Hardly a week goes by without a report of another alarming cybercrime. Successful attacks against giant corporations and government agencies may get all the headlines, but small and medium-sized businesses are not immune. In fact, they often make particularly attractive targets because they tend to have smaller security budgets than larger companies, and cybersecurity is not part of their core business, says Andy Woods, direct of commercial cybersecurity at BAE Systems, Intelligence & Security.

“SMB owners need to recognize that it isn’t just the large primes that are being targeted,” Woods says. “Our adversaries recognize that, in most cases, large businesses have dedicated resources for cybersecurity, making them much harder and more complicated targets. The first step for SMBs is to make their security a core element of their business in order to protect their (networks).”

Brian Burch, vice president of product marketing at Norton, says his company is “crisscrossing the country, educating small business owners about common targeted attacks.” Chief among them are:

• Spear-phishing, an email spoofing fraud that targets a specific organization and is one of the most lethal and cunning ways to compromise a small business. SMBs accounted for 30 percent of all spear-phishing attacks in 2013, according to Symantec’s Internet Security Threat Report.
• Exploitation of unpatched systems and software, which can leave sensitive customer and business information vulnerable to hackers. Cybercriminals often use small businesses as a stepping-stone to infiltrate larger enterprises “because they have fewer employees and are generally less secure,” Burch says.
• Crypto-ransomware, a type of digital extortion that encrypts data and demands a ransom for its release. Even when the ransom is paid, the perpetrators often do not return the data.

SMBs can do more to keep themselves safe from cybercrime by adopting best practices in this area:

• Make data protection a top priority.
• Identify critical IT assets and sensitive data. “This will provide the visibility and control capabilities needed to prevent attackers from accessing and stealing your sensitive data,” says Mark Stevens, vice president of global services at Digital Guardian.
• Improve security education for employees. Add data protection policies to manuals and employment agreements, and train employees regarding the use of confidential data.
• Adopt multilayered security solutions to protect against today’s advanced threats.
• Keep all systems and software updated. Taking the time to update operating systems on an ongoing basis will help protect against recently discovered vulnerabilities, as well as unexpected attacks, Burch says.
• Embrace mobility. Securing mobile devices that handle corporate data should be a priority. Burch suggests limiting unnecessary mobile access to customer information and keeping a close eye on who has permission to access data.
• Prevent users from installing and executing non-approved corporate software.
• Do not allow general use of administrator accounts. “Make this an as-needed practice,” Woods advises.
• Implement complicated passwords, establish a change policy, and prohibit password reuse.

The right security package can offer a high degree of protection, but one mistake many SMBs make is choosing a security software package or hardware device without first performing a gap analysis to identify the threats they need to mitigate, Woods warns. A thorough analysis can help SMBs get the protection they need along with the best return on their cybersecurity investment.