CyberSecurity Primer for the Small to Mid-Sized Business
Small and midsize businesses face an increasingly complex digital landscape. On the one hand, cloud-based operations are almost unavoidable. Considering 40% of consumers start their search online, operating without a web presence is often a losing prospect, especially within highly competitive industries. Still, even those 36% of small businesses in the U.S. without a website have some exposure to cybersecurity threats. Business email, web-connected servers and even brick-and-mortar POS systems are all vulnerable to attack and data loss.
Cybersecurity risk mitigation is essential for businesses participating in a digitally-centric economy. Effective strategies typically exist across one of two channels: shoring up in-house security concerns, or minimizing liabilities by reducing exposure. Either route has advantages and disadvantages that are important for small and midsize businesses to consider.
In-House Data Protection Strategies
Many small and medium-sized operations lack the resources to hire full-time IT staff. They do, however, devote on average around 11% of its budget on security software—the same as large enterprises. Considering the vast revenue differences between small, midsize and large companies, that spend is considerably less than ideal to mitigate security risks.
As an alternative to eating away the budget on IT security, these businesses often take an in-house approach. For some, the owner or founder carries the burden of self-educating and managing IT risks. For others, a tech-savvy lower-level who is likely already wearing too many hats is asked to add yet another one. Neither of these is entirely ideal. But whether because of proprietary data concerns or cash flow issues, in-house security management is incredibly common among small and midsize businesses.
Self-Run Cybersecurity Management on a Tight Budget
Creating a framework for in-house IT management is possible on a tight budget if you approach the problem holistically. That begins with identifying where critical security threats exist, based on the type of web-connected infrastructure and software the business utilizes. Common cybersecurity exposures for small and midsize businesses can include (but are not limited to):
- Business and personal email
- Point-of-sale devices
- Wi-fi networks
- In-house data storage (including servers and computer hard drives)
- Video conferencing
- Mobile devices
- Staff access to sensitive data
Uncovering every risk area can take some time, but it’s an essential first step in the process. Once your business has properly identified risks, begin incorporating software and operational practices that reduce unwanted access to these systems or accounts.
For example, business websites are a key entry point for hackers. Once they have access, they can install malware that steals customer data or redirects users to real-looking phishing versions of your site. There are several ways you can boost website security, such as:
- Switching to sitewide SSL encryption
- Installing backend firewall and website AV software
- Enforcing strong password policies for users with backend access
- Limiting the number of individuals with access to website backend
- Regularly updating CMS plugins, especially if using WordPress
If you have a website, website security is a must. But it’s not the end-all, be-all for protecting your business. Ensure you’ve identified and mitigated all risks areas, especially email and in-house app security.
Apply Similar Strategies Across Your Business
Most of the strategies mentioned above aren’t website specific and can be rolled out across your organization. For example, you may want to install endpoint security software on any computers or in-house servers used for business purposes to reduce the risk of data loss from malware, ransomware or other viruses. And establishing strong password policies for staff email and business app accounts can help avoid infiltration from credential stuffing or brute-force attacks.
Many small businesses often fail to account for insider data loss risks. Insiders—primarily employees or contractors with account access—are responsible for 60% of business data breaches. These insiders could be pawns (being used by someone else to gain access), goofs (accidentally leaking data), lone wolves (independent malicious intent) or collaborators (working with others for personal gain). The more individuals with access to your business’ personal and customer data, the more likely an insider breach will occur. Any data that can be monetized is a potential target.
Enforcing strong password policies and reducing the number of individuals with sensitive account access is crucial. Training staff to spot threats will also reduce the chances they become victims of phishing attacks that could expose user data.
Minimizing Liability by Using Third-Party Service Providers
Not all security threats need to be managed in house. Where possible, it’s a good idea to minimize some liability by reducing exposures. Purchasing services from managed third-party providers can help reduce your number of web-connected environments that hackers could target. As the burden of security shifts, your business can eliminate common issues (including insider data breach threats with in-house management.
Almost any aspect of your operation that relies on private data use and access can be shifted to third-party providers. Some of the most common areas they can manage include:
- Cloud-based data storage
- Website management
- Social media management
- Digital payment processing
- Cybersecurity risk training for staff
- Software installation and updating
Turning over security tasks to third parties primarily minimizes your liability by shoring up gaps in knowledge, experience or financial resources within your business. But should a data breach occur and customer, staff, or proprietary data leak out or get stolen, you could still face lawsuits—not to mention impacts to your business’ reputation.
Some third-party providers cover these risks in the contract by providing compensation should their mistakes lead to your loss. But this isn’t always the case. And it won’t always account for lost business following a major breach or short-term recovery costs.
Always properly vet any third-party service providers before establishing the relationship. If necessary, hire a security professional who can properly consult you on whether the providers you consider utilize industry best practices for data security.
Both In-House and Third-Party Management Have Value
You likely aren’t going to turn over all of your web-based infrastructures to third parties. After all, you and your staff still use business email and possibly other communication services such as Zoom or Slack. All of these are exposure points. Phishing attacks against businesses are only getting worse, while Zoom and Slack are both hacker targets.
Keep an open mind about all forms of threat mitigation, and take an approach that maximizes costs and control concerns.
A cost-benefit analysis should help you determine which threats are best covered through in-house methods vs. third-party service providers. There’s always an upper level for what you can realistically spend on cybersecurity, but your exposure won’t be the same as everyone else’s. It all depends on how your business is structured and what your web presence looks like.
If your operation is small, for example, you may not need a third-party provider to install and regularly update antivirus software on your business computers. You might also be capable of switching to more secure email services that better filter phishing attempts. Additionally, you could consider managing your in-house password policy and insider access to certain accounts.
However, more complicated or technical IT tasks (such as server management and website security) might be best left in the hands of seasoned professionals. Unless you have the budget to hire someone internally, picking the right third-party providers can save you money.
Don’t Ignore Cyber Insurance
Even the best mitigation strategies won’t always work. A data breach can cost tens or hundreds of thousands of dollars—enough to bankrupt many small and mid-sized businesses. Consequently, cyber liability insurance is something most businesses should at least consider adopting. Given the increasing data breach threat, it should be considered alongside more traditional coverages, such as general liability, commercial property or business owner’s policies.
Unless you plan to revert your business to pre-internet infrastructure, cybersecurity threats are unavoidable. The good news is that risk mitigation doesn’t have to break the bank. You’ll simply need to account for areas where your business is exposed and reduce your security risks either through in-house strategies or trustworthy and properly vetted third-party service providers. Most businesses will find a mixture of both strategies is ultimately the best path forward. An experienced technology consultant can help you make the best choices for your organization.