Cybersecurity is a critical and growing concern for businesses of all sizes and industries, but especially for small to midsize businesses (SMBs), which often lack the resources and expertise to deal with cyber threats. Ransomware has changed both the game and the targets of cyber criminals: because it monetizes disruption rather than stolen data, any business that cannot afford downtime is a viable target. The days of assuming "this won't happen to us" are long gone, with hundreds of public examples to support a mindset shift.
SMBs, along with non-profits, schools, and municipal government agencies, are often not a focus for expert consulting agencies and cyber technology/tool providers because the profit margin is much thinner or non-existent compared with larger enterprise opportunities. IT managed service providers (MSPs) have tried to fill that gap with more tool/hardware/product sales to SMBs, but this often leaves business owners assuming technology alone can solve the problem, and the MSPs themselves frequently offer very little security expertise because it is outside their primary focus.
This article will address some of the challenges and provide some recommendations on how SMBs can improve their cybersecurity posture and resilience. Additionally, we will discuss how leaders of small businesses can unite through experts to utilize the power of the community to push for progress and risk reduction against cyber threats.
SMBs face a distinct set of cybersecurity challenges: low awareness, inadequate technical protection, few or no defined processes and supporting policies, budget constraints, talent shortage, and compliance pressure.
Low awareness: One of the first challenges SMBs encounter is a lack of awareness of the cybersecurity risks they face and how to protect themselves and their business. Many SMB owners and employees are unfamiliar with current cyber threats and with how those threats actually show up in their day-to-day work.
The key issues SMBs are dealing with include ransomware, phishing, and supply chain attacks (indirect attacks that reach the SMB through a key provider it relies on, such as a third-party IT MSP, CPA firm, or law firm, typically by abusing that provider's remote access, shared credentials, or trusted email). They may also underestimate the impact of a cyberattack on their reputation, customer trust, operations, and finances. According to a recent survey by CyberRx, only 36% of SMBs have a formal cybersecurity plan in place. I would go so far as to wager that this figure is on the high side, given respondent overconfidence and the question of who did or did not take the time to complete the survey.
Inadequate technical protection: As risk management-oriented veterans of the industry understand, cyber tools and services are only as good as their scope, their scale, and the actions taken on the insights they provide. Many SMBs have been sold a bill of goods by their technology providers: that an anti-virus product or some "advanced scanning/monitoring" is sufficient for the risks they face. It might be, but if you are an SMB leader relying on a technology provider, it is critical to confirm that the technology and any related services are backed by appropriate expertise and business acumen relevant to your business. A practical check: ask who reads the alerts, what they do when one fires, and how quickly; a monitoring tool no one acts on reduces no risk. It is also important to understand the motivations behind a service provider's recommendations, so that any bias (for example, a provider that earns margin on the products it recommends) is surfaced before it shapes decisions made with your limited budget. It is easy to dream about "in a box" solutions that give a whiz-bang snapshot of cyber risk and easy buttons to fix issues and improve processes. They largely don't exist, and they often turn out to be smoke and mirrors that raise more questions for business leaders than they answer.
Low / No Defined Processes and Supporting Information Security Policies: Processes, supporting policies, and clear expectations for employees are important to any cyber program. However, the context of the business you operate and your internal culture matter. Any regulatory or compliance requirements your business faces may also dictate specific components you must have in place. It is tempting to think that an inexpensive "policy pack" found online will be sufficient, but it can work about as well as one-size-fits-all shoes: they might fit, but they could also be painful or sloppily large, or they might get stuffed in a closet and never worn. A policy that describes controls you do not actually operate is worse than none, because it becomes a documented gap the moment a customer auditor or regulator reads it.
This topic also folds into compliance-related issues and needs. Historically, suppliers serving large companies often flew under the radar when it came to having, or being evaluated on, the key controls expected for the data they handled. In today's supply-chain-driven attack landscape, however, those large organizations have shifted their third-party risk programs away from the largest suppliers by spend and toward the providers that handle the most sensitive information or support the most critical operations, regardless of size.
Budget Constraints and Talent Shortage: Last but not least come money and talent. Companies with under 100 employees are lucky to have one information security-focused person, and that person is often someone who picks it up alongside other responsibilities. Even when SMBs can afford a dedicated resource, they typically cannot bring in an expert with decades of experience, because they cannot attract that level of talent on the compensation and the complexity of work they can offer.
What to Make of the Challenges
It would be typical of a cybersecurity article to stop here; doom-and-gloom fearmongering gets more than enough airtime in this industry. But the picture does not have to be that bleak.
At Reveal Risk, we've found business value in having our staff support a range of Fortune 500 clients alongside a variety of SMB and non-profit engagements. For us it is a saw sharpener: the critical thinking that goes into right-sizing guidance and approaches from large to small, and vice versa, produces innovative thinking and risk-based value for organizations of both sizes. That said, approaching SMBs with very limited budgets requires some distinct approaches to reach the right depth of value and forward momentum. More on that, and how we are approaching it, at the end of this article. For now, let's talk about solutions to the challenges that every SMB leader should know about and act on.
Recommendations for SMB Leaders: SMBs should invest in cybersecurity education and training for their owners and employees, and conduct periodic risk assessments to identify their vulnerabilities and gaps. They should also follow best practices for cybersecurity hygiene: using strong, unique passwords with multi-factor authentication, keeping software and devices updated, securing files and maintaining backups that are kept offline or otherwise out of reach of an attacker on the network and are actually tested by restoring from them (the control that matters most when ransomware hits), and avoiding suspicious links and attachments. These are the basics and the low-hanging fruit. Investing in a SaaS-based cyber awareness solution can be a good start, and these solutions can be very solid. It is important to note, however, that such out-of-the-box solutions provide good generic training but will not address your specific business risk context or how your employees should handle sensitive client or internal information. Taking time to think through your critical business processes and operations, and how information flows through them and through your providers, is a good step toward understanding what you need to protect and how to protect it.
Additionally, experienced cyber professionals know how to balance investments of time and money across people, process, and technology risks and opportunities. If you don't have that perspective yourself, or don't know whether you have bought too little or too much technology, some technology-independent input could be warranted to help you prioritize your focus and effort across people, process, and technology. This balance creates a layered approach to cybersecurity that covers both the technical and the organizational aspects.
SMBs should also establish clear and comprehensive policies and procedures for data security and privacy that comply with the laws and regulations relevant to them, such as GDPR, HIPAA, CCPA, PCI DSS, and other financial industry regulations, or whatever is required for the industry they serve. They should also monitor and review their security posture regularly and update it as needed.
According to a recent report by Bitlyft Cybersecurity, 32% of SMB respondents cited budget constraints as their greatest obstacle to implementing effective cybersecurity measures. For some SMBs, grants may be available to help. These vary state by state and by sector, and some are easier to navigate than others.
SMBs should strive to treat cybersecurity as a strategic investment rather than a cost center and allocate sufficient funds for it in their annual budget. While this is easier said than done, addressing risk proactively is easier and more cost-effective than responding to an incident reactively.
It is advisable to look for cost-effective solutions that offer high value for money, such as open-source software, cloud-based services, or platforms that bundle several security functions. SMBs should also measure and demonstrate the return on investment (ROI) of their cybersecurity efforts in terms of reduced risk, improved efficiency, enhanced reputation, and increased customer loyalty. We like to find opportunities to help clients make their cybersecurity a competitive advantage and a differentiator from their competition in the eyes of the clients and customers they serve.
Lastly, for talent and outside-support challenges, SMBs should leverage credible external resources and partnerships to augment their internal capabilities and fill the skills gap. They should also collaborate with other SMBs or industry associations to share best practices, insights, and threat intelligence. Finding a network to collaborate with, along with experienced practitioner advisors you can trust, takes time and effort. This leads us to the last point: what we are doing to help.
How We at Reveal Risk are Committed to Helping You
Cybersecurity is not a luxury but a necessity for SMBs in today’s digital world. SMBs face various challenges in terms of cybersecurity, but they can also take advantage of opportunities to improve their security posture and resilience.
At Reveal Risk, we spend a significant amount of time helping large companies with complex cyber challenges. However, as mentioned above, we have found business and team value in giving our staff time to give back to SMBs and non-profits, which in turn helps them develop expertise in solving challenges with solutions that are fit for purpose and free of waste or unnecessary components.
We are excited to be offering a new SMB Cyber Cohort program, open to approved applicant SMB companies within Indiana. This transformational experience for the company and its leadership is a six-month program in which SMB leaders/representatives work alongside one another and experienced cybersecurity experts, building a community that helps each member through fundamental cyber program basics, including:
- A business-oriented mapping of cyber and information theft/loss risk within your business and critical processes
- Simple and focused processes and policies that are right-sized and tailored to your business that are possible to enact and sustain within your staff
- A technology review and rationalization to make sure you have the appropriate technical coverage and action-oriented processes supporting them. (Note: we often find duplication and waste that can be eliminated with effort/budget applied to other items)
- Cyber risk management process to help identify and prioritize cyber or data loss risks on an ongoing basis
- Processes to conduct or procure ongoing risk and vulnerability assessments. There is typically some existing activity in this area, but the right solutions (both technical and process) vary depending on how cloud-focused your organization is, and we typically find a lot of waste and ineffective solutions in place.
- Approaches and processes for managing customer audit and cyber assessment requests (SIG questionnaires, individualized risk assessments, SOC 2 reports, or other attestations or certifications)
- Cyber incident response process and practice with your cohort
Along the way, you will not only educate yourself and your team on how to improve your cyber posture, but also form a community with other like-minded business leaders and a variety of deeply experienced Reveal Risk experts who will join working sessions alongside you. We will give you the concepts, SMB-specific accelerators (templates and starting points sized for a small organization), and knowledge to define and implement these concepts with your team, all while keeping the budget affordable and maximizing value. Your progress won't end when the program ends, as the peers and community you interact with will remain an ongoing resource. For clients seeking additional support on specific elements of their program, options for additional expert support will be available.
If you are interested in being considered for this program and are an Indiana SMB, please contact us at firstname.lastname@example.org.