There is no such thing as a company that can't afford security. But where do you start?

Gustavo Zeidan, Chief Technology Officer, Vijilan Security

December 4, 2015


Many SMBs today have the mindset that they are "not big enough" to be targeted by cyber criminals. Having smaller budgets than their enterprise counterparts, SMBs are also often unwilling to invest in adequate protection. As a result, many SMBs fail both to prevent breaches and to respond effectively when they are breached.

A successful attack can cost hundreds of thousands, even millions of dollars. For an SMB with limited financial resources, the damage can be catastrophic. There’s no such thing as a company that "can’t afford" security. But where do you begin? Here are four steps to get you started.

Step 1: Understand the real threat – it’s not about compliance
Many SMBs make two very common errors. First, they believe that they are not a target. In years past, the Verizon Data Breach Investigations Report has noted that 60% of all successful attacks were aimed at SMBs -- not the Targets and Home Depots of the world. Why? SMBs typically do not have the expertise, resources, or processes required to appropriately monitor and manage the security products in their environment. Interestingly, while Verizon did not look at the percentage of SMBs successfully attacked in its 2015 report, it did find that the cost of a breach is not necessarily lower for small businesses. Larger organizations do have higher losses per breach, but only because they typically lose more records.

The second error is that many SMBs believe that if they are compliant, whether with HIPAA, GLBA, SOX, or another regulation, they are also secure. The reality is that it is possible to be 100 percent compliant yet 100 percent insecure. Compliance does not equal security, or vice versa. Compliance, depending on the regulatory body you are dealing with, addresses only those aspects of security required to protect the data in question. Security is a much more holistic strategy, involving multiple data and access sources and threat vectors. Achieving compliance will not make you secure. Being secure may not make you compliant, and there is no such thing as 100 percent security. Focus must be brought to bear on both independently.

Step 2: Security is a business imperative
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year, and of those, some 60% go out of business within six months of an attack. You need to protect your business, yet a McAfee study showed that almost 90% of SMBs do not adequately protect their data. SMBs often believe that security boils down to technology purchases, when in reality technology products are only part of the equation. Technology tools aid in implementing the security policies that protect the business, but without the right people and the right processes behind the technology, an SMB is not fully protected.

As a business you should: know where your business vulnerabilities are (data, bank account access, and operational dependencies); be able to quantify the impact if any of those vulnerabilities is compromised; determine what risk is acceptable and what risk must be eliminated; and have implemented the technology, people, and processes necessary to eliminate that risk.

At the end of the day, security is a business decision, not a technology decision.

Step 3: Put your investment where the threat is the greatest
An SMB security budget is often an afterthought and, as a result, small. There are numerous vendors that will sell you point products for every attack vector known to man or woman. By understanding your business and its vulnerability points, you can prioritize your investment in technologies and resources that will mitigate that threat.

When investing in your security strategy, it is important to consider the additional expenditures required to make your technology decisions effective. Regardless of the technology tool purchased, you must also have trained resources -- people -- who can configure and manage the tool; alerting capability during non-business hours so you know when a threat has been detected; and senior-level, expert practitioners who know how to respond to and remediate threats before damage can be done.

A tool is only as good as the expertise of the person using it.

Step 4: Choose the right partner
SMBs are focused on growing their business, not building an IT department. Often in a small business the owner is also the IT manager, and in many cases the SMB has a partner that has, in effect, become its outsourced IT department, providing hardware, implementation services, break-fix, and even hands-on management services. Those partners advise SMB owners on what new products to buy, but when it comes to security, you can be left "holding the bag" when an event occurs.

In choosing security partners, consider their level of expertise, resources, and 24x7 infrastructure. They should be knowledgeable about security products, but also have the capability to deliver security services that detect and remediate threats. Putting the right security strategy in place to mitigate threats that can jeopardize your business is not just a good idea – it’s mandatory to sustain and grow your business.

About the Author(s)

Gustavo Zeidan

Chief Technology Officer, Vijilan Security

Gustavo has over 17 years of experience across a range of technologies and industries, with emphasis on security strategy, management, architecture, and security protocols. Gustavo graduated with an MBA from Cranfield School of Management in the United Kingdom and holds formal qualifications including CISSP, CISA, TOGAF 9, and PMP. He helped Visa Europe develop a new IT security function and a global security standard for Mobile Payments, and was responsible for the specification and development of a Governance, Risk & Compliance solution that is currently used worldwide by companies such as Deutsche Bank, Lloyds TSB, Santander, Telefonica, TIM, Xerox, and Shell, amongst others. He has held senior management positions at Atos, Visa Europe, Ernst & Young (EY), and Sage Pay Europe.
