The risk posture of small and medium-sized businesses has changed a lot over the last few years. Bluntly: small businesses inherited a series of digital risks. Many of these risks, such as supply chain and cloud-related risks, can wound and devastate a small business. Meanwhile, the enterprise, armed with more resources, could sustain the shock. When, and how, do you need to boost your small business cybersecurity?
There are non-digital risks too. (Think manufacturing, raw materials and non-software supply chain issues.) These make operations fragile but still may have a digital trail somewhere. These issues also impact small businesses, which, by themselves, have very little influence over them.
Despite this fact, small businesses make up almost 99.9% of businesses in the U.S. and employ nearly half of the workforce, even during the COVID-19 shutdowns, according to the U.S. Small Business Administration (SBA). Therefore, with such a huge footprint on and threat to economic stability, it is no surprise that the SBA offers some basic guidance to small businesses to stay safe from cybersecurity threats and recover from disasters.
But there is good news for small businesses, too. They can leverage some enterprise-level material to become more resilient. The concepts and methodologies are often the same; it is the application and details that are adjusted based on scale and scope.
Why Does Small Business Cybersecurity Matter?
Before, small businesses enjoyed some ‘cyber immunity’. Candidly, operations were simpler, at least from a technical sense. Weathering a ‘cyber storm’ was easier because of fewer dependencies, such as not relying on a digital database. Small businesses were more likely to use paper records, which are at risk to different types of threats, but nonetheless protected from the digital space.
Many of these protections have eroded, though, because of e-commerce. Good ole fashioned cash and register or copper line, modem-connected credit card authorization machines are now replaced with a mobile phone, a card reader adapter and a 5G connection.
Growing up in a small, family-owned business, the closest thing we held to customer data was a credit card carbon imprint slip. (You have dated yourself if you remember these!) We destroyed the slips after some short time passed, once we knew the transaction was complete and there were no customer follow-ups.
The only breach that I was concerned about was a burglar busting through the door at night.
Small Business Cybersecurity With Enterprise Capability Powers
But for small businesses, the risk profile has changed today. Whether they know it or not, they are using enterprise-level functions (software, cloud computing, payment processing, connectivity, you name it) resulting in an inheritance of risk.
Nowadays, small businesses (that act diligently) must review contracts with service providers to determine data residency, retention and destruction requirements. Or, they must consider alternate cloud providers and web hosts to cover small business cybersecurity. There’s also a caveat to this trade for efficiency. As a small business, you may not get the priority you need unless you pay top dollar. Enterprises may survive million-dollar losses. But, to a small business, lose a few grand at the wrong time and your doors close forever.
Enter the risk assessment. It’s designed to inform your risk appetite, identify resource allocation areas and manage your annual cybersecurity budget.
Melding a Risk-Based Approach Into a Small Business
Small businesses likely have people wearing two and three hats. It’s not uncommon for a business owner to find themselves working as CEO, CFO, CISO and cleanup crew, all in one. But whether it is one person in a small business or multiple people in an enterprise, there are some key questions that can help quantify security risk. You can find these in the IBM Risk Quantification Smart Paper:
- How do I build a business case about risk?
- What is the overall return on investment of small business cybersecurity tools?
- How can I address vulnerabilities and threats?
- How does the company avoid the next headline or survive?
Unifying these findings can help a small business decide what to fix, what to manage and what to outsource. Here are some questions that, when answered, can align efforts and define priorities:
- Do you have a good understanding or consensus view of your small business’s cybersecurity risks?
- Are all the relevant stakeholders viewing risk from relevant perspectives?
- Does a common language to evaluate your risk exist?
- Do you have the information you need to make a good decision?
- Is your security strategy out of whack with your business strategy? And to take this point further for a small business, do you have a security strategy at all?
- Do you have a methodology to measure risk?
Getting the Most Out of the Value of Your Limited Resources
Having grown up in the small business world, and running my own small businesses, I can promise you security is not top of mind. Sometimes all you are trying to do is manage payroll and pay taxes. But with that said, business risk is on your mind 24/7. Therefore, making small business owners and operators aware of today’s information security risks is crucial.
Some things are easy to fix when it comes to small business cybersecurity. Awareness and training are just elbow grease. Even for those who don’t want to spend much money, there are many options. Free and low-cost tools exist. If you are managing your own infrastructure, well, that can be a bit costlier if you are not maintaining it well. Some managed service provider assistance could be of use here. You may even consider outsourcing some services or find that the service provider in use is too risky for your appetite. If you can afford it, you may even consider a quick third-party assessment to get a sense of where your risks are, visible or hidden.
Risk Assessments Make a Difference
It’s all in the risk assessment. The principles of a guideline like NIST SP 800-30 Guide for Conducting Risk Assessments, even if designed for government and enterprises, can still apply to a small business. The material in a document like this will resonate with a business owner, even if it’s just a glance at the executive summary.
In closing, the main takeaway for small businesses is this: through no fault of your own, you have inherited a series of risks that can blindside you. Since these risks are in your orbit now, conduct the risk assessment, find out what matters to your business, devise cost-efficient strategies to protect your business through reasonable investments and decide what to fix, manage and, finally, outsource.
Senior Director, Educator and Author