同樣在意。

對您的客戶而言，CE是您在安全方面盡職調查的清晰標誌。對您的MSP而言，它是一個策略工具。CE提供了一個信譽卓著的基準，讓您可以將安全服務標準化、簡化營運流程並建立不容置疑的信任。至關重要的是，它通常是英國政府及國防部供應鏈中企業的強制性要求，為您打開通往高價值新合約的大門。

澳洲的基準：理解Essential Eight

在澳洲，澳洲網絡安全中心 (ACSC) 則提供了Essential Eight。這並非一次性的證書，而是一個成熟度模型，旨在指導組織在三個不同的成熟度級別上實施其八項關鍵控制措施。

Essential Eight因其務實、貼近真實世界的焦點而備受推崇，它專注於緩解當今最普遍的威脅，從機會主義的勒索軟件到複雜的針對性攻擊。

全球洞察：打造一個「集兩者之大成」的安全標準

雖然這些框架在世界的兩端各自發展，但它們有著相同的DNA，都優先考慮如修補漏洞、保護組態設定和限制管理員權限等關鍵控制措施。

然而，真正的洞見來自於它們的差異。Essential Eight在三個領域上特別強調，英國的MSP可以採納這些領域來打造更具韌性及更高價值的服務：

1. 應用程式控管

   主動防止未經批准或惡意的程式執行。

2. Microsoft Office巨集強化設定

   封鎖或審查來自網絡的巨集，這是勒索軟件常見的攻擊途徑。

3. 強制性每日備份

   確保透過每日備份重要資料、軟件和組態設定，您能從任何事件中迅速恢復。

透過整合這些原則，兩國的MSP都能建立一種超越單純合規的安全態勢，並提供卓越的保護。

MSP的執行引擎：您達成可規模化合規的工具組

理解框架是一回事；在您所有客戶群中一致地實施它們則是另一回事。這正是統一平台對於效率和執行力變得至關重要的原因。

• 在每個端點上強制執行合規

  真正的合規要求在每台裝置上都有一致的政策執行力，無論其位置或作業系統為何。使用集中的裝置管理解決方案，您可以強制執行磁碟加密、作業系統更新和螢幕鎖定等安全設定，確保每個端點都符合框架要求。

• 保護每個身分

  兩個框架都極力強調控制存取權限。現代化的方法是結合身分與存取管理(IAM) 來執行「最低權限原則」。正如我們的合作夥伴The Light的Chris Pearson所言，這正是MSP看到最直接效益的地方：

從合規負擔到競爭優勢

Cyber Essentials和Essential Eight不僅僅是證書。它們是策略性框架，賦予您能力去將服務標準化、教育客戶您所提供的價值，並以具體的方式證明您的安全資質。

了解標準與大規模執行標準之間的差距，正是MSP贏得新業務或被市場淘汰的關鍵所在。而這正是JumpCloud for MSPs旨在彌合的差距。

JumpCloud的平台將身分與存取管理 (IAM) 和裝置管理整合到單一的統一解決方案中。這消除了使用由零散工具拼湊而成的系統的需求，讓您可以透過單一管理平台，有效率地執行兩個框架中最關鍵的控制措施：

• Cyber Essentials

  無縫管理使用者存取控制、修補程式管理和安全組態設定。

• Essential Eight

  強制執行應用程式控管、管理特權存取並保護端點。

透過將這些框架與統一平台嵌入到您的服務交付中，您不僅僅是打勾了事——您正在建立一個更安全、更具韌性且利潤更高的MSP。正如另一位合作夥伴FIFUM的Chris Notley所說。

Passwords are the bane of user and admin existence.

Keeping track of hundreds of passwords is tough, and employees inevitably forget them. When that happens, they’re frustrated that they can’t access the tools they need to do their job, and IT teams waste their precious time on lock-out tickets.

To circumvent this aggravating process, many employees create simple passwords or reuse them, which threatens their employer’s security and puts customer data at risk.

Many IT teams try to mitigate these issues by implementing single sign-on (SSO) or a password manager. But using just one or the other can still put a burden on IT and leave the company vulnerable to breaches. 

What organizations really need is a unified approach to access that will enforce password health while allowing IT to control all target systems and support multiple authentication types. But is that even possible?

Below we’ll review why unmanaged passwords are so risky, describe the pitfalls of standalone SSO, and explain what a new world could look like when SSO and a password manager are implemented together.

The Dangers of Unmanaged Passwords

Unmanaged passwords are often a key component of cyberattacks, which are only getting more prevalent as employees have to remember more and more passwords to complete their day-to-day work. For example, Verizon’s 2022 Data Breach Investigations Report found that stolen login credentials were associated with half of all data breaches — a 30% increase from 2017.

And data breaches aren’t cheap. In 2022, the average cost of a data breach in the US was $9.44M, up from $9.05M last year. Plus, they tarnish a brand’s reputation, leading to further revenue losses.

But password management is expensive even without a breach. The average password reset can cost companies $70. When extrapolated to an entire organization, that adds up quickly.

While IT can send regular reminders to update passwords and educate employees on what makes a strong password, that’s not enough to mitigate risks. And those practices don’t reduce strain on IT either.

A password manager can reduce the chances of a breach and decrease pressure on IT by:

• Enforcing password requirements – to comply with NIST 800-63 guidelines
• Generating strong passwords – to ensure password length and complexity 
• Rotating passwords – to ensure people are updating their passwords frequently
• Syncing across operating systems and devices – to prevent as many lockouts as possible

While password managers certainly help, they still force employees to login into every application individually and, ideally, require additional layers of authentication to protect a user’s master password. 

Resource Access With and Without SSO

Single sign-on, or SSO, is related to password management because it grants access to multiple applications after users provide one set of login credentials. 

Without SSO, users still must remember and type in a username and password for every application they want to connect to. In that situation, you run the risk of employees sharing passwords, keeping sticky notes with their passwords on them, reusing passwords for several different applications, or creating passwords that are extremely easy to guess.

As discussed above, these habits can cause devastating financial and reputational damage. SSO and other Identity-as-a-Service platforms lessen the chances of a breach and decrease IT load by:

• Using Security Assertion Markup Language (SAML) protocol to establish secure connections
• Increasing admin control
• Simplifying onboarding and offboarding
• Preventing shadow IT
• Lowering password fatigue
• Adding in extra authentication like MFA

But SSO doesn’t solve everything — it doesn’t generate passwords, enforce password policies, or rotate passwords like a password manager can.

Benefits of a Password Manager + SSO

Combining the benefits of a password manager and SSO gives you the best of both worlds.

Users no longer have to create hundreds of complex passwords and worry about forgetting them. With a password manager and SSO, you can meet password-based access needs while imposing new authentication practices, including federation and multi-factor authentication (MFA). Adding more security best practices increases the protection of valuable IP and sensitive customer data.

The best joint password manager and SSO solutions store passwords locally on endpoints, making it tougher for hackers to get the data they want. In addition, some come with a relay infrastructure, allowing users to share passwords via end-to-end encrypted communication.

Ultimately, users get access to sites and services quickly, while IT admins can monitor and enforce password health on the back end without slogging through a slew of password reset tickets.

Secure Single Sign-On and Password Management With JumpCloud

The fact of the matter is that no one SSO or password management solution is going to safeguard your company from attacks and dramatically reduce IT’s workload. To truly accomplish those two objectives, you need to unify your tech stack and consolidate your IT tooling. Luckily, that’s what you get with the JumpCloud Directory Platform, which combines SSO and password management into a cloud-based directory.

With JumpCloud’s robust yet easy-to-use platform, IT can lay the foundation for unified access across all users, systems, and authentication types, including MFA. JumpCloud also has a newly released password manager, and its open directory infrastructure streamlines the login process for your employees. IT staff also benefit from having more time and budget to focus on strategic initiatives.

Ready to get started? Try JumpCloud for free, or schedule a demo today.

As businesses continue returning to the office, more and more MSPs are being pressed to ensure that employees are able to return with minimal pain. Wi-Fi connectivity is often the very first issue that users will run into in a new office setting, so MSPs are finding that they must revisit how they handle the security of the wireless networks that they manage. 

Common Wi-Fi Security Vulnerabilities

It’s very likely that your customers have their Wi-Fi set up with a guest network for visitors to use and a pre-shared key that employees are given on the first day of their employment. However, this authentication method is only marginally better than having no password at all and is very dangerous if the Wi-Fi provides access to domain-associated resources. 

Addressing Connection Concerns

Being that your customers’ Wi-Fi keys are likely older than COVID-19, there has never been a better time to switch to a tried and tested solution: RADIUS. With RADIUS configured, network authentication takes place against a directory that has been configured to allow a user’s existing login credentials (username and password) to grant and revoke access to network resources. 

RADIUS adds a much needed layer of security between users and a Wi-Fi network, while also bringing added convenience to your customers’ wireless networks. While RADIUS comes with a plethora of benefits, implementation can feel intimidating — but, it doesn’t have to be!

Using JumpCloud’s Cloud RADIUS Feature

In order to set up RADIUS for a client, you will need a directory to use as the source of truth for user authentication, and JumpCloud has the perfect solution for you. Here at JumpCloud, we leverage our powerful open directory platform to offer a high-quality, easy-to-use Cloud RADIUS solution that our customers love, giving them cloud-directory-fueled authentication and MFA to keep their networks secure and efficient. 

1. Utilizing the Full Functionality of JumpCloud Alone

In addition to its Cloud RADIUS feature, implementing JumpCloud’sopen directory platform opens the door to a variety of other important features such as SSO, MDM, software deployment, and policies to help manage your users and endpoints. 

In effect, with JumpCloud, you will not only be able to address your clients’ immediate network security and user experience needs, but you’ll also be able to position your services in a new way. You’ll be able to offer current and potential customers a more forward-facing and expansive service using all of JumpCloud’s capabilities — including helping clients consolidate their technology stack or adding much needed features into their IT infrastructure.

Now, I know what you’re thinking: “That’s great, but I am not in a position to migrate directory services. I simply want to deploy RADIUS to improve Wi-Fi and VPN authentication, and I already have customers using Azure Active Directory (AAD).”

Well, I have some good news for you: you can leverage your existing Azure AD environments in harmony with JumpCloud thanks to our new feature: RADIUS Authentication with Azure AD Credentials.

2. Using JumpCloud’s RADIUS Feature With Azure AD

Surprisingly (or maybe ironically?) enough, the implementation of RADIUS with Azure AD is reliant upon on-prem resources, with physical servers needing to be allocated to perform the required tasks. JumpCloud is a strong proponent of equipping MSPs and IT professionals with world-class tools to get their jobs done effectively, which means we focus on creating solutions for problems like this.

This means that we’ve made it so you can leverage JumpCloud’s Cloud RADIUS feature while maintaining Azure AD as the source of truth for your directory needs, effectively giving you the best of both worlds, with no on-prem setup necessary. This means that your customers can enjoy secure networks while improving ease of access to networks among their credentialed employees. On that same note, what this means for you, is that you now have a cloud-based RADIUS solution that can be implemented for any of your customers without gutting their existing directories.

Getting Started With Cloud RADIUS

Here are some guides to help you begin launching Cloud RADIUS across your MSP business and your clients’ orgs.

• JumpCloud’s Cloud RADIUS Overview
• RADIUS Configuration and Authentication (AzureAD)
• Configuring a Wireless Access Point (WAP), VPN, or Router for JumpCloud’s RADIUS

Cloud RADIUS Benefits

Check out some of the benefits that JumpCloud’s RADIUS solution will give to your clients:

• Improved user experience that only requires a single, unique password to connect to networks and resources to get work done both in the office and remotely via a VPN.
• Streamlined user onboarding and offboarding due to the activation or deactivation of a single set of secure credentials compared to many different usernames and passwords.
• Fewer help desk tickets related to the pain associated with changing a PSK (pre-shared key) for a Wi-Fi network.
• Simplified compliance that’s easier to prove by getting rid of a shared network password that anyone can get ahold of.
• Easier network access for your techs. They’ll no longer be scrambling to figure out Wi-Fi passwords when performing site visits (this will also drastically lower the chance of a tech needing to huddle to one corner of a closet to get the single bar of LTE signal available for their hotspot to connect to your documentation service to find the Wi-Fi password. Definitely not speaking from personal experience. Sidenote: Why did they stop putting a network port on laptops?).

Ultimately, the largest benefit of having Cloud RADIUS from JumpCloud implemented is that you now have a solution that can be easily replicated across your entire customer base. Whether you’re working with a company that has never touched a directory service before (which JumpCloud can easily help with), or a customer that has been holding onto that 12 year-old server for dear life, JumpCloud is here to help you modernize your customers’ infrastructure. 

With Cloud RADIUS, your service offerings around network management can fully revolve around a single authentication standard, your hardware vendor of choice, and a unified support approach that will delight your customers. 

JumpCloud for MSPs

At JumpCloud, we are serious about setting MSPs up for success when working with in-office, hybrid, and fully remote clients. To do this, we have developed a dedicated platform for MSPs, called JumpCloud for MSPs. 

JumpCloud for MSPs is an open directory platform that enables our partners to centralize identity, authentication, access, and device management capabilities under one umbrella without having to tear and replace any existing infrastructure. 

This morning, like many before it, I woke up and thought, “Today is the day I come up with some  magical blog post idea that changes someone’s world!” I showered, threw on my Global Panini attire and a pair of Uggs slippers, cooked up an omelet, and made a pourover (my new obsession).

I plodded downstairs to the office and fired up the computer. I opened a new document, raised my hands to the keyboard and — nothing. Complete brain freeze. 

It’s hard to be amazing week after week. I know you feel this too. You have IT projects that are stacked up. Your boss is on you week after week to make their world more secure without adding friction for the users. Or your MSP is feeling stagnant and you need to come up with some new services to offer — or figure out how to offer your current services in a different way.

The week over week of having to be “on” all the time…it diminishes your ability to be creative after a while. Problem-solving becomes what keeps you from getting out of bed each morning instead of driving you to be 1% better every day. I get that. I hear you loud and clear.

The Block is Real

This creativity block thing is real. Very real. And if you were just doing IT for the fun of it — creating a playspace for yourself — you wouldn’t have to worry. But, folks, this IT thing is what you get paid to do. You can’t just say, “too bad, so sad” and head off to the zoo, y’know? 

Over here in the MacAdmins community, we have a great Slack instance where people are doing amazing things and being really creative. You go there, looking for something – a solution, some inspiration, a new job – but you’re still left uninspired. And you wonder why. Could be burnout. Could be general tiredness. Could be something else – let’s explore.

Brainstorming

At a recent standup (yes I now speak the language Agiletongue) I asked for a lift from my brilliant and creative teammates. Ideas, people, I needed ideas! It didn’t matter how outrageous they were. In fact, the more outrageous, the better. Anything is a springboard. As we’ve talked about previously, brainstorming requires a plethora of input and little to no judgment. 

And as a response to my request I got….nuthin. No ideas. Not a one. I wonder if it’s just the heat of this unbelievably hot summer cooking our brains or if people are just plumb wore out from current events. No clue, but nobody had any ideas for me. 

The next day, though, someone pinged me with an idea. “What about recipes?” they  said. “It’ll be fun,” they said.

I work for a tech company. Our product does (amongst other incredible things) device and identity management. IT stack centralization. MDM and security management. Automation. With my IT background, I hear the word “recipe” my brain goes to GitHub and shell scripts and munki and other IT management types of things. But, alas, that is not what they meant.

They meant real recipes. Food recipes. Don’t get me wrong, I like food. It’s an important part of my day to day life. But, hmmm…was this a weird ploy to turn this into a happy homemaker column? I was both confused and a little offended but I stuck with the discussion knowing that I’d find out if I just let them talk. 

How Does That Fit Into Tech?

Little by little the discussion started to make sense. 

Us admins are under a lot of pressure to be perfect all the time. For many (if not all) of us, one mistake can cost our companies their reputation (not to mention financial and productivity loss). In some cases, if a mistake is big enough, it could cost our jobs or our client. So if you weren’t feeling stressed before you started reading this, you probably are now. Sorry!

One way to get past the stress is to get up from your chair, step away from your desk, and get active doing something that is not related to tech (if stepping away won’t get you in trouble, that is).

Thinking about other things is a great way to open channels that allow you to come up with solutions. We’ve all experienced this — our best ideas come in the middle of the night; or the middle of a shower. 

Points to anyone who, by now, has accurately predicted where this is going.

A Story and a Treat

Growing up in my house meant that there was a plethora of home-baked goods. I don’t mean, a few store-bought cookies. I mean my mother baked. Daily. And there were always people over who didn’t live in this house.

The counter always had a few different kinds of cookies, a cake, maybe brownies, and on special occasions there were eclairs in the fridge. There were always bowls and beaters waiting to be licked clean and getting to the frosting bowl first meant you had to hide behind a locked door, lest someone steal it right out of your hands.

But one particular tradition we had was that on our birthday we got to choose our favorite dinner and our favorite cake. Mom wasn’t the best cook (I won’t say food was overcooked and dry and we’re probably lucky we didn’t all get food poisoning regularly, but…oh, I guess I will say it), but she could definitely bake.

So my choice was always spaghetti with meatballs (safe and really hard to mess up) and mom’s chocolate banana layer cake. I used to call it my migraine cake because every time I’d eat it I would end up with a migraine. Also, it was worth it every single time. I don’t do that anymore because now I know that my post-cake morbidity was due to celiac — but I can still taste it in my memory.

Here It Is

And, so, it is with a full heart and a now-hungry tummy that I gift you this recipe. Posting it here serves two purposes: 

• Getting up and doing something completely different from your work frees up your brain and refreshes your spirit.
• Eating something delicious can reduce your stress level. Even if it’s not a healthy option, a treat is good for the soul.

The recipe card (mom retyped every one of her recipes onto an index card with our Selectric typewriter that only had an all-caps ball) is well-worn. It has food stains all over it. It may have even gotten a bit too close to the heat. But it’s still here and someday it will be passed down to someone in the family. 

Chocolate Banana Cake 

Serves: 16 

Baking time: 30-35 minutes

Notes: This cake is best when frosted between layers and on the outside with a buttercream frosting.

Ingredients:

• 2 ¼ cups sifted flour
• 1 tsp baking powder
• ¾ tsp baking soda
• 1 tsp salt
• 1 tsp vanilla extract
• ½ cup sour milk
• ⅔ cup shortening (may substitute butter or margarine)
• 1 ½ cup sugar
• 2 eggs
• 2 ounce Bakers chocolate
• 1 cup mashed ripe bananas

Directions:

1. Preheat oven to 350º Fahrenheit.
2. Sift together flour, baking powder, baking soda, and salt.
3. Cream shortening together with the sugar until fluffy. 
4. Add eggs, one at a time, beating after each addition to shortening mixture.
5. Mix chocolate in with egg and shortening. Stir in vanilla extract.
6. Add the dry ingredients, alternating with the banana and milk in small amounts.
7. Turn into two 9-inch greased pans.
8. Bake for 30–35 minutes or until a toothpick inserted into cakes comes out clean.
9. Let the cake cool completely before removing from pans and frosting.

Nutrition Information*: 1 slice (1/16th of the cake) contains 241 Calories, 11.1g Total Fat, 4g Saturated Fat, 21mg Cholesterol, 220mg Sodium, 355.5g Total Carbohydrates, 1.4g Dietary Fiber, 20.3g Total Sugars, 3.2g Protein

*Note that this does not include the nutrition facts of the buttercream frosting

Let us know if this helped reduce your stress by baking it or by eating it. Or both! Join us in the community and tell us your favorite recipe for freeing up your IT brain.

October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.

When we think of cyberattacks, we tend to envision the biggest and most disastrous ones — ones that involve well-known companies, expose tons of important data, and cause some serious fallout and public mistrust. While these attacks are real and dangerous, they’re not the only ones out there. 

The reality is that cyber attacks affect businesses of all sizes and in all industries. Sometimes, our focus on the big ones can eclipse the less flashy ones that are just as dangerous to small and medium-sized enterprises (SMEs). In fact, a 2021 survey found that over 42% of small business respondents had experienced a cyber attack within the last year.

Mounting a viable defense starts with understanding what you’re up against — and even understanding the basics of common threats and defense measures can go a long way. The following are six of the most common attack vectors that can hit SMEs. 

1. Ransomware 

Because the largest ransomware attacks tend to dominate news cycles, many people don’t realize that ransomware attacks on SMEs are common as well. In fact, 50-70% of ransomware attacks are aimed at small businesses.

What Ransomware Looks Like for SMEs

Ransomware generally follows the same basic principles in attacks of all sizes: adversaries seize and lock a company’s data or assets and promise to return them upon payment of a ransom. For large enterprises, these ransoms can reach into the millions. For SMEs, they are often smaller — ransoms as low as $10,000 are common. While this may sound like a silver lining for SMEs, there’s a darker motive at play: adversaries know SMEs will pay them.  

For established enterprises with decades of built-up resources, six-figure ransoms and the downtime associated with an attack are painful, but not often a death sentence. For SMEs with tighter resources, this isn’t always the case — the downtime and loss of data access alone can be crippling for a tightly-run SME. To adversaries, this means SMEs will fight to get their data back — so they demand a “reasonable” ransom and can expect with near-certainty that the SME will pay it. According to research, more than half of them do. 

The Ramifications

The ramifications of a data breach to your employees, customers, partners, and reputation are grave: a Ponemon study found that 65% of consumers whose data was breached lost trust in the company that experienced the breach. 

What’s more, paying the ransom doesn’t guarantee that your data hasn’t been compromised or shared when under the adversary’s control. Of the 59% of SMEs who said they had paid a ransom in a survey, only 23% got all their data back.

In fact, paying up can endanger your organization further: it tells hackers that you are willing and able to pay ransoms to reclaim your data. And now that they’re familiar with your defenses and architecture, they’ll have an easier time attacking you again. Unfortunately, repeat attacks are highly likely — either from the same criminal organization, or from another organization that the attackers sold your information to. 

2. Supply-Chain Attacks 

Most of us are familiar with supply chain attacks, where an infection starts with a large corporation and spreads as it comes into contact with other businesses through the supply chain. And while we’re likely to hear about supply-chain attacks on large businesses, news sources don’t always report on their trickle-down effects on smaller businesses in the supply chain.

How Supply-Chain Attacks Affect SMEs

In supply-chain attacks, SMEs aren’t usually direct targets, but rather casualties resulting from a larger breach. Thus, large supply-chain attacks have ramifications on many of the target organization’s partners, customers, or vendors. In REvil’s attack on Kaseya’s VSA software, for example, many of those impacted were SMEs that used the product. In another example, the famous SolarWinds breach was originally believed to have affected a few dozen organizations. It actually impacted over 250.

3. Phishing and Its Variants

Some of the most basic and low-effort tactics remain common — and effective — infiltration methods. Phishing remains one of the top three threats SMEs face, even despite increasing organizational awareness around it. 

The reason phishing is still so common is two-fold: 

1. It is effective for adversaries. From the cybercriminal’s point of view, phishing is relatively easy to deploy, and it often yields lucrative results. It takes few resources and minimal skill to launch phishing attacks, and yet they continue to dupe employees into sharing credentials, network access, and other sensitive (and, for cybercriminals, profitable) information and assets. 

2. It preys on human error. Unlike many other attack vectors that leverage vulnerabilities in systems, phishing uses social engineering to take advantage of human nature (and human error) to gain initial entry. It only takes one mistake to allow an attack to take hold — and the average organization has a 37.9% phishing test fail rate.

Targeted Phishing in SMEs

Cybercriminals have refined tactics to mount more targeted and precise attacks with different types of phishing. Spear-phishing, for example, involves background research to convincingly target individuals rather than bulk-sending a list to a group of recipients. This personalization and specific targeting makes spear-phishing attempts harder to spot — like the popular scam that involves posing as the target’s boss in a text or email. These messages often use conversational language and use the names of the target and the boss, which can make them quite convincing. 

Some adversaries take this type of attack a step further with whaling, which uses spear-phishing tactics to target company executives. Because executives have extensive access to systems and data, whaling is particularly popular — especially with SMEs, where scarce resources could hamper their ability to adequately train leaders on security and phishing awareness and best practices. 

4. Software Vulnerability Exploits 

Leveraging software vulnerabilities is a common way to gain access into an organization’s systems. Often, exploited vulnerabilities are known and even have patches available. In fact, many of the top exploited vulnerabilities were found years ago — for example, a Microsoft Office vulnerability found in 2017 continues to plague businesses that haven’t kept up with their patches. In a Ponemon survey, 60% of respondents who had experienced a breach said it could have occurred through a known vulnerability that had a patch available, but the organization hadn’t applied it. 

Why SMEs Are Vulnerable

Routine patching is a critical basic cyber hygiene activity, and it is highly effective at blocking this type of attack. However, large-scale organizations are more likely to have formal patch management solutions in place than SMEs, which can make SMEs an easier target. In a 2022 JumpCloud survey, only about half of SME respondents said they were confident that their organization’s patch management strategy was sufficient to protect against known vulnerabilities. 

5. Account Takeover

As businesses move to the cloud and dispersed infrastructure becomes the norm, identity has increasingly come to define the new perimeter. Because identity permeates every element of the infrastructure, it has become a common infiltration point. In fact, the number of password-stealing attacks on SMEs around the world increased by almost 25% from 2021 to 2022, and nearly 80% of attacks leverage identity to compromise credentials. 

How ATO Attacks Work

In account takeover (ATO) attacks, adversaries gain access to the network by taking over a user’s account. Account access can be gained through various means, including password-stealing ware, social engineering, and using (often, by purchasing) the credentials of already-breached accounts. Once the adversary has taken over the account, they can access resources and move around the network under the guise of a legitimate user. This makes account takeovers difficult to detect. 

6. Advanced Persistent Threats

SMEs that work with large enterprises may be more susceptible to advanced persistent threats (APTs), which are sophisticated attacks carried out stealthily over an extended period of time. APTs typically consist of infiltration, lateral movement toward targeted data or assets, and exfiltration. APTs can start from any ingress point, and can enter through methods as simple as a phishing attack or stolen password.

For example, an adversary could gain the credentials of an employee with base-level permissions through a phishing scam, then take over the account to analyze the network and gather permissions, access and store the target data, and finally exfiltrate it to sell for profit.

APTs are harder to detect in sprawled IT environments, which are common in SMEs that have grown quickly. IT sprawl limits the ability to fully carry telemetry data from one element to another, which makes infiltration and lateral movement hard to detect. 

Shoring Up SME Security 

Because cybersecurity attacks on SME attacks don’t always make headlines, SMEs often underestimate their vulnerability and underinvest in security. However, adversaries have something to gain from just about any business; SMEs face many of the same threats that enterprises do. 

The attacks above are some of the most common, but SMEs face a multitude of threats via many different vectors. And while it’s impossible for anyone to achieve 100% immunity from threats, it’s possible for SMEs to develop a strong, reliable security program that deflects most attacks.