Four ways small businesses get security wrong

When it comes to cybersecurity, the attention of news media tends to focus on the big data breaches and hacks of large companies, like the embarrassing and costly breach of Sony. That might lead many small and mid-sized businesses (SMBs) to think they don’t face the same type of threats. Unfortunately, that’s dead wrong.

Because SMBs tend to have fewer resources for IT security and less focus on it, they are prime targets for cybercriminals. With that in mind, here are four ways SMBs get security wrong – and how to get it right.

1. We have antivirus; that should be enough.

It's true that you need antivirus on your desktops and laptops, but it's no longer enough. You need comprehensive endpoint security that protects against vectors of infection like web exploits and USB drives – and stops threats with multiple layers of defenses. Look for features like a host-based intrusion prevention system (HIPS), web content filtering and device control.

2. Our data is stored safely.

Ransomware can get past your defenses and onto your computer, where it can encrypt all your files with a private key, making them inaccessible to you unless you pay the ransom. Even if you have backups, test them periodically. Many organizations have been confident in their backups until they needed them, only to find they were unable to restore the data they needed after an incident.

3. Our passwords are strong enough.

Even a good password can be cracked. Or your users could be duped into giving away their passwords by social engineering tricks and phishing websites.

To prevent unauthorized logins, you should implement two-factor authentication (2FA) wherever possible.

4. Users access email securely from their mobile devices.

While the connection between a mobile phone or tablet and your email server may be secure, that's no guarantee that the data is safe once it reaches the device. A lost or stolen phone or a malicious app can lead to critical data ending up in the wrong hands. Be sure to use mobility management software to enforce policies like automatic screen locking, strong password requirements, and mandatory encryption.