Small and midsize businesses (SMBs) are not immune to cyberattacks, yet they struggle with an evolving threat landscape and knowing how to best manage risk.
During the “Cybersecurity for SMBs Roundtable: Navigating Complexity and Building Resilience” earlier this month, Sage brought together a group of CISOs and other cybersecurity professionals from small businesses, government agencies, and nonprofit organizations to discuss some of the biggest concerns facing SMBs and their ability to secure their company assets. Among the top challenges for SMBs and nonprofit organizations are:
Nearly half of SMBs have experienced a cybersecurity incident in the past year, according to a new study from Sage. While 69% of respondents worldwide say that cybersecurity is part of their company culture, nearly the same number don’t consider it until there’s an incident — only 4 in 10 respondents say their company regularly discusses cybersecurity.
Cybersecurity Doesn’t Have to Be Expensive
After an attack, it’s too late to start discussions about how to protect the network and company, but many SMBs don’t have the right systems in place. According to Sage’s research, for example, 46% of SMBs don’t use firewalls and 19% rely only on very basic tools.
Yes, cybersecurity can be expensive. Enterprise companies can have upward of 100 security tools in use. It doesn’t have to be that complicated for SMBs, however, and some approaches can even be free or inexpensive.
Start by creating an insider risk program that oversees security policies across the company with an emphasis on employee behavior, recommended Shawnee Delaney, CEO at Vaillance Group, during the roundtable.
“It requires you to have the conversations, sometimes an uncomfortable conversation, because no one wants to think their own employees might do something malicious,” Delaney said. “But the truth is, the vast majority [of cyber incidents] are unintentional.”
Managing human employment life cycles is vital to an effective cybersecurity system. It begins during the interview and hiring process by making sure you have someone who is a good cultural fit and is willing to recognize how cybersecurity fits into the organizational structure, Delaney added. Once you have made a hire, follow onboarding processes that stress basic security hygiene, including least-privilege and as-needed access. And when the employee leaves, make sure offboarding processes disconnect access completely.
Individualize Security Training
Because of the human connection to cybersecurity, everyone in a smaller company, from the CEO on down, has to have a basic understanding of what threats look like. There are plenty of security awareness training options out there, but SMBs would be wise to avoid a one-size-fits-all option.
Training should be geared toward the individual workers based on criteria such as job function and generational gaps in tech savviness and interests. Older workers often have a different style of learning than younger employees, just as employees who work in more labor-intensive jobs may have a different relationship to technology than those who are attached to their devices all day. Not respecting those differences results in uneven training that could end up doing more harm than good.
Make Cybersecurity a Business Issue
There’s a tendency, especially among SMBs, to think of cybersecurity as an IT problem for which all the knowledge lies in the tech space, according to Gustavo Zeidan, Sage’s CISO.
A better approach is to think of cybersecurity as a business issue. Security culture is better driven from the top, Zeidan said during the roundtable, and management needs to be discussing cyber threats and how their businesses may be targeted.
“Business leaders acknowledge it’s a problem, but they don’t talk about it,” Zeidan explained. The worst thing that can happen is to be unprepared for a security incident that disrupts business operations.
And when there is a cyber incident within the company, don’t keep it hidden. The Federal Trade Commission (FTC) offers guidelines on who should be contacted, including law enforcement, customers, and vendors.
But don’t stop there. Communicate with other businesses and discuss strategies to work through the incident. Share this information through industry-focused organizations or at local Chamber of Commerce meetings — wherever you have contact with other business leaders.
“If you have a breach, be open, be honest, and share your lessons learned with other businesses so practitioners can learn from that,” said Delaney. “It doesn’t matter if we’re competitors. It’s all national security when you boil it down.”
Know Where to Go for Help
Every company, no matter its size, needs more cybersecurity expertise than it has. Regardless of how the SMB invests in security, the responsibility for cybersecurity needs to be spread across the company.
Resources are available to help guide SMBs in their security journey. The Cybersecurity and Infrastructure Security Agency (CISA), for example, offers an SMB cybersecurity guide that speaks specifically to the different security-related roles individuals play in a small business environment.
Partnerships with businesses of all types and sizes is core to CISA’s mission, said roundtable panelist Lauren Boas Hayes, senior adviser for technology and innovation at CISA.
“The landscape is changing; there are new threats every day,” Delaney added.
Practitioners and businesses might feel like they’re playing whack-a-mole with their efforts to thwart these new threats, but the good news for SMBs is that mitigation techniques are out there. It’s just a matter of finding the program that works best for the individual company.