Cyber Protection for SMBs
Cyber
Protection for SMBs
Small
Business - Apps - Business Owners - IT/Tech
Solutions - Tech Trends - All - Cyber
Security -
CYBERSECURITY MYTH #1
SMBs aren’t at risk from cyber
attacks.
CYBERSECURITY MYTH #2
Your employees are the weakest
link.
CYBERSECURITY MYTH #3
The more you spend, the safer
you will be.
CYBERSECURITY MYTH #4
Zero Trust is the silver
bullet.
The
message? Cybersecurity is something companies of all sizes, large or small,
need to pay attention to.
Admittedly/typically, yes, it is/has been larger, enterprise-scale organizations
that make the news when it comes to cyber attacks and their effects, but that
said, “SMBs are dynamic—the backbone of innovation and the poster child of hard
work. They run even faster and work even harder than enterprise peers. And they
are exposed to the same cyber threats,” (Cisco SMB
Cybersecurity Report).
It’s not about fear mongering, or doomsaying. It’s about understanding the threat, and how you can protect, defend, and, if necessary, recover from it. Which is why cybersecurity awareness and education are so important.
It’s not about fear mongering, or doomsaying. It’s about understanding the threat, and how you can protect, defend, and, if necessary, recover from it. Which is why cybersecurity awareness and education are so important.
Enter National
Cybersecurity Awareness Month
“Held
every October, National Cybersecurity Awareness Month (NCSAM) is a
collaborative effort between government and industry to raise awareness about
the importance of cybersecurity and to ensure that all Americans have the
resources they need to be safer and more secure online,” (National
Cybersecurity Awareness Month, Department of Homeland Security).
More specifically, this year SMBs should be able to benefit even more from NCSAM, as it concentrates on their needs with programs like CyberSecure My BusinessTM and specific SMB resources.
More specifically, this year SMBs should be able to benefit even more from NCSAM, as it concentrates on their needs with programs like CyberSecure My BusinessTM and specific SMB resources.
Check in: What is
Cybersecurity?
Out
of the gate, it’s easy to start throwing around terms and phrases like
cybersecurity, data protection, and zero trust, but we can’t assume that
everyone is on the same page when it comes to protecting your organization.
That’s the whole point of NCSAM: Awareness needs to be raised, and people/organizations need to be educated to ensure they are aware of the risks and measures available to protect against them.
So, what, exactly, is cybersecurity for those who aren’t as familiar as they’d like to be?
Cybersecurity is the state or process of protecting and recovering networks, devices, and programs from any type of cyberattack.
Cyberattacks are an evolving danger to organizations, employees, and consumers. They may be designed to access or destroy sensitive data or extort money. They can, in effect, destroy businesses and damage people’s financial and personal lives.
What’s the best defense? A strong cybersecurity system has multiple layers of protection spread across computers, networks, and programs. But a strong cybersecurity system relies not only on cyber defense technology, but also on people making smart cyberdefense choices.
(Source: “What is Cybersecurity?” via Norton by Symantec)
We could go much (MUCH) deeper into this definition, and we’ll address more specific terminology throughout the article, but for now we will leave it at that. If you want to dig further, please check out the Norton by Symantec blog post referenced above.
That’s the whole point of NCSAM: Awareness needs to be raised, and people/organizations need to be educated to ensure they are aware of the risks and measures available to protect against them.
So, what, exactly, is cybersecurity for those who aren’t as familiar as they’d like to be?
Cybersecurity is the state or process of protecting and recovering networks, devices, and programs from any type of cyberattack.
Cyberattacks are an evolving danger to organizations, employees, and consumers. They may be designed to access or destroy sensitive data or extort money. They can, in effect, destroy businesses and damage people’s financial and personal lives.
What’s the best defense? A strong cybersecurity system has multiple layers of protection spread across computers, networks, and programs. But a strong cybersecurity system relies not only on cyber defense technology, but also on people making smart cyberdefense choices.
(Source: “What is Cybersecurity?” via Norton by Symantec)
We could go much (MUCH) deeper into this definition, and we’ll address more specific terminology throughout the article, but for now we will leave it at that. If you want to dig further, please check out the Norton by Symantec blog post referenced above.
CYBERSECURITY MYTH #1
SMBs aren’t at
risk from cyber attacks.
Well,
we know that’s not true based on our opening statistic: “53 percent of
midmarket companies have experienced a cybersecurity breach.”
That said, perhaps there’s a feeling (or hope?) amidst the middle market that they aren’t as likely to be targeted by malware attacks.
The truth? SMBs need to own this. Many malware attacks are automated. They don’t discriminate based on size or market cap.
Another truth: The risk and related stakes are all relative. An enterprise-level organization may have more resources and budget to address cyber threats, and they hopefully have the infrastructure and capital to recover from them, should they become a reality.
SMBs? In a recent survey, “almost half of SMBs (48%) said that a major data breach would likely shut down their business permanently. The percentage increased significantly with 71% of financial services and insurance SMBs reporting that a major breach would be fatal to their business.” (Source: “Cybercrime & Hackers 'More Devastating' To SMB's Than Fire, Flood & Transit Strike Combined,” Forbes,).
But Why Are SMBs At Risk?
We
now have a fundamental understanding of what cybersecurity is, but this year’s
NCSAM is concentrating on small-to-middle-market organizations. Those
businesses that may understand how important cybersecurity is at a high level,
but applying that understanding to our own business, and knowing how important
it is specifically for SMBs, is clearly disconnected.
“Sixty-six percent of senior decision-makers at SMBs do not believe they are likely to be targeted by cyber attacks, and 60% report that they do not have a cyber attack prevention plan, according to a recent study.
So let’s be clear: studies state, and statistics suggest cyberthreats/attacks don’t discriminate based on size, business type, or how long you’ve been in business. SMBs are clearly at risk, just like any other organization.
What is it about SMBs that make them a target at all?
“SMBs often serve as a launch pad or conduit for bigger campaigns. Adversaries view small/mid-market businesses as soft targets that have less sophisticated security infrastructure and practices and an inadequate number of trained personnel to manage and respond to threats.” (Source: Cyberthreats and Solutions for Small and Midsize Businesses, Vistage Research Center, 2018. Developed in collaboration with Cisco and The National Center for the Middle Market).
The rise of automation and automated practices, AI and machine learning have been highlighted as innovations that have both put organizations (SMBs or otherwise) at risk of falling prey to cyberattacks, as well as potentially protecting against them.
On one hand, smaller companies often can’t staff an IT department or hire a cybersecurity firm, so they rely on cloud-based online security and protection services and apps. The automated nature of these tools ensures your security software is always up-to-date, and AI, along with machine learning are integral to proactively identifying anomalies in user behavior and detecting threats.
On the other hand, the people developing the malware are pretty proficient in their ability to incorporate the same tools, technology, and tactics into their own practices, so organizations have to be careful they aren’t just patching the problem(s) and forgetting about it/them. Working with a proven and trusted provider is paramount when it comes to protecting your data.
“Sixty-six percent of senior decision-makers at SMBs do not believe they are likely to be targeted by cyber attacks, and 60% report that they do not have a cyber attack prevention plan, according to a recent study.
So let’s be clear: studies state, and statistics suggest cyberthreats/attacks don’t discriminate based on size, business type, or how long you’ve been in business. SMBs are clearly at risk, just like any other organization.
What is it about SMBs that make them a target at all?
“SMBs often serve as a launch pad or conduit for bigger campaigns. Adversaries view small/mid-market businesses as soft targets that have less sophisticated security infrastructure and practices and an inadequate number of trained personnel to manage and respond to threats.” (Source: Cyberthreats and Solutions for Small and Midsize Businesses, Vistage Research Center, 2018. Developed in collaboration with Cisco and The National Center for the Middle Market).
The rise of automation and automated practices, AI and machine learning have been highlighted as innovations that have both put organizations (SMBs or otherwise) at risk of falling prey to cyberattacks, as well as potentially protecting against them.
On one hand, smaller companies often can’t staff an IT department or hire a cybersecurity firm, so they rely on cloud-based online security and protection services and apps. The automated nature of these tools ensures your security software is always up-to-date, and AI, along with machine learning are integral to proactively identifying anomalies in user behavior and detecting threats.
On the other hand, the people developing the malware are pretty proficient in their ability to incorporate the same tools, technology, and tactics into their own practices, so organizations have to be careful they aren’t just patching the problem(s) and forgetting about it/them. Working with a proven and trusted provider is paramount when it comes to protecting your data.
Cybersecurity for
SMBs: What is at Risk?
One
of the most difficult components in building a cybersecurity plan and process
is determining what it is you need to protect.
While not all data needs to be “secure” or protected, it is difficult to pick and choose.
Some organizations recommend a tiered approach to data protection:
Not all data are created with equal value. The customer data associated with a bank’s credit-card program or a retailer’s loyalty-card program are of greater value than the generic invoice numbers and policy documents that companies generate in-house. Companies don’t have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies …
In our experience, a strong cybersecurity strategy provides differentiated protection of the company’s most important assets, utilizing a tiered collection of security measures. Business and cybersecurity leaders must work together to identify and protect the “crown jewels”—those corporate assets that generate the most value for a company.
They can inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. By introducing more transparency into the process, the business value at risk and potential trade-offs to be made on cost would then be more obvious to all parties.
(Source: "Understanding the true costs and impact of cybersecurity programs,” McKinsey).
While not all data needs to be “secure” or protected, it is difficult to pick and choose.
Some organizations recommend a tiered approach to data protection:
Not all data are created with equal value. The customer data associated with a bank’s credit-card program or a retailer’s loyalty-card program are of greater value than the generic invoice numbers and policy documents that companies generate in-house. Companies don’t have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies …
In our experience, a strong cybersecurity strategy provides differentiated protection of the company’s most important assets, utilizing a tiered collection of security measures. Business and cybersecurity leaders must work together to identify and protect the “crown jewels”—those corporate assets that generate the most value for a company.
They can inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. By introducing more transparency into the process, the business value at risk and potential trade-offs to be made on cost would then be more obvious to all parties.
(Source: "Understanding the true costs and impact of cybersecurity programs,” McKinsey).
CYBERSECURITY MYTH #2
Your employees are the weakest link.
Unfortunately, this one can cut both ways. In many instances, human error on
the part of an organization’s employees is often one of the most likely ways a cyber
attack breaches security protocols, if any exist.
But it doesn’t have to be:
Most organizations acknowledge the issue of end-user vulnerability and make some effort to educate employees in the basics of prudent data handling and online behavior. But too often, IT managers do little more than issue a handout with a few guidelines and call it a day. Doing so enables them to check the box that they’ve done something, knowing that the effort will ultimately fail at some point. And can you blame them? They would prefer to spend time and resources on IoT defense or implementing a sophisticated zero-trust cyber security strategy. Employee training lacks sizzle.
Your organization’s employees could be the first line of defense, not the weakest link.
There are three basic requirements for a strong security awareness program:
But it doesn’t have to be:
Most organizations acknowledge the issue of end-user vulnerability and make some effort to educate employees in the basics of prudent data handling and online behavior. But too often, IT managers do little more than issue a handout with a few guidelines and call it a day. Doing so enables them to check the box that they’ve done something, knowing that the effort will ultimately fail at some point. And can you blame them? They would prefer to spend time and resources on IoT defense or implementing a sophisticated zero-trust cyber security strategy. Employee training lacks sizzle.
Your organization’s employees could be the first line of defense, not the weakest link.
There are three basic requirements for a strong security awareness program:
- Engaging.
There is no substitute for effective communication. Sending out a printout
or an email is not enough. Videos play a vital role, but videos must be
high-quality to attract and hold employees’ attention. They must be
topical, concise, and memorable.
- Measurable.
Are people viewing the videos? Are they retaining the information? A brief
before- and-after viewer quiz can answer those questions. Quiz results let
you know who is keeping up to date and who is not – and let the employees
themselves know how they are doing.
- Evolving.
Because new threats are emerging all the time, security awareness
information must be refreshed regularly in order to remain relevant. Just
as cyber security defense strategies must continually adapt, security
awareness training is never finished.
(Source: "Users: How to Turn Your Greatest Weakness into Your First Line of Defense,” Symantec Blog).
Cybersecurity for
SMBs: How Much is Enough?
At
this stage, let’s assume you’re buying in. You understand how important
cybersecurity is for your SMB, and you’re committed to implementing a plan, and
investing in the tools and tactics necessary to safeguard your organization
against digital attacks.
How much do you buy in for? What budget do you set?
The unpredictability of attacks, and the evolving nature of how and what could be targeted, makes it difficult to advise and/or adjust what to spend on security.
How much do you buy in for? What budget do you set?
The unpredictability of attacks, and the evolving nature of how and what could be targeted, makes it difficult to advise and/or adjust what to spend on security.
CYBERSECURITY MYTH #3
The more you spend, the safer you will be.
Big
budgets don’t prevent cyber attacks. It’s not about how much, it’s about where
you invest, and how.
“A lot of [cybersecurity technology] gets acquired and is not leveraged,” explains Tom Parker, Managing Director of Accenture Security. “A lot of the time it’s about having organizations understanding the value of what they have already invested in…It’s easy for us in this industry to say ‘sure you need more budget and give us more money,’ but the reality is the conversation you want to have is not about how much money you have to spend, but how to spend smart money on the problem.” (Source: "Where Should You Invest Your Cybersecurity Budget?” National Cyber Security Alliance).
The goal, according to the National Cybersecurity Alliance (NCSA), is understanding your organization and knowing your infrastructure.
Plus, all businesses, big or small, need to know that cybersecurity isn’t a one-time investment or fix. Above all, work with a specialist and trusted providers:
“Securing your business isn’t something you can ever really close the book on. You’re going to need to adapt how and where you spend your money based on how your business grows and the threat landscape evolves. Otherwise, it doesn’t matter where you spend the money – you’ll eventually be spending it in all the wrong places,” (Source: NCSA).
We know that the “it depends” answer isn’t very satisfying, but in this case it happens to be true. The key is to try and focus your investment on trusted providers and their services, whether that be in the form of consultation and oversight, or software.
“A lot of [cybersecurity technology] gets acquired and is not leveraged,” explains Tom Parker, Managing Director of Accenture Security. “A lot of the time it’s about having organizations understanding the value of what they have already invested in…It’s easy for us in this industry to say ‘sure you need more budget and give us more money,’ but the reality is the conversation you want to have is not about how much money you have to spend, but how to spend smart money on the problem.” (Source: "Where Should You Invest Your Cybersecurity Budget?” National Cyber Security Alliance).
The goal, according to the National Cybersecurity Alliance (NCSA), is understanding your organization and knowing your infrastructure.
Plus, all businesses, big or small, need to know that cybersecurity isn’t a one-time investment or fix. Above all, work with a specialist and trusted providers:
“Securing your business isn’t something you can ever really close the book on. You’re going to need to adapt how and where you spend your money based on how your business grows and the threat landscape evolves. Otherwise, it doesn’t matter where you spend the money – you’ll eventually be spending it in all the wrong places,” (Source: NCSA).
We know that the “it depends” answer isn’t very satisfying, but in this case it happens to be true. The key is to try and focus your investment on trusted providers and their services, whether that be in the form of consultation and oversight, or software.
Cybersecurity for SMBs: Speaking of Trust
What
do we mean by “trust” when it comes to cybersecurity and protective measures?
With numerous cybersecurity horror stories hitting the headlines in recent history, it’s not surprising that “trust”—at least when it comes to data collection, data security, spam/malware attacks—is at an all time low.
But that’s at a high level. What is it, exactly, that we’re not trusting? The link in that email? The email itself? Whether you and your organization are GDPR compliant? SSL certificates? Ransomware/malware?
In short, the answer is “yes.” Yes to it all. Zero trust.
With numerous cybersecurity horror stories hitting the headlines in recent history, it’s not surprising that “trust”—at least when it comes to data collection, data security, spam/malware attacks—is at an all time low.
But that’s at a high level. What is it, exactly, that we’re not trusting? The link in that email? The email itself? Whether you and your organization are GDPR compliant? SSL certificates? Ransomware/malware?
In short, the answer is “yes.” Yes to it all. Zero trust.
Zero Trust
Security
What
is Zero Trust? It is one of the most effective cybersecurity models simply
because it is built on the principle that organizations, regardless of their
size, shouldn’t trust anything inside or outside its “controlled” operations.
Instead, the Zero Trust model focuses on verifying anything and everything that
tries to “get in” before granting access.
According to Microsoft’s Group Program Manager, Identity Security & Protection, Alex Weinert:
The easiest way to think about Zero Trust is to assume everything is on the open internet, even resources we think are safe in our ‘walled gardens.’ With Zero Trust, we move from the world of implicit assumptions made based on single elements to explicit verification of all elements of access…
With the many networks, devices, and applications needed in daily business, the only common denominator is the user. This is why we’ve said, ‘Identity is the control plane.’
It’s critical to establish who the user is as the core of trust for other transactions. If we aren’t sure who the user is, no other system access control or security matters. Once we are sure of the user, we can explicitly verify every element of access whether our resources are on-premises, in cloud-hosted servers, or managed by third-party SaaS apps like Office 365.
(Source: Zero Trust part 1: Identity and access management,” Microsoft).
Again, this methodology and our discussion isn’t designed to foster or propagate “fear.” Zero Trust is about the integrity of your systems, and the security of your data.
It’s easy to slide either way on the spectrum: Don’t focus or worry about it too much, and your data could be at risk. Over-concern and obsess, and you could be wasting time and resources and cybersecurity measures that may not be necessary.
According to Microsoft’s Group Program Manager, Identity Security & Protection, Alex Weinert:
The easiest way to think about Zero Trust is to assume everything is on the open internet, even resources we think are safe in our ‘walled gardens.’ With Zero Trust, we move from the world of implicit assumptions made based on single elements to explicit verification of all elements of access…
With the many networks, devices, and applications needed in daily business, the only common denominator is the user. This is why we’ve said, ‘Identity is the control plane.’
It’s critical to establish who the user is as the core of trust for other transactions. If we aren’t sure who the user is, no other system access control or security matters. Once we are sure of the user, we can explicitly verify every element of access whether our resources are on-premises, in cloud-hosted servers, or managed by third-party SaaS apps like Office 365.
(Source: Zero Trust part 1: Identity and access management,” Microsoft).
Again, this methodology and our discussion isn’t designed to foster or propagate “fear.” Zero Trust is about the integrity of your systems, and the security of your data.
It’s easy to slide either way on the spectrum: Don’t focus or worry about it too much, and your data could be at risk. Over-concern and obsess, and you could be wasting time and resources and cybersecurity measures that may not be necessary.
CYBERSECURITY MYTH #4
Zero Trust is the
silver bullet.
The
reality? There is no silver bullet. The Zero Trust goal should be:
“Continuous improvement. Measures must be put in place and then enforced so
they become part of daily routine for IT and for employees … The goal is to
achieve steady risk reduction over time by mitigating negligence and reducing
mistakes without impairing productivity.”
(Source: “The Two Keys to Zero Trust: Data Loss Prevention and Machine Learning,” Symantec).
(Source: “The Two Keys to Zero Trust: Data Loss Prevention and Machine Learning,” Symantec).
Cybersecurity for
SMBs: What Next?
It’s
hopefully becoming clear that a discussion on cybersecurity is an ongoing
affair. To summarize, we’ve outlined what cybersecurity is, and that it is just
as important for SMBs to implement a cybersecurity plan as it is for any other
organization.
We’ve broached the issue of budget, and the fact that this isn’t a one-and-done exercise.
We’ve touched upon some cybersecurity myths and, ultimately, we’ve identified the fact that Zero Trust is the underlying methodology for most protocols, tools, and tactics. Strong backups, anti-virus software, and endpoint protection are important, but multi-factor authentication and ensuring the identity of your users is paramount.
And yet, it seems like we have barely scratched the surface. The reality? Like any complex issue, it’s all too easy to fall down a rabbit hole of information/misinformation when it comes to cybersecurity.
Even education, while important, can get in the way of action. It is, of course, entirely possible that National Cybersecurity Awareness Month and articles like this one engender as many questions as they answer.
We’ve broached the issue of budget, and the fact that this isn’t a one-and-done exercise.
We’ve touched upon some cybersecurity myths and, ultimately, we’ve identified the fact that Zero Trust is the underlying methodology for most protocols, tools, and tactics. Strong backups, anti-virus software, and endpoint protection are important, but multi-factor authentication and ensuring the identity of your users is paramount.
And yet, it seems like we have barely scratched the surface. The reality? Like any complex issue, it’s all too easy to fall down a rabbit hole of information/misinformation when it comes to cybersecurity.
Even education, while important, can get in the way of action. It is, of course, entirely possible that National Cybersecurity Awareness Month and articles like this one engender as many questions as they answer.
Cybersecurity for
SMBs: Getting Started
With
that in mind, before you embark on your cybersecurity efforts, we thought we
should share some resources to provide you with some actionable starting
points.
- First, visit the National
Cybersecurity Awareness Month site and take a look at all they
have to offer.
- Download the NCSAM
2019 Toolkit.
- Check out StaySafeOnline.org.
It is part of the NCSA and is filled with numerous resources.
- More specifically, review their CyberSecure My
BusinessTM program.
- It’s a series of in-person, highly interactive and
easy-to-understand workshops based on the National Institute of Standards
and Technology (NIST) Cybersecurity Framework to educate the SMB community
about:
- Identifying and understanding which business assets (“digital
crown jewels”) others want
- Learning how to protect those assets
- Detecting when something has gone wrong
- Responding quickly to minimize impact and implement an action
plan
- Learning what resources are needed to recover after a breach
- Additional components include: monthly webinars with industry,
government and nonprofit cybersecurity experts, online portal of resources
to help the SMB community and monthly newsletters summarizing the latest
cybersecurity news.
- StaySafeOnline also has a specific SMB-specific
Resource Library.
- Once you feel you are in a position to take some action, review trusted services and providers like Norton Security Online, Office 365, or the G Suite Business Bundle to get started.
If you would like to share your
cybersecurity experiences and add your voice to this discussion, please comment
below and/or follow the discussion on LinkedIn.
If you have additional questions or you would like to inquire about our products and services, connect with us on LinkedIn or email us.
If you have additional questions or you would like to inquire about our products and services, connect with us on LinkedIn or email us.
Comments
Post a Comment