Small Businesses Need Default Security in Products Now


Small and medium businesses are more vulnerable to attacks because software companies, cloud service providers, and technology makers either charge for safety features that should be offered at every service tier or fail to offer the features at all.

Earlier this year, at least 165 customers of data-services provider Snowflake were compromised, and one contributing factor, cybersecurity experts say, was that the platform offered no easy way for an administrator to require multi-factor authentication for all users. And just last year, a non-profit organization failed to detect an attack in part because its Microsoft 365 'E3' license did not include logging features that were available only on the more expensive 'E5' plan, incident responders stated at the time.

Software makers and service providers need to offer effective security features as a safety measure to every tier of service and not create a cybersecurity gap between the "cyber poor" and enterprises that can afford extra security, says Kymberlee Price, CEO and co-founder of Zatik, a provider of fractional security expertise targeting smaller businesses.

"If vendors do not change the way they price security, if they don't put seatbelts in the base model, then software liability is inevitable," Price says.

Finding ways to secure the cyber poor (companies and organizations that can afford neither dedicated cybersecurity professionals nor high-priced security systems) has become a critical effort worldwide. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) pledged to find ways to help the smallest organizations, which typically have no budget for information technology, let alone information security. Security compromises can result in business failures and significant stress-related problems for small business owners.

Driving security down to the smallest firms is critical to promote security across the business ecosystem, as larger companies count SMBs among their vendors, contractors, and partners, says Saeed Abbasi, product manager of vulnerability research at Qualys.

"Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains," he says. "Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches."

Delivering More Security By Default

Drawing the line between what should be a security product in its own right and what should be a security feature is not easy, acknowledges Price. A single sign-on service such as Okta is clearly a security product, but the ability of another product to connect to Okta's SSO is a feature and should not require purchasing a higher tier, Price says.

"If there's some completely new innovation that revolutionizes the way security works, ... that's going to involve development and other costs," so charging extra for that seems fair, she says. "But at this point, so many of these features [are the equivalent of] backup cameras, which were an LX-model option when they first came out, but now they're standard in the base models."

Among the safety features Price would like to see: Firms should be given the ability to require and monitor two-factor authentication across the business, single sign-on integration should be a base-tier feature, and role-based access controls that split administration and normal user functions should be standard, she says. In addition, companies should start offering audit trails in every application by default and the ability for an administrator to revoke access to users.

For Snowflake, the problem was not that it charged extra for multi-factor authentication, but that it offered no way to enforce a control cybersecurity professionals have long advocated. On the platform, individual users could opt into MFA, but the company administrator had no power to require it for every user in the organization, Ofer Maor, co-founder and CTO at threat response firm Mitiga, said in an interview last month.

"Snowflake not only does not require MFA, but also makes it very hard for administrators to enforce this," he said. "Unlike other SaaS platforms, where an admin of a tenant can require MFA for all users in the tenant, in Snowflake this option is not available. The only way for the admin to attempt to enforce it is by manually reviewing every user in the system to see if they voluntarily enabled MFA, and if not, ask them to do so."

Both Snowflake and Microsoft now offer the requested security features on their platforms: Administrators can require MFA by default for Snowflake as of July 9, and Microsoft changed its policy on the cost of logging last year, following criticism of its licenses.
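To make the two halves of the Snowflake story concrete, the following is an added example (not code from the article, from Mitiga, or from Snowflake's documentation): it turns the user-by-user review Maor describes into a single query against the `SHOW USERS` output, and then applies the enforcement control the article says administrators can now use. It assumes a role with account-level privileges, that `SHOW USERS` exposes an `ext_authn_duo` column that is true once a user has enrolled in Snowflake's built-in MFA, that the `MFA_ENROLLMENT = REQUIRED` authentication-policy syntax is available on the account, and that the `security_policies` database and `require_mfa` policy name are hypothetical names chosen for the example.

```sql
-- Added example, not the article's or Snowflake's own code.
-- Assumed: ACCOUNTADMIN privileges; SHOW USERS exposes "ext_authn_duo";
-- the authentication policy syntax below is available on this account.
-- "security_policies" and "require_mfa" are hypothetical names.
USE ROLE ACCOUNTADMIN;

-- Step 1: the "manual review" done as one query instead of by hand.
-- SHOW USERS cannot be filtered directly, so scan its result set.
-- Column names from SHOW output are lowercase and must be double-quoted;
-- comparing to the string 'false' works whether the column is typed
-- as BOOLEAN or as text in the scanned result.
SHOW USERS;
SELECT "name",
       "login_name",
       "last_success_login",
       "ext_authn_duo"       AS mfa_enrolled
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "disabled"      = 'false'   -- ignore already-disabled accounts
  AND "ext_authn_duo" = 'false'   -- no MFA enrollment on record
ORDER BY "last_success_login" DESC NULLS LAST;

-- Step 2: enforce enrollment account-wide with an authentication policy,
-- so the admin no longer has to ask each user to opt in.
CREATE DATABASE IF NOT EXISTS security_policies;
CREATE SCHEMA   IF NOT EXISTS security_policies.auth;

CREATE AUTHENTICATION POLICY IF NOT EXISTS security_policies.auth.require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Every user must enroll in MFA at next login';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_policies.auth.require_mfa;

-- Step 3: confirm what was applied.
DESCRIBE AUTHENTICATION POLICY security_policies.auth.require_mfa;
```

The first query is the check to keep running after the policy is in place: any active user it still returns has either not logged in since the policy took effect or has been excluded by a user-level policy that overrides the account default, and both cases deserve a look. Service accounts that authenticate with key pairs rather than passwords will also show up here and need a separate policy rather than an exemption.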

Make Cyber Safety Easy, Available in Lowest Tiers

Because small and medium organizations often do not have their own IT specialist, let alone a skilled cybersecurity expert, offering easy-to-use basic security is paramount. There needs to be a path to drive security down to every user, says Narayana Pappu, CEO at Zendata, a data security and compliance firm.

"SMBs usually lack security expertise in house, don't have resources to implement nor maintain a solution, and usually carry security risk that can put them out of business if or when a security incident occurs," he says. "These are great reasons to drive good security down to SMB level—in a connected ... world you are only as strong as your weakest link."

While the latest generative AI and large-language models (LLMs) could give some companies additional security capabilities, the cost may still be prohibitive, and such features are rarely offered at the base tier.

Instead, cybersecurity and software firms should provide basic, effective security in every product at the base service tier, says Zatik's Price, who stresses that she is not against charging everyone a bit extra to make the feature available. However, there should be no tier in which the most effective security measures are not offered, she says.

"There's no version of a car that does not include seatbelts on the market today," she says. "Are seatbelts free? No, they're baked into the cost of that car. [Similarly,] we're not saying that all security should be free and zero cost."
