Every family has its IT guy, ours is Raphael and he is great at it. Embracing this position within the family he married into, Raph faithfully keeps us updated on WhatsApp with interesting articles and important security updates. About a year and a half year ago he sent one of those updates and included a phishing quiz. With the confidence that is becoming of a Product Manager in the Israeli high-tech scene, I embraced the challenge and… failed miserably. Ironically enough, I got a call eight months later from David Habusha, vice president of product management at IRONSCALES (an industry leader in email security) about an opportunity to join the team. The memory of failing Raphael’s phishing quiz was still fresh in my mind.

The tendency to overestimate your own abilities and underestimate the risk you face is well documented and referred to as the optimism bias and is all too common among small and medium businesses (SMBs) regarding cybersecurity. They underestimate the risks to their business, thinking that they’re not as interesting to cybercriminals as larger enterprises. While, in reality, the lack of investment in cybercrime prevention and solutions increases their desirability as a mark.

For the cybercriminals, aided by automatization, it’s a numbers game and with their relatively low awareness and preparedness, SMBs are a cybercrime sweet spot. Just like large enterprises, SMBs handle sensitive data and successful account takeovers are excellent con-gateways for cybercriminals with their eyes on the big price; the large enterprises the SMBs work with. So, now what? Of course, the resources available for SMBs to protect themselves cannot be compared to that of larger enterprises even if they want to.

Luckily, there are noteworthy measures that don't cost anything:

1. Clearly Define Responsibilities

One of the most common issues is “diffusion of responsibility” where employees are aware of a problem but don’t take action awaiting the response of “someone higher up." It is pivotal that securing and maintaining a secure cyber environment (incl. device usage, networks, SAAS applications, permissions, and more) is someone's explicit responsibility, and this must be clearly communicated across the organization.

2. Secure User Management

Make sure all the software and services used within the organization can only be accessed by the employees (including executives) that really need access to do their job.

3. Training & Awareness

Enable and empower your employees to recognize and alert for anything out of the ordinary. Free tools like IRONSCALES™ Starter™ can help you set up simulation training campaigns to increase awareness and preparedness across your organization.

Optimism is great but be aware of the bias (including your own), and be realistic about the risks around you and your organization.