
Cybersecurity is a critical and growing concern for businesses of all sizes and industries, but especially for small to midsize businesses (SMBs), which often lack the resources and expertise to deal with cyber threats. Ransomware has changed both the game and the targets of cyber criminals. The days of assuming “this won’t happen to us” are long gone, with hundreds of public examples to support a mindset shift.

SMBs, along with non-profits, schools, and municipal government agencies, are often not a focus for many expert consulting agencies and cyber technology/tool providers because the profit margin is much thinner or non-existent in comparison with larger enterprise market opportunities. IT managed-service companies have attempted to capitalize on tool/hardware/product sales to SMBs, but they often leave business owners assuming technology alone can solve the problem, and they offer very little expertise because it is outside of their primary focus.

This article will address some of the challenges and provide some recommendations on how SMBs can improve their cybersecurity posture and resilience. 


Key Challenges 

SMBs face unique challenges in terms of cybersecurity, such as low awareness, inadequate technical protection, few or no defined processes and supporting policies, budget constraints, talent shortage, and compliance issues.

Low awareness: One of the first challenges SMBs encounter is a lack of awareness of the cybersecurity risks they face and of how to protect themselves and their business. Many SMB owners and employees need to become more familiar with cyber threats and with the context in which they might face those threats on a day-to-day basis.

Some key issues SMBs are dealing with include ransomware, phishing, and supply chain attacks (indirect attacks through key providers that SMBs rely on, such as a third-party IT MSP, CPA firm, or law firm). They may also underestimate the impact of a cyberattack on their reputation, customer trust, operations, and finances. According to a recent survey by CyberRx, only 36% of SMBs have a formal cybersecurity plan in place. I would also go so far as to wager that this survey result may be on the high side, given overconfidence or who did/didn’t take the time to complete the study.

Inadequate technical protection: As many risk management-oriented veterans of the industry understand, cyber tools and services are only as good as the corresponding scope, scale, and actions that are taken from the insights they provide. Many SMBs have been sold a bill of goods by their technology providers: that an anti-virus solution or some “advanced scanning/monitoring” is sufficient for the risks they might incur. It might be, but if you are an SMB leader relying on a technology provider, it is critical to ensure that the technology and any related services are backed with appropriate expertise and business acumen that relate to your business. Additionally, understanding the motivations that drive a service provider’s recommendations is important to flush out any bias in the advice and input behind the decisions you make with your limited budget. It’s easy to dream about “in a box” solutions that give a whiz-bang snapshot of cyber risk and easy buttons to fix issues and improve processes. Still, they largely don’t exist and often end up being smoke and mirrors that raise more questions for business leaders than answers.

Low / No Defined Processes and Supporting Info Security Policies: Processes, supporting policies, and clear expectations for employees are important to any cyber program. However, the context of the business you operate and your internal culture matter. Additionally, any regulatory or compliance aspects you face within your business might dictate key components you must have in place. It is tempting to think that an inexpensive “policy pack” found online might be sufficient, but it can work about as well as one-size-fits-all shoes: they might work, but they could also be painful or sloppily large, or they might get stuffed in a closet and never worn.

This topic also folds into compliance-related issues or needs. Historically, suppliers who serve large companies could fly under the radar; nobody checked whether they had, or evaluated, the key controls expected for the data they handle. However, in today’s supply chain-riddled attack landscape, these large organizations have shifted the focus of their third-party risk programs from large, high-spend suppliers to providers that handle high-risk information or operations.

Budget Constraints and Talent Shortage: Last but not least come money and talent. Companies with under 100 employees are lucky to have one information security-focused resource, and that person is often someone who picks it up alongside other responsibilities. Even if SMBs can afford a dedicated resource, they typically can’t pull in an expert with decades of experience, because they can’t attract that kind of talent based on compensation and/or the complexity of the role.

What to Make of the Challenges 

It would be typical of a cybersecurity article to stop here, since doom-and-gloom fearmongering finds too much wind in this industry, but it doesn’t have to be that way.

At Reveal Risk, we’ve found business value in having our staff support a range of Fortune 500 clients coupled with a variety of SMB and non-profit engagements. For us, it is a saw sharpener, and we find that the critical thinking that goes into right-sizing guidance and approaches from large to small, and vice versa, offers innovative thinking and risk-based value to entities of both sizes. With that said, approaching SMBs with very limited budgets requires some unique approaches to get to the right depth of value and forward momentum. More on that, and on how we are approaching it, at the end of this article. For now, let’s talk about some solutions to the challenges that every SMB leader should know and act on.

Recommendations for SMB Leaders: SMBs should invest in cybersecurity education and training for their owners and employees, and conduct periodic risk assessments to identify their vulnerabilities and gaps. They should also follow best practices for cybersecurity hygiene, such as using strong passwords, updating software and devices, securing files and backups, and avoiding suspicious links and attachments. These are the basics and low-hanging fruit. Investing in a SaaS-based cyber awareness solution can be a good start, and these solutions can be very solid. However, it is important to note that these out-of-the-box solutions provide great generic training but won’t address your specific business risk context or how your employees should handle sensitive client or internal information. Taking time to think through your critical business processes and operations, and how information flows through them, is a good step toward understanding what you need to protect and how to protect it.

Additionally, experienced cyber professionals know how to balance investments of time and money across people, process, and technology risks and opportunities. If you don’t have that perspective yourself, or don’t know whether you have bought enough or too much technology, some technology-independent input could be warranted to help you prioritize your focus and effort across people, process, and technology. This balance creates a layered approach to cybersecurity that covers both technical and organizational aspects.

SMBs should also establish clear and comprehensive policies and procedures for data security and privacy that comply with relevant laws and regulations, such as GDPR, HIPAA, CCPA, PCI, and other financial industry regulations, or whatever is required for the industry they serve. They should also monitor and review their security posture regularly and update it as needed.

According to a recent report by Bitlyft Cybersecurity, 32% of SMB respondents cited budget constraints as their greatest obstacle to implementing effective cybersecurity measures. For some SMBs, grants may be available to help. These vary state by state and by sector, and some are easier to navigate than others.

SMBs should strive to prioritize cybersecurity as a strategic investment rather than a cost center and should allocate sufficient funds for it in their annual budget. While this is easier said than done, cybersecurity is easier and more cost-effective to address proactively than reactively.

It is advisable to look for cost-effective solutions that offer high value for money, such as open-source software, cloud-based services, or platforms that combine several security functions. SMBs should also measure and demonstrate the return on investment (ROI) of their cybersecurity efforts in terms of reduced risk, improved efficiency, enhanced reputation, and increased customer loyalty. We like to find opportunities to help clients make their cybersecurity a competitive advantage and a differentiator from their competition for the clients and customers they serve.

Lastly, for talent and outside support challenges, SMBs should leverage credible external resources and partnerships to augment their internal capabilities and fill the skills gap. They should also collaborate with other SMBs or industry associations to share best practices, insights, or threat intelligence. Finding a network to collaborate with, along with experienced practitioner advisors you can trust, can take time and effort. This leads us to the last point, regarding what we are doing to help.

How Reveal Risk is Able to Help You  

Cybersecurity is not a luxury but a necessity for SMBs in today’s digital world. SMBs face various challenges in terms of cybersecurity, but they can also take advantage of opportunities to improve their security posture and resilience.   

We spend a significant amount of time helping large companies with complex cyber challenges. However, we also recognize the cybersecurity needs of smaller and mid-sized organizations. Because of our breadth and depth in cybersecurity, we are able to take complex enterprise-grade programs and right-size them for smaller organizations.

At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit for purpose, and are sustained. If you want assistance building your company’s cybersecurity strategy, governance, and plan toward a desired state of maturity, please don’t hesitate to contact us.


About the Author

Aaron is a former Eli Lilly senior IT/Security/Audit/Privacy/Risk leader with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma Black Belt with a career emphasis on building and improving internal processes and controls.
