Small and medium-sized businesses (SMBs) are the victims of over 40% of cyberattacks today, and this number continues to increase. Yet for most SMBs, cybersecurity is unexplored terrain, with under 10% having any focus on it. Why? Because they believe that SMBs are too small to warrant the attention of cyber miscreants. Hackers, on the other hand, are finding it tougher and tougher to attack larger companies due to the cyber fortresses those companies are building. Thus, they are increasingly turning their focus to SMBs.
The most common cyber threats that SMBs face are critical data leaks, inadequate controls on digital interfaces, Trojan horse attacks, duplicate payments, phishing, malware, ransomware, denial of service, and so on. These can result in huge financial losses, business continuity disruptions, data losses, and more. The ultimate result: bankruptcy and business closure.
SMBs must build a solid, yet cost-effective, cybersecurity strategy. This may seem daunting at first, but following 3 key principles will make the journey much easier:
- Start simple
- Define goals
- Build a short-, mid-, and long-term roadmap.
Below is a 5-point framework to consider:
- Protection: Appropriate safeguards to ensure the protection of all systems, networks, and infrastructure. Consider using the COSO framework. Implement a monthly audit of all systems, networks, and infrastructure. User access must be restricted and documented. This allows breaches to be contained and detected more easily.
- Detection: Strong monitoring and detection capabilities to ensure events are identified in real time. Studies indicate that SMB breaches go undetected for weeks at a time, by which point the damage is beyond repair. Implementing the right systems can automatically detect suspicious activity before it spreads.
- Response & Recovery (R&R): An agile response and recovery capability is very important, especially in today's remote-workforce model. Delays in response and recovery could have a hugely detrimental impact on SMBs. A research study showed that 60% of small businesses shut down within six months of a cyber-attack. A clear response plan, with well-defined processes, clear roles and responsibilities, and an adequate communication plan, is critical to R&R.
- Compliance: This area has become very important, especially as more and more processes move fully online. For instance, the EU's General Data Protection Regulation (GDPR) has several compliance requirements for data storage, breaches, and response plans. Staying compliant is not only mandatory but also makes your business stronger and less susceptible to threats. Digitizing all compliance with laws, regulations, and protocols is key.
- Build employee awareness: Unaware employees are highly vulnerable to threats such as phishing and social engineering. Creating a well-informed cybersecurity culture is important. Even simple strategies, such as following good password hygiene or treating regular password changes as a firm habit, will make a big difference.
In addition to the above, please consider our list of 10 points that may help in developing a cybersecurity plan for your SMB:
- Build a baseline of all business-critical assets, information, data, and reports to identify your digital assets.
- Include your extended network of vendors, partners, customers, etc. in the above. All API connections must be encrypted.
- Prioritize external-facing online systems, e.g., eCommerce websites, vendor portals, etc., if applicable. Ensure that you install protective software on them.
- Ensure all digital devices (laptops, phones, and other devices) are in scope, especially given that many of us are working from home today.
- Conduct a detailed audit/assessment to identify potential gaps and understand their levels of severity.
- Build a plan to address the gaps; use planning services and tools, such as threat modeling, to help you plan better.
- Do not be constrained by lack of in-house expertise – work with partners who are experts in this space and can provide a complete range of security solutions.
- Managed services are a great way for SMBs to resolve the skill gap issue. They are cost-effective with better, tried-and-tested solutions.
- Continuous monitoring and regular testing of the cybersecurity setup are important, very much like testing your home security system.
- Execution of the plan is key. But remember, this is not a one-time deal – the cybersecurity strategy and plan need continual evolution and should be a key agenda item in the business planning process.
If the above still feels intimidating, as a starting point, below are some simple things SMBs can do right away to improve their cybersecurity defense:
- Password management: Refresh passwords every 30 days, prevent the sharing of passwords in emails and texts, and introduce 2-factor authentication.
- Lock your servers. Lock screens of desktops and laptops when away from them.
- Separate your networks. Guest WiFi Network ≠ Company WiFi ≠ Database Server Network.
- Use only authorized app stores.
- Encrypt all emails with sensitive data.
For many of us, our first exposure to anything cyber was the early Terminator movies. Cyberdyne and Skynet became the topics of umpteen discussions. Most of these movies followed a similar plot – the future is ugly and can't be fixed, so people are sent back in time to address it in the present (or their past), thus changing the future and making it better. And Schwarzenegger saves the day. Given that time travel isn't possible, at least not yet, none of us will have the ability to go back in time and fix things. The good news is that there are things today that can help SMBs prevent an ugly future, especially when it comes to cyber safety.
Cybersecurity is not as expensive as it once was, nor is it as intimidating as it was. It is easy to get started. Get an audit done, understand where you stand, and learn what options you have to begin with. SMBs should make this a priority before it is too late.