By Julien Bonnay, Partner, Jayadevan Vijayakrishnan, Managing Principal, Alex Donovan, Senior Consultant, CAPCO
Cybersecurity threats for small to medium sized businesses (SMBs) are real. SMBs are just as likely as larger businesses to be attacked. Yet, many are much less prepared to detect and endure an attack. There is a path forward to significantly improve the risk posture of an organisation with good cyber hygiene, a strategic roadmap, and a cybersecurity insurance policy.
SMBs face a specific set of challenges and limiting factors when it comes to improving their cybersecurity posture. Their smaller size often makes it difficult to find cybersecurity champions and define a right-sized cybersecurity governance model. Most SMBs do not have a dedicated chief information security officer (CISO) or information security organization to champion cybersecurity efforts. In fact, 35 per cent of SMBs have no one function that determines information security priorities, and 43 per cent of SMBs have no cybersecurity defense plan in place.
Small in-house and outsourced IT departments typically have limited expertise on cyber hygiene best practices and cybersecurity program management and limited capacity for new projects or tools. These IT teams may also have initiatives underway to move infrastructure to the cloud and, with limited cloud security expertise, they are unknowingly opening the door to an entirely new arena for hackers to play in with their advanced cybercriminal tools.
Approaches for improving cybersecurity risk
Keep in mind that your approach to cybersecurity should be tailored to the size, industry, location and type of operations specific to your organisation, especially as it relates to newly adopted remote working models or investments in cloud-based technologies. To protect your SMB, follow these four steps to start building a cybersecurity strategy to withstand inevitable cyberattacks such as phishing, business email compromise (BEC), malware and ransomware.
- Take stock of your current cybersecurity capabilities and identify any gaps in baseline security requirements with a cybersecurity assessment. Industry standard framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), is a quick and straightforward starting point.
- Conduct a cyber hygiene review to first focus your cybersecurity programs on key fundamental requirements, before dedicating time and resources to more sophisticated technologies and tools that may not be the right fit to combat the most relevant risks. These baseline requirements should be implemented by all organisations regardless of size or industry to protect against the most common cyber threats using common sense solutions.
Start implementing these fundamental cyber hygiene practices:
- Password complexity and rotation
- Multi-factor authentication
- Data classification and encryption
- Identity and access management
- Remote access and work-from-home best practices
- Establish required training and awareness for all employees. Top root causes of data breaches are
often due to negligent employees or careless third-party partners.
- Strong password requirements and rotation
- Phishing and BEC awareness
- Appropriate use policies
- Other cyber hygiene best practices (e.g., clean desk policy, data classification and protection, reporting mechanisms)
- Take regular backups of critical data and store backups either offsite or in the cloud.
- Test restoration of backups
- Consider different scanning or health check solutions to ensure malware does not propagate to backups in the event of an attack
- Create a strategic roadmap. Once a baseline of best practices has been reviewed and implemented, strategic and longer-term planning can be organised based on the current risk posture and risk appetite. Compose your roadmap with a series of project cards organised by NIST CSF function and prioritized for the short-term (6-12 months) and long-term (12-24 months).
Short-term initiatives may include:
- Define a whitelist of approved software (e.g., anti-virus software) and standardize corporate tools used across the organization (e.g., Dropbox, OneDrive)
- Define a checklist for third-party security reviews during the pre-contract phase of vendor negotiations (e.g., roles and responsibilities, data security)
- Document formal recovery plans for critical assets, including recovery time, service-level agreements (SLAs), processes and requirements
Long-term initiatives may include:
- Implement an automated scanning solution to reconcile and update asset inventory for network devices and installed software
- Implement a formal data classification solution for data and email to keep data privacy top of mind
- Implement a security information and event management (SIEM) tool designed for SMBs to aggregate and analyse data across platforms, identifying and mitigating threats before they cause damage
- Purchase a cybersecurity insurance policy. This fast- growing sector of the insurance industry gives many SMBs peace of mind that they are covered when a cybersecurity incident occurs. Be aware that insurance carriers expect baseline security best practices and require a solid understanding of your cybersecurity policies and how you protect your assets to determine coverage details and premiums. The output of your cybersecurity assessment, as outlined in step one, can be used to purchase a cybersecurity insurance policy.
Premiums can vary from a few hundred thousand dollars to $5 million, with the cost of based on:
- Industry and type of non-public information (NPI) / personally identifiable information (PII) stored
- Who has access to your systems and data
- Network security requirements and policies
Conclusion: The Best Defense Is a Good Offense
Make it a priority to protect your data for the benefit of your employees and customers and the long-term health of your business. Hackers have no prejudice. These criminals will invade your organisation, regardless of its size, prominence, or location, with their sophisticated tools. SMBs are under attack as never before, a trend the pandemic has only accelerated with newly adopted remote work.
It is no longer an option for SMBs to simply adopt a defensive plan to ward off an anticipated attack. SMBs need to go on the offense by taking stock of their current cybersecurity capabilities, conducting a cyber hygiene review, creating a strategic road map, and investing in a cybersecurity insurance policy. One door left unlocked is enough to result in significant financial losses, many unhappy customers and headlines that no CEO or investor wants to read.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]