Close this search box.

Cybersecurity for SMBs: Practical Advice from Expert Will Shu

WIll Sue of Gerent

In an era where cyber threats evolve daily, cybersecurity is no longer just a concern for large corporations. Small and medium-sized businesses (SMBs) increasingly find themselves at the center of cyber threats.

Despite this growing risk, many SMBs do not fully understand the importance of robust cybersecurity measures. This oversight can have devastating consequences, from data breaches to complete operational shutdowns. Today, even a single cyber incident can have catastrophic repercussions for a small business. 

The indirect costs can be even more debilitating beyond the immediate financial losses, which, according to the e National Cyber Security Alliance, can average $200,000 for SMBs. These include brand reputation damage, customer trust loss, and potential regulatory fines. For many SMBs, a significant cyber attack can lead to business closure. 

Will Shu, the CIO of Riverstrong, a Managed Services Provider, and the CISO of its parent company, Gerent, a leading Salesforce Summit consulting and implementation partner, has seen the consequences of cyber attacks on small and medium businesses. We sat down with him to get his thoughts on the most common misconceptions about cybersecurity for SMBs, what value cybersecurity specialists bring to a business, and why companies of all sizes should implement proactive measures for robust cybersecurity posture to protect their assets and operations. 

Understanding the Cybersecurity Landscape for SMBs

Despite misconceptions, SMBs today are particularly vulnerable to cyber-attacks for several reasons. 

First, they often need to prioritize resources and expertise to implement comprehensive security measures because they mistakenly hold misguided perceptions of what it takes to have a robust cybersecurity posture. 

Shu, who has been part of growing companies and works with SMBs daily as the CIO at Riverstrong, agrees: “Most people who aren’t in or knowledgeable of the cybersecurity industry don’t understand what they don’t understand. They cling to an old mentality that thinks, ‘I’ve installed antivirus, I’m done, I’m safe.’ But we know that’s unrealistic today, especially in the modern landscape of bad actors and automated threats.”

A recent report by Huntress backs up what Shu points out: that cybercriminals are increasingly moving away from conventional malware-focused intrusions. Huntress’s research found that 56% of cyber incidents in the third quarter of 2023 were essentially “malware free,” meaning the antivirus and malware do not catch many attacks, even though many small and medium businesses primarily rely on these for their entire cybersecurity protection. 

Shu empathizes with small and medium business owners who have outdated perceptions. They often need more knowledge or ability to keep up with a constantly changing industry. However, he points out that the need to seek out a specialist should not be a concept entirely unfamiliar to most people.

“Myself? I don’t keep up with medicine. So, am I unaware of the latest generation of medication for a particular illness? No, I’m not. But that’s why we go to the doctor. They’re specialists, and they learn, train, and understand the latest in medicine so they can diagnose, create a prevention plan, and help us avoid getting sick.

Ultimately, that’s the goal of all cybersecurity: don’t get sick. Once we get sick, lots of bad things happen, and it becomes a much more difficult situation. Like a doctor, cybersecurity professionals want to prevent attacks and keep difficult situations from happening.”

Shu says that, much like going to a medical expert, business owners need to be open to bringing cybersecurity specialists and consultants in to augment their knowledge and experience in an increasingly important field. 

Unfortunately, small and medium-sized business owners often don’t perceive themselves as the typical targets, mistakenly believing that cybercriminals only target more prominent organizations. However, the reality is quite different. Cybercriminals view SMBs as low-hanging fruit because of their often weaker security protocols. Shu also points out another alarming trend: a business is never too small to be attacked by a bad actor because many threats and attacks are automated today.

“These tools do not discriminate about who they will reach. They just try until they are successful. They are automated scripts that attack and phish. Constant targeting is just the nature of today’s business.”

Engage with Cybersecurity Professionals

Given the complexities involved, engaging with cybersecurity specialists can provide SMEs with the expertise needed to develop and maintain a secure environment. Shu points out that these professionals can offer tailored advice and solutions that align with the business’s needs, size, and industry.

“Talk to a specialist, invite them to come in and just take a look around, to see what’s there, and to give you a report so you better understand where your cybersecurity profile sits today and what plans could be put in place to mitigate your risk. At the very least, you, as a business owner, will understand where you’re at risk and what those risks are so you can begin to assess things like whether you have a budget to address the issues or decide what the risks are or whether that aligns as an acceptable risk for your business.”

While some SMBs might want to fend for themselves rather than seek a cybersecurity consultant, Shu points out that the enormity of the field, tools, and frameworks makes it more challenging for most businesses. 

“Going back to the medical analogy, when someone says, ‘I’m going to go to a doctor, or I’m going to learn cybersecurity,‘ there’s such a vast array within the practice. Cybersecurity isn’t just hardening your firewalls like you see on TV, where people punch code within a little black window. It also includes the right specialists, committed business owners, infrastructure maintenance, detailed assessments, business continuity, disaster recovery, policies, training, and more.” 

“You can do it right by going to the medical specialist and getting the prescription you need, or you can take the ‘take two Tylenol and call me in the morning’ approach and see what happens. It’s really based on your budget and your willingness.”

Riverstrong, a Gerent family company, developed a holistic offering called SecurePort that can cover cybersecurity for small businesses from end to end. It includes three security packages designed to promote the confidentiality, integrity, and availability of information systems and data.

  • SecurePort is a NIST CSF-based cybersecurity risk assessment, penetration test, and vulnerability assessment that offers a snapshot to clients of their current security posture and weaknesses.
  • SecurePort Plus offers baseline protection configurations and a modern suite of security tools to protect all devices on the network 24×7/365. These foundational tools address issues from a technology perspective, including antivirus, EDRs, 24×7 SOC, Zero-Trust Endpoint Protection, IAM, Data Management, MFAs, and more.
  • The final level, SecurePort Total, offers an all-encompassing compliance-based framework. This managed security program strives to meet all the NIST CSF controls. Riverstrong works with clients to develop a thorough policy and provide process consulting to continuously manage security controls and compliance goals.

Shu emphasized the numerous aspects of cybersecurity defense, even for small and medium businesses with multiple access points to be guarded against attack. “It’s like protecting your house. If you lock your front door, what about your back door? What about your windows? There are so many aspects of cybersecurity, and it’s not just looking at one thing.”

For this reason, in addition to consulting with experts and taking a holistic approach to security, Shu also recommends the importance of employee training, alerts, and drills to raise awareness throughout the year. He also stresses the importance of cyber insurance, which he says should be a “standard part of everyone’s business protection, or business continuity, and disaster recovery.”

Prepare Now for an Uncertain Cyber Future

For SMBs, investing in cybersecurity is not an optional luxury but a critical component of their operational integrity and longevity. As cyber threats evolve, so should SMBs’ strategies to protect themselves. The importance of cybersecurity cannot be overstated—it is essential to the survival and success of modern businesses.

But Shu points out that even as devastating as today’s cyber landscape could be for SMBs, the future is even more uncertain because cyber attackers are becoming more evolved as time passes and technologies like AI advance.

“It is a cat-and-mouse game. Now, AI is injected into this situation, and it’s both bad and good. On the bad side, malicious actors use ChatGPT and these other generative tools to create and manipulate their code. The viruses or programs executing will be created and supported by an AI-driven generative code-writing tool, so when a virus fails to execute, it will go back, rewrite its code with AI, and try again, continuously mutating. On the good side, IT uses AI integrated into our foundational tools to fight back.” he said.  

“This is another reason businesses must move away from the antivirus-alone mentality—because antivirus software can only act on known viruses. It’s about capturing the alerts around holistic analysis, data analytics, and AI-driven results, and that’s where the tools are heading today. That cat-and-mouse game becomes increasingly advanced with AI.”

For more information on Riverstrong’s SecurePort offerings or SMB-focused approach to managed cybersecurity, please visit

Jason Skidmore
James, CEO Cavelo

Explore our topics