For small and medium-sized businesses (SMBs), the risk of a cyberattack is no small matter. In fact, the average total financial impact of a data breach to SMBs is $117,000. The damages include everything from extra staff time and the hiring of outside consultants to lost business, personal information and public relations to help remedy the trouble.
The far-reaching implications of a security incident can leave an SMB reeling. That’s why Trent Teyema, Chief of Cyber Readiness at the Federal Bureau of Investigation, says the most forward-looking small businesses not only focus on being prepared for an attack but also integrate that readiness into the fabric of their business.
Today, cyberattacks aren’t a matter of if, but when. There are two types of businesses – proactive and reactive. Historically, cybersecurity followed a castle-with-a-moat approach. We put the security around the technology, and nothing went in or out. But in today's everything-connected world, where systems are increasingly decentralized, cybersecurity needs to continuously evolve and be a top-of-mind consideration for everyone within an organization. Business leaders must constantly be weighing the risks and costs (both financial and in lost convenience) associated with their security plan.
Gone are the days when your SMB’s cybersecurity efforts could be relegated to the IT team. With the threats multiplying, the most successful businesses now recognize that reducing the risk of cyberattacks is an operating effort that spans teams and encompasses the whole company. “You can’t think of security as a cost center anymore,” Teyema says. “Instead it’s about protecting the integrity of your brand—it’s an investment in your company’s future.”
The recent Oracle and KPMG Cloud Threat Report 2018 found that 90 percent of information security professionals classify more than half of their cloud data as sensitive. Furthermore, 97 percent have defined cloud-approval policies; however, the vast majority (82 percent) noted they are concerned about employees following these policies.
So what does that look like exactly? Teyema notes that different companies take different approaches. But broadly, he recommends identifying positions in the business that are specifically responsible for information security, and then also creating cross-functional teams—including people from marketing and legal—who are also involved in security efforts. Because the brand is ultimately at stake, Teyema says some SMBs are even housing their cybersecurity initiatives under the Chief Marketing Officer. The takeaway: Cybersecurity can’t be an afterthought, but instead requires proactive action and attention from multiple teams and systems.
Ironically, as technology accelerates, people become more important. This is a situation where technology and people can truly complement each other. An increasing number of organizations are creating positions within the line of business to help bridge business expertise with IT. For example, companies using SaaS ERP and EPM applications are beginning to create positions within the finance function that support the CFO and manage the evolving financial planning needs of the business as the finance function evolves into a more strategic partner within the business.
The tiny silver lining: The rise of cybercrime is actually generating jobs in the tech field. In one recent survey, IT professionals from across North America and Europe cited cybersecurity as the biggest area of skills shortage at their organization. SMBs may not have the budget or resources to compete for lots of high-level cybersecurity talent with bigger organizations. But Teyema says training up less experienced people can also help fill the need. “You want to do a little of both,” he says. “Hire one senior individual who has done this before, and then find some less experienced people who you are willing to invest in.”
New programs are developing to meet the talent shortage. For example, at the new Merritt College cybersecurity program, faculty includes industry CIOs who instruct students using interactive scenarios built on virtual infrastructures, and students compete in National Cyber League events. These activities reflect the direct experience and collaborative mentality required to address the ever-evolving cyber risks. Additionally, through private, academic and public partnerships, the school has established programs with the county that may help supplement internship costs, benefiting both students and business. Graduates often have previous work experience in private business or military training, which helps them to identify what assets need to be protected and prioritize security spending, effectively bridging the evolving business and technology security needs. By growing your own talent, you’ll eventually end up with a mature information security team that deeply understands not just the cybersecurity landscape, but also the inner workings of your business.
The number of people that your SMB can afford to dedicate to cybersecurity and attacks is likely to be in the single digits. However, Teyema says that doesn’t mean that has to be the extent of your security efforts. SMBs working on a budget can supplement their own internal security efforts by hiring a cybersecurity consultant or firm.
Such Security-as-a-Service companies can provide a range of assistance, from providing ongoing training for your staff to identifying network vulnerabilities to being on-call for incident response. In some cases, Teyema says that SMBs choose to use Security-as-a-Service for the vast majority of their cybersecurity needs.
Creating a wide-reaching cybersecurity plan can be overwhelming. Get your arms around the issue by first identifying the sensitive data that your SMB is handling on a regular basis. As noted, a network security firm can help with this task. Such data might include your customer information, intellectual property, payment or billing data, employee tax information and more. “You protect the most sensitive data first, then broaden the circles out to protect more as you can,” Teyema says.
In addition to your own team and outside consultants, your SMB software can play a key role in protecting this data as well. Cloud-based software products can offer smaller businesses access to enterprise-level security expertise and protocols. These systems have built-in capabilities that leverage emerging technologies such as artificial intelligence, machine learning, and blockchain to keep users always up to date on the most recent strategies to combat hacking.
As you investigate software products, ask the vendor what technologies they use to secure client data and computer systems, how many of their employees work exclusively on security and whether you’ll have access to security audits and reports.
There are many players in the world of cybersecurity. Understanding the resources available can ensure that your SMB has access to knowledge, education and help when you need it. For instance, consider becoming part of information security or certification associations. Such organizations typically provide access to cybersecurity research and trainings to their members. Cybersecurity training companies can provide similar benefits. Also keep up with the research coming out of academia about cyber threats, how they’re handled and who is affected.
Teyema recommends that every business connect with the cyber units of the local and federal law enforcement in their area. Connect with the FBI's cyber squad in the field office nearest you. An outreach coordinator can outline what the agency is doing to protect businesses, threats you should be aware of and how to respond if you suffer a breach. “Establish that contact proactively, then you’ll know who to call when an event happens—and it will.” The agency is also regularly distributing cybersecurity information on its website. You can also go to this site to find out how to contact your local office.
The threat of a cyber attack isn't something that just affects your IT team. It's a threat to your brand, your business and the existence of your SMB. Incorporate cybersecurity efforts into the core of what you do, your social engineering and who you hire, and you'll ensure that you're ready for whatever cyber threat comes your way.