Taking the right security steps for small and medium-sized businesses (SMBs)

“I don’t have to worry about hackers, I am a small company. Why would they care about me?” I can’t count the number of times I have heard a version of that statement. I have found that many small and medium-sized businesses (SMBs) don’t see themselves as targets. I gather that in the digital hurricane that is today’s internet, they imagine themselves as debris so small that no one will notice. However, as we have seen in survey after survey, cybercrime is on the rise across all industries and company sizes. Coupled with the expansion of new malware types and the growth of automated hacking tools, this has made it cheaper and more accessible for cybercriminals to search for targets of opportunity.

One of the reasons SMBs have more significant exposure to cybercrime is that they often lack an understanding of the risks their company faces. Many are constrained by funding and feel security would significantly impact their ability to be profitable. Also, SMBs sometimes lack skilled security staff, which can lead to confusion about how to implement cybersecurity controls that meet their industry regulations. Keeping all of this in mind, SMBs can reduce the risk exposure of their critical data and business operations without incurring significant costs by following these security steps.

1. Understand the drivers behind cybersecurity investments

To begin, SMBs need to understand why they require cybersecurity and the value these services can bring to their business. Before diving into the risk frameworks, security controls, and best practices that security teams use, SMBs should first understand the drivers behind their cybersecurity requirements. Hopefully, their main driver is the ongoing need to protect their growing business and its critical data, and not a recent cyberattack or a reaction to attacks observed at other companies.
Whether it is in response to past concerns or a new requirement initiated by customers or business partners, SMBs need to understand these drivers. The identified security drivers will dictate how much risk the business is willing to accept and how many cybersecurity services the company is willing to implement.

2. Review your IT portfolio

After the organization understands its need for cybersecurity, there are initial steps it can begin to implement to manage its risk exposure. The first step is to review the current information technology (IT) portfolio. This is an inventory of the existing IT environment, including hardware, software, network infrastructure, staff skill sets, third-party connections, remote workers or contractors, etc. The purpose of this first step is to provide insight into the current technical environment so management understands the technologies in use, the business data that is critical, and the connections to partners and organizations outside the company. By the end of this step, the SMB should understand the current state of its IT environment and have gained some insight into its inherent risks.

3. Conduct a risk assessment

The next step is for the SMB to envision its future state, and to do this correctly I suggest conducting a risk assessment. This assessment will provide a baseline of which current security controls are working properly, which controls are immature and need remediation, and which controls don’t apply to existing business operations. The results of this assessment will provide a more in-depth view of the risks facing the business.
This new risk picture will initiate discussions about business practices that need to be updated, new security technologies to be implemented, and/or security services the SMB can contract with a trusted partner.

Getting a distinct picture of risk will establish the SMB’s “risk appetite.” It creates a methodology for how the business will evaluate future technology-related efforts and address any new risk requirements. Having this process in place allows an SMB to grow and be innovative with new technologies, because it has a procedure to manage risk without impacting its ability to be profitable.

4. Develop a strategic cybersecurity improvement plan

As mentioned previously, in establishing a risk baseline the SMB identified business processes that need updating and security controls that were immature. These issues are a ready-made list from which the business can develop a strategic plan for implementing cybersecurity. The SMB should rank these problems in priority based on their impact on business operations, their value to business stakeholders, any compliance or regulatory requirements, and finally on current funding. The development of a cybersecurity strategic improvement plan can be accomplished in parallel with the organization establishing its first security program and hiring its first security staff. Having this strategic plan will enable the business’s new security team to understand which security initiatives to complete first, the value the projects bring to the company, the risks that are being addressed, and the ongoing security controls that must be managed.

There’s no denying that the number of breaches and attacks on the SMB community is growing. I believe that in addressing their escalating risks, SMBs must be proactive and manage their risk exposure by doing basic cybersecurity hygiene correctly and continuously, and the steps I have provided should help them begin this process.
Furthermore, some recommended resources that can assist SMBs in developing a security strategy are:

“Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises” by ISACA
“CyberSecure My Business” by the National Cyber Security Alliance

Remember, cybersecurity is a lifecycle that doesn’t provide value in a vacuum. For the SMB to be effective, it must approach cybersecurity as a critical business function and not be afraid to ask for assistance from the vibrant security community.