During a recent panel discussion organized by the Voice of Entrepreneus association ( Glas PODUZETNIKA ), I had the opportunity to delve into some of the most pressing cybersecurity challenges and trends shaping the landscape for 2025 and beyond. One topic that particularly resonated was ransomware - a threat that continues to evolve in sophistication and impact. 🚨 The Ransomware Playbook: Cybercriminals today are far more strategic. They meticulously analyze a company’s financial standing, industry, and data value to determine the ransom amount. This calculated approach ensures their demands hit where it hurts the most, making it difficult for organizations to negotiate or refuse payment. 🔍 Emerging Trends to Watch: 1️⃣ The rise of double-extortion tactics, where attackers threaten to leak stolen data in addition to encrypting it. 2️⃣ Increasing use of AI-powered phishing campaigns, creating highly personalized and believable traps for employees. 3️⃣ Targeting of critical supply chain links, where vulnerabilities in smaller vendors compromise entire ecosystems. 🛡️ How Do We Respond? It’s clear that businesses of all sizes must adopt a proactive, rather than reactive, approach to cybersecurity. This means: ☑️ Regularly assessing risks and ensuring robust incident response plans. ☑️ Implementing stronger authentication mechanisms like multifactor authentication (MFA). ☑️ Educating employees to recognize and avoid sophisticated phishing attempts. Cybersecurity is no longer a cost center - it’s a critical investment in protecting your organization’s reputation and operations. As threats like ransomware grow more complex, our strategies must become equally agile and innovative. What trends in cybersecurity are you most concerned about for 2025? Let’s discuss in the comments! 👇 #Cybersecurity #Ransomware #DigitalRisk #ProactiveDefense Tomislav Gosarić Tomislav Vuk Tino Herljević Marijan Bračić Vedran Antoljak
Cybersecurity Measures for Small Businesses
Explore top LinkedIn content from expert professionals.
-
-
In the U.S. alone, cybercrime caused $16 billion in damages in 2024 - a 33% increase from the year before. And most of these breaches weren’t due to complex hacks or advanced malware. They happened because of simple human errors: misconfigured systems, unsecured devices, careless behavior, or being tricked by a convincing phishing email. That’s why the human factor is often the weakest link in cybersecurity, but also where the biggest gains can be made. So how do we build a human-centered security culture? It’s about shaping behavior and habits. A proven approach is Neidert’s Core Motives Model, which helps leaders guide employees toward secure behavior through three stages: 🔹 Connect – Build trust and rapport. People follow leaders they like and feel connected to. Gamified training sessions, team bonding, and small acts of reciprocity go a long way. 🔹 Reduce Uncertainty – Show credibility and social proof. When senior leaders take part in security efforts, or when teams see peers taking security seriously, they’re more likely to follow suit. 🔹 Inspire Action – Reinforce commitments. Use nudges, timely reminders, and even friendly competitions to encourage continuous attention to cybersecurity practices. A collective mindset where everyone feels responsible for protecting company assets, and each other. Security doesn’t live in IT alone. It lives in everyone’s daily choices.
-
Most MSPs still think of cyber threats as isolated incidents, while data show a different reality: compromise is already part of the baseline in SMB environments. 89% of monitored SMBs have at least one user with a confirmed credential compromise at any given time, and roughly 31% of users use compromised passwords every single month. That’s reality! It’s getting worse fast. We are seeing dozens of thousands of unique spray IPs every month, session-hijacking activity increasing by more than 20% in a matter of months, and OAuth abuse accelerating as attackers move higher in the application layer, where traditional controls are weaker. Ransomware detections surged by 190%, and RMM abuse has become the number one endpoint threat vector. Business email compromise continues to operate at scale with real incidents costing millions of dollars. Attackers aren’t breaking systems anymore. They’re moving through them. That’s why adding more tools or reacting faster to alerts isn’t solving the problem. The issue isn’t volume, it’s the model itself. Security is still being operated in silos, while the attack surface is fully connected. What’s needed now is a fundamental shift in how we operate security. Moving from fragmented controls to a unified data fabric, powered by agentic detection and response that can actually understand context and act across the entire environment with automated remediation. We captured these patterns along with the drivers behind them in the 2026 State of MSP Threat Report. https://lnkd.in/eewsqvtd
-
When is it time to go beyond basic cybersecurity training and build a cyber-resilient workforce? Basic training isn’t enough. To stay ahead of evolving threats, organizations need teams that can actively respond to and recover from cyber incidents. Why this matters: Awareness Isn’t Enough: One-time training sessions fail to address real-world risks. Threats Evolve Fast: Continuous learning ensures teams stay ahead of emerging dangers. Culture Over Compliance: Security should be embedded into your company's culture, not just a checkbox. The way forward: → Tailored Training for specific roles. → Ongoing Education to stay current. → Simulated Scenarios for real-world skills. → Foster a Security Culture across the organization. A resilient workforce can proactively handle cyber threats. Let’s empower teams to be both aware and resilient.
-
The $2.8 billion mistake most small businesses make is thinking they're too small for hackers to notice. Your business is the perfect target for hackers, and it has nothing to do with your data. I've noticed a consistent pattern in hundreds of breaches, where the hackers aren't just targeting you for your data, but they're using you as a stepping stone. Small businesses have become the perfect entry point in our connected economy. When you're part of a supply chain or have access to larger client systems, you become valuable real estate for attackers. Some data on this big problem: ↳ Small businesses faced over 700,000 attacks in 2020 alone ↳ These attacks resulted in $2.8 billion in damages ↳ Only 14% of small businesses have any security plan at all When small companies become the weak link, the consequences get massive: 📌 The 2013 Target breach, exposing 40 million customer credit cards, began when hackers compromised credentials from a small HVAC vendor. 📌 In 2021, attackers targeting Colonial Pipeline caused gas shortages across the East Coast. They didn't breach Colonial directly; they entered through smaller vendors with weaker security. Most small business owners I talk to are ignoring security because they’re overwhelmed with competing priorities and limited resources. But effective security doesn't always mean expensive security. Here are four practical steps that have helped my clients significantly reduce their risk: 1. Implement multi-factor authentication This single step blocks most automated attacks and costs almost nothing to deploy. 2. Train your team to spot phishing attempts With 95% of breaches starting with human error, a simple training program creates massive returns. 3. Keep good backups When ransomware strikes, the difference between paying thousands and recovering quickly often comes down to having current backups. 4. Have a response plan ready Know exactly who to call and what to do if something happens. The first 24 hours are critical. What I've learned is that the businesses that survive are the ones that build basic security practices into their daily operations. 📌 Have you ever received a phishing email? #cybersecurity #smallbusiness #startups #security
-
You can't buy the best cybersecurity tool ever, and you need it. Culture, a security culture. Cybersecurity needs a strong culture to drive it. It’s about leadership, intentional programs, and turning security into a shared mission. Learn how to engage employees, get leadership buy-in, measure meaningful KPIs, and make security a true business differentiator. 🧙🏼♂️In this episode of The Keyboard Samurai Podcast , Mike Williams President of Appalachia Technologies, LLC sat down with me to discuss how he builds a culture of cybersecurity. ⏯️ Full episode link in the comments. Here's the TLDR 👇 1. Culture Starts with Leadership ↳ Leaders set the tone for security ↳ Model the behavior you expect ↳ Fund programs, not just policies 2. Make Security Intentional ↳ Run phishing drills regularly ↳ Host monthly lunch and learns ↳ Do real tabletop exercises 3. People Are the Front Line ↳ Train users on real-world threats ↳ Reward good security behavior ↳ Turn mistakes into learning 4. Training is Not Culture ↳ Avoid one-and-done modules ↳ Use gamified, role-based content ↳ Train early, often, and in context 5. Security is a Noble Mission ↳ Frame security as protection ↳ Connect actions to real impact ↳ Inspire a sense of purpose 6. Customize by Role or Team ↳ Tailor training to each function ↳ Map risks to daily workflows ↳ Speak their language, not yours 7. Measure What Matters ↳ Track phishing data ↳ Prioritize for your business ↳ Report on IR response times 8. Security is a Client Differentiator ↳ Promote your security posture ↳ Show real effort, not just badges ↳ Use cyber strength to win deals 9. Educate, Don’t Lecture ↳ Share breach case studies ↳ Explain how attacks actually work ↳ Keep stories short and sticky 10. Build the Case with Data ↳ Use risk registers to guide asks ↳ Show the cost of inaction ↳ Bring metrics to the boardroom 11. Security Never Stands Still ↳ Update practices as threats evolve ↳ Watch trends like AI and quantum ↳ Build a learning-first culture This episode will change how you think about security daily. How do you build cyber culture? ⬇️ 🔄 Share to build strong cybersecurity cultures 📲 Follow Wil Klusovsky for wisdom on cyber & tech business
-
Cybersecurity isn’t just about firewalls and AI-driven threat detection—it’s also about workplace culture. A toxic work environment can quietly become a company’s biggest security risk. High turnover, low morale, blame games, and disengaged employees all make organizations more vulnerable to cyber threats. When employees don’t feel valued or trusted, they’re less likely to report phishing attempts, follow security protocols, or even think twice before clicking a suspicious link. In extreme cases, disgruntled employees have been known to sell company access to hackers—a nightmare scenario for any business. So how do leaders turn the tide? ✅ Foster trust & transparency – Employees should feel safe reporting security concerns without fear of blame. ✅ Invest in security awareness training – People can be your strongest line of defense, but only if they know how. ✅ Encourage good security behaviors – Reward proactive habits like flagging phishing attempts or updating passwords. ✅ Lead by example – Cybersecurity starts at the top. When leadership prioritizes security, employees will too. Technology alone won’t protect an organization if the culture is working against it. Strong security starts with strong leadership. Is your organization building a culture that strengthens security—or one that weakens it? #CyberSecurity #WorkplaceCulture #Leadership #HumanRiskManagement #Infosec #SecurityAwareness #RiskManagement https://lnkd.in/d3GYVZT2
-
CISOs: don’t leave risk management to your risk managers alone. Every employee is an invaluable security ally, not just those in risk management and internal auditing. After all, your “frontline employees” - the ones regularly interacting with your technology, operations, and customers - far outnumber your designated risk management team. By empowering those frontline employees with the training and resources they need to spot any potential risks and manage them, you’ll strengthen your security posture exponentially. How can you do that? It starts with training and processes. Teach your frontline employees how to spot vulnerabilities in their daily tasks, and provide them with relevant risk control evaluation (RCE) forms to fill out when they do spot a likely cyber threat. These steps will make your cyber security team’s job much easier - they’ll have countless allies on the front lines, actively reporting threats that might have otherwise gone overlooked. Of course, I understand that putting such a system in place takes work. To support your front line, you need a robust risk management team. But it’s worth the effort. By allying yourself with your frontline workforce, you build up the connective tissue of your organization - and empower every team member to be their own risk manager.
-
Let’s drop the big words. Do you know what caused the largest damage for businesses in 2024? Business email compromise (BEC) was the leading cybersecurity incident businesses experienced. Continuing a steady trend that spanned all of 2023, BEC frequency increased 4% and accounted for nearly one-third of all cyber attacks businesses experienced. What is BEC in simple words? It’s a scam where criminals pretend to be someone you trust, like your boss or a supplier, to trick you into sending them money or sharing private information. They often pull this off by exploiting weaknesses in your email setup, like leveraging misconfigurations in your company’s email domain (think outdated security settings that let fake emails slip through). Or they might buy a lookalike domain, like “yourcompany.co” instead of “yourcompany.com,” to make their messages seem legit. What is the potential damage? BEC scams can cause huge financial losses, costing businesses billions worldwide. But it's not just about the money – one BEC attack can harm your reputation, interrupt your work, and break the trust of your clients. How do you avoid it? 1 - Don't assume "this won't happen to me." The truth is, BEC can target any organization, no matter its size - yes, even you, especially when you’re busy or on autopilot and don’t notice the signs. 2 - Double-check email requests. If something seems off, confirm with the sender by calling or speaking in-person. It might feel odd, but they’ll appreciate the caution. 3 - Setting up multi-factor authentication (MFA) for everyone in your organization can help stop accounts from being hacked. It takes a minute to enable, so don’t skip it. 4 - Teach employees to get extra confirmation for important or suspicious emails. Trust me, you’ll be surprised by the results if you run a simulation and see how many fall for a fake. 5 - Put strict controls in place, like requiring multiple approvals for big transfers or account changes, because it’s way better to be safe than sorry when a single slip could cost you millions.
-
Monday morning. Small business owner texts me. "My IT guy says we're secure. We've got antivirus and backups. What else do we need?" I send back one number: $600,000. That's the average ransomware demand in 2024. For businesses just like theirs. Here's the brutal truth: Your employees' passwords are probably already for sale. Right now. On forums you've never heard of. For less than the price of a sandwich. Identity Threat Detection and Response (ITDR) watches for something most small businesses never think about: when your legitimate credentials get weaponized against you. Think of it this way. Your security is like your house. Firewalls are your locks. Antivirus is your alarm system. But ITDR? That's the system that alerts you when someone made a copy of your keys. Last month, we deployed ITDR for a 38-person accounting firm. Within 72 hours, it flagged something interesting. Their office manager's credentials were attempting logins from Romania. At 3 AM. While she was asleep in Dallas. Here's what ITDR actually does: Monitors when employee credentials show up in breach databases. If Sarah used "CompanyName2023!" on LinkedIn and LinkedIn gets breached, attackers now have a key to try on your door. Watches for impossible travel. When Bob's account logs in from Chicago at 9 AM and Moscow at 9:15 AM, that's not Bob. Detects credential stuffing attacks. When someone's trying thousands of username/password combinations against your systems, hoping one works. Identifies unusual access patterns. When the intern's account suddenly starts downloading your entire customer database at midnight. The accounting firm? We stopped that Romanian attack in minutes. Changed credentials. Locked down access. Zero damage. But here's what kills me: Small businesses think they're too small to need this. Meanwhile, cybercriminals specifically target them because they think the same thing. You're not too small to be a target. You're exactly the right size. Because criminals know you probably don't have a full-time security team. Don't have sophisticated monitoring. Don't have $600,000 lying around for ransom. ITDR changes that math. For the cost of a team lunch, you get enterprise-grade identity protection. You get alerts when your credentials are compromised. You get protection before the attack, not damage control after. How many of your employees are using the same password for work that they used on that website that got breached last year?