While big businesses dominate market share and brand awareness, small businesses actually comprise more than 99% of the U.S. market. Small- and medium-sized businesses (SMBs) are a vital part of the U.S. economy, but the choices they often have to make may lead to compromise. In the case of cybersecurity, “compromise” is a double entendre. A company generating $10 million USD in annual revenue is less likely to have a full cadre of IT and cybersecurity staff than a $100 million USD organization. And a $100 million USD company is likely to have fewer IT and security staff than a $1B USD company. Nonetheless, a $10M company is just as likely to be a cyber attack victim as a company with 10X (or more) resources. Unfair? Perhaps. Reality? Definitely.
Though cyber threats don’t discriminate, SMBs typically cannot prioritize cybersecurity programs over the need for product development, business insurance, office equipment, payroll services, and the like. This doesn’t mean, though, that cybersecurity can be ignored. One bad breach or major disruption could seriously cripple or even kill a small business’s chance at survival. Owners and operators of small- and medium-sized companies may not be aware of the consequences of handling a security incident, says Mike Treacy, CEO of Salt Cybersecurity, but the necessity of addressing cybersecurity—even on a limited budget—isn’t far from their minds.
“A lot of SMBs don’t think they’re big enough to need to worry about cybersecurity,” says Treacy, “but if you ask them if they’re personally concerned about getting hacked, the answer is always ‘yes.’” The irony is that most U.S. citizens have had their personal information or credit card(s) breached at some point, and we’ve all read the promises from the Prince of Nigeria. So while protecting personal accounts is top-of-mind, securing corporate customer data, computer resources, and intellectual property often gets the shaft in favor of more pressing issues—like pushing out products and generating revenue. This is understandable, of course, but Treacy says it’s important that SMBs recognize it can be really difficult—operationally and financially—to recover from a cybersecurity incident. “The good news,” he says, “is that it doesn’t have to be expensive for an SMB to institute a security program.”
{tweetme}It can be overwhelming and be intimidating for a small business owner to approach the topic of cybersecurity if it isn’t their area of expertise. #InfoSecInsider #infosec{/tweetme}
Where do I start?
It can be overwhelming and be intimidating for a small business owner to approach the topic of cybersecurity if it isn’t their area of expertise. For one thing, cybersecurity can be a hugely technical topic, plus many practitioners like to perpetuate the myth that it’s “all or nothing.” Patch everything! Encrypt all your data! Make each employee use multi-factor authentication on every device! This gruff attitude from the experts can lead to analysis paralysis on the part of the business owner, but Treacy ensures clients that security doesn’t have to be quite so daunting. The first thing SMBs should realize, he says, is that there are security consultants and advisors who can help them get started—they don’t have to go out and hire a CISO or even full-time security employees. “It’s a lot more cost-effective,” he says, “to bring in a third-party expert because, as an SMB, you probably don’t need full-time coverage.”
To begin, he says, “find a partner that understands your business and is focused on helping SMBs.” Doing so will prevent overselling and overstepping. Though it might be tempting for a smaller company to enlist the most well-known provider, says Treacy, if the provider’s portfolio is chock full of mostly large clients with big budgets, your small business could be deprioritized when the bigger client comes calling or if your projects aren’t technically “challenging” enough to hold their interest. Fortunately, there are plenty of providers who specialize in SMB cybersecurity—all you have to do is ask! NASCAR-esque client slides are impressive at first glance, but if you’re an SMB, you want that prized client list to consist of others like you.
Is my IT provider sufficient?
It’s not uncommon for an SMB to retain an IT firm to handle networking and help desk issues. Everyone recognizes the prudence in having an IT expert on hand, even if that person is not a full-time, on-site employee. When it comes to cybersecurity, many SMBs assume that their IT expert can pinch hit on cybersecurity subjects—it’s all systems and computer related, after all. However, IT and security are two fields, and while there is crossover between disciplines, SMBs must realize that each area has specialists. Just because an IT consultant can handle certain security issues, they may not be the experts. In the same way that your primary healthcare provider may be able to diagnose appendicitis, a patient requires a surgeon for the actual appendectomy.
Treacy says SMBs can’t be afraid to query their IT provider (if they have one) about security specialization: Can the firm help with writing a security policy, conducting a network vulnerability test, or delivering security awareness training? If not, and the provider’s entire staff are IT generalists, it’s probably time to layer on these services. If, however, the provider can supply confidence that they employ a security professional, ensure that your contract includes access to that person for security-specific services.
How do I know what I need?
Auspiciously enough, says Treacy, is that “the goal of the cybersecurity program is the same if you’re a $1 million company or a $1 billion company: to best protect your own data and systems and your clients’ data and system.” In this way, an SMB’s cybersecurity program can scale alongside the business. But only if you start at the ground floor, he warns: “It’s much easier to build out a small security program that grows with the business than it is to retrofit a security program to a large, complex business.” To this point, SMBs may have an advantage over their larger counterparts—again, if they start at the beginning. Treacy’s advice to SMBs: start small. After you’ve interviewed and found a trusted security partner who understands and can prioritize your business, it’s time to map out a plan.
The first step, says Treacy, is a security assessment. Have your provider identify assets (including third-party partnerships and integrations), evaluate existing security practices (e.g., password policies), and discuss specific risks to your business.
{tweetme}Attention to cybersecurity has become a standard element of running a business, whether that business is 10 people strong or tens of thousands of employees scattered across the globe. #InfoSecInsider #infosec{/tweetme}
Next, create a security policy with your advisor that focuses on the security fundamentals (of which asset identification is one). The policy must be specific and unique to your SMB, says Treacy: “You can’t just Google a templated policy, implement it, and expect it to work well.” The key here, again, is understanding the needs and scope of the business; a mature security consultant should be able to help without overselling requirements. As part of this step, Treacy recommends security testing. Before a company can execute and practice a security program, it needs to truly understand its risks and vulnerabilities. Without testing the network, computers, applications, and people, no business can accomplish that. Penetration testing is a foundational element, but make sure the engagement includes remediation of any found vulnerabilities; simply knowing you have a weakness won’t help you defend against cyber criminals.
The third piece, says Treacy, is training employees. Especially in a small company where resources are scarce, the tendency is to think: This won’t happen to us; we have so many other priorities. But all it takes is one accidentally clicked malicious link to lock up the entirety of customer files, financial records, or other critical business data for the company to be wishing it had run even one lunch-and-learn session hosted by the security provider. Security training doesn’t have to be a big program—it just needs to be enough to cover end-user security basics. Let your employees know they can help the company by remaining vigilant about computer and data use, and they can leverage what they learn in their personal lives as well.
The long and short of it
Attention to cybersecurity has become a standard element of running a business, whether that business is 10 people strong or tens of thousands of employees scattered across the globe. While the needs of a security program can scale with the business, the need for a program exists regardless of size; every business has systems and data it must protect and keep private. If you’re an SMB and stressing about “one more thing” that takes time away from building that awesome widget you know will change people’s lives, don’t fret. There are specialists who can help—look for the one who understands that security is a foundational element to your business (but not necessarily the focus of your business) and you’ll be one step ahead of your competition.
To learn how you can make a difference with a small security team, attend InfoSec World 2018, March 19-21, 2018. Check out the online agenda here.
