Ask almost any kid, “Who gets picked on by the playground bullies?” and there’s a good chance they will tell you it’s the little guy. It is a rare person who can’t remember someone being picked on at some point during their childhood. Most of the time, it was because the victim was not prepared to defend themselves.
Fortunately, most of us learn how to defend ourselves, avoid trouble, or both by the time we become working adults. Unfortunately for those of us who work for, manage, or own a small to midsize business (SMB), being the “little guy” can make it difficult to safeguard against all kinds of problems, including cybercrime. Cybercriminals have learned over the years that issues like a lack of resources, a cybersecurity talent shortage, and the high level of access that some SMBs have to valuable assets (often supporting bigger companies or their own clients) make them an enticing target for these bullies of the cyber playground.
During the twenty years I spent as a Law Enforcement Officer, I had ample opportunity to interact with individuals on both ends of the bully or bullied spectrum, and a common theme among these interactions was vulnerabilities: those taken advantage of by the bullies and those left unaddressed by those being bullied. Unfortunately, when defending against cybercrimes, most SMBs have unaddressed vulnerabilities, too. There is a big difference between being vulnerable and being helpless, though, and developing a plan to address those vulnerabilities and prepare for potential threats goes a long way to protecting your SMB from cyber threats.
Problems and Solutions
- The problem: SMB owners, operators, and employees are experts in their area of business, not cybersecurity. They are busy learning and doing the things that produce the product or service they have developed. This leaves little time to focus on cybersecurity threats until they are in the middle of an incident and the opportunity to prepare has passed. Not only that, but there is little time to evaluate what information the business has that is potentially valuable to a criminal, how or if that information is protected, and how a criminal would attempt to take it.
- The solution: Invest time and resources into cyber awareness for their teams. SMBs should develop a plan to set aside time to evaluate their business to determine their most valuable information and resources and how they are vulnerable. These activities can often get pushed aside in favor of competing priorities. Scheduling these efforts helps prioritize them and keeps them from getting lost in the hecticness of business. If finding time internally is difficult, leverage a partner that can deliver tailored content or employee-focused campaigns as a service.
- The problem: With an endlessly increasing number of cyber-attacks in the news, there are an endless number of companies selling tools and solutions to solve the problem. Some are great, and some are not. The problem for SMBs is that there is no single technical solution for all your cyber problems. While large companies might have budgets for ongoing service contracts with tool vendors, limited budgets for SMBs barely cover the one-time purchase of a solution, leaving the SMB to learn how to operate the solution best.
- The solution: Choose tools wisely. The newest, shiniest object is always a temptation and will almost always be presented as the most powerful and best option. As great as these tools are made to look, I remember growing up watching Bruce Lee and Michelangelo of the Teenage Mutant Ninja Turtles using their Nunchaku and thinking it was just the most incredible defensive tool ever. When I finally got my hands on a pair, I realized I had no idea what I was doing when I promptly hit myself in the face with them. Ensure the tool you buy from the vendor is something you understand and can use to defend yourself against cybercriminals, especially if you do not have room to hire a cyber ninja.
Processes and Policies
- The problem: One size does not fit all. Yes, you can find policy packs online, or you may even find some for “free” if you are willing to sign up for email marketing lists or other services. However, products like these need context added to them and don’t necessarily fit your business. It’s true that Jim Thorpe won two Olympic gold medals with a mismatched pair of shoes, and like Jim Thorpe, you can make policies not designed for your business work, but you don’t have to. Sometimes simple policies tailored to how you need your business to operate can be more affordable in the long run than mismatched policy shoes.
- The solution: Make sure the shoe fits. Athletic teams have equipment managers for a reason, and a cybersecurity professional can help ensure that the policies and procedures you use for your business fit your business and offer the right kind of protection. You don’t need HIPAA compliance if you don’t work with health information. If you process credit card payments, you almost certainly need PCI compliance. If a 300-pound NFL Defensive Tackle is headed your way with ill intent and your protective gear is a bike helmet, or you are dressed like an NHL Goalie, either way, you are in trouble. Ensure your policies and procedures fit who you are and what you do as a company.
Money and Talent
- The problem: Budgets are finite, and finding talent is difficult. With fewer members making up the staff of an SMB, the odds of having a dedicated expert in information security as a member of your staff are severely reduced for most companies. On top of that, limited budgets, among other factors, can make it difficult to attract cyber talent.
- The solution: Cyber must be made the responsibility of everyone on the team. Just like movie scenes set in medieval times, when a village with no army is going to be attacked, everyone from the smallest child to the oldest village elder grabs a pitchfork, a stick, or a rock and prepares to defend the village. The staff of an SMB must be educated, as much as possible considering time and budgetary constraints, about common cyber-attacks, how to prepare for them, how to spot them, and what to do to defend against them. You don’t need fancy tools to defend against every kind of attack. Quite often, the best defense is knowledge and good habits. Cyber-awareness solutions are available that fit well within the budgets of many SMBs and are an effective investment into protecting your business.
Strength in Numbers
Facing common challenges has always been a factor in bringing groups together. While there is always healthy competition for business amongst SMBs in common markets, when it comes to combatting cyber threats, working together against a common enemy can benefit the entire community. With this in mind, Reveal Risk is excited to present our new SMB Cyber Cohort program (focused on approved applicant SMB companies within Indiana). As part of the Cohort, SMB leaders/representatives will be brought together with Reveal Risk’s team of cybersecurity experts to work together and help one another address common fundamental cyber program basics, such as:
- A business-oriented mapping of cyber and information theft or loss risks
- Simple and focused processes and policies
- A review and rationalization of existing technologies
- Cyber risk management process review
- Processes to conduct or procure ongoing risk and vulnerability assessments
- Approaches and processes to managing customer audit and cyber assessment risks
- Cyber incident response process
Cohort participants will become part of a community of well-informed and prepared SMBs while educating and preparing themselves for cyber threats. Cohort members will build their own knowledge and experience in preparing for cyber threats and build relationships with others in their space to do the same. They will also be guided by Reveal Risk’s team of experts along their path to better cyber preparedness and provided accelerators to help them efficiently implement the knowledge and skills gained through participating. Upon completion of the six-month program, members of the Cohort will leave not only with new knowledge, skills, and abilities, but with a community of other SMBs that can be interacted with and leveraged for greater protection far beyond the Cohort program. Of course, for any members of the Cohort that wish to seek additional support, the experts at Reveal Risk will be available to discuss those needs.
If you are an Indiana SMB and are interested in being considered for the SMB Cyber Cohort program at Reveal Risk, please contact us at email@example.com.