In today’s increasingly connected world, SMBs can no longer hide in digital noise made by bigger players in the market. In fact, SMBs are facing the same cybersecurity threats as those making national headlines.
In particular, ransomware is continuing to wreak havoc, threatening the availability of a business’s data if a ransom isn’t paid to unlock it. Unfortunately, ransomware is often the result of another major threat to SMBs, social engineering, which uses phishing techniques to manipulate a legitimate user to share confidential information or credentials with a criminal.
Many businesses are also failing to put proactive maintenance of their systems, applications and hardware on their priority list, allowing criminals to take advantage of commonly known vulnerabilities to gain unauthorized access to your network.
2. Do I have to have a designated information security expert on staff or a third-party trusted information security and risk advisor?
Whether your business relies on an internal IT employee or a third-party provider for security depends on several factors. Chief among them are the qualifications, skills and knowledge that your in-house IT professional has about cybersecurity and your business’s threat environment.
However, given the range of technology that your business uses each day, the security policies that need to be implemented and updated, and the wide range of existing solutions and services out there made for businesses such as yours, bringing in an external team may be worth the investment in the long run. This can also allow your in-house IT team to focus on more strategic business initiatives.
3. How much should we be spending on information security-related tools and controls?
The answer to this question depends on your industry, regulatory requirements, company size, customer expectations and even your business’s appetite for risk. What is more certain, however, is the fact that it is usually less expensive to prevent a cyberattack than it is to recover from the financial and reputational costs of one.
Just as one data point, Deloitte found that the average company spent about 11% of its IT budget on cybersecurity or about $2,700 per full-time employee per year. The same study found that the biggest elements of those budgets were threat monitoring, endpoint and network security tools, and identity access management solutions, respectively.
4. How much training should we be giving our employees and where should we start?
Even before the dramatic shift toward remote work arrangements and the use of digital services to connect with customers, employees were on the front lines of their business’s cybersecurity.
Although security technology has continued to improve its ability to filter out most threats, it will never fully eliminate all risks from reaching the employees that are often the target of cybercriminals. This is where security awareness and other training can empower your employees and give them the tools to play their part in your cybersecurity strategy.
Begin with providing a foundation of strong security practices, such as the importance of password management, the need to use secure networks, phishing awareness and their role in incident response. Then build out the processes to regularly reinforce their knowledge and emphasize their role in protecting your business’s customers, brand and even their colleagues.
5. How should we respond if we’re breached or experience a cyberattack?
CyberCatch found that 30% of SMBs do not have an incident response plan to call on in the event of an attack.
While there is no universal approach, here are some key elements that should help to get your own incident response plan started:
- Work to identify the extent of the breach or attack and contain the threat from spreading. This may mean shutting down part or all of your connected systems and cutting over to backup systems if they are in place.
- Contact any related service providers and, depending on the event, local and federal law enforcement and relevant regulatory bodies.
- After containing the threat, begin to assess the impact, the initial cause and any consequences for employees or customers. An outside incident response or forensics team may be needed.
- Begin to recover from the attack by prioritizing repairs, updating stakeholders and implementing new controls to prevent further threats.
Bottom Line: A Focus on Continuous Improvement
Between balancing human resources challenges, developing marketing strategies and handling day-to-day budgeting and operations, SMB leaders have plenty on their plates.
Fortunately, there are a lot of resources out there to help SMBs learn more about the best practices and tools they can employ to strengthen their organization’s cybersecurity. Good places to start are with the U.S. Department of Homeland Security tier-based road map, CISA’s SMB Toolkit and list of related resources and the online and in-person events sponsored by the National Cybersecurity Alliance.
Ultimately, it is important to remember that cybersecurity isn’t a one-and-done exercise; it’s a continuous journey that SMB owners and their employees will be taking together.