The risk posture of small and medium-sized businesses has changed a lot over the last few years. Bluntly: small businesses inherited a series of digital risks. Many of these risks, such as supply chain and cloud-related risks, can wound and devastate a small business. Meanwhile, the enterprise, armed with more resources, could sustain the shock. When, and how, do you need to boost your small business cybersecurity?

There are non-digital risks too. (Think manufacturing, raw materials and non-software supply chain issues.) These make operations fragile but still may have a digital trail somewhere. These issues also impact small businesses, which, by themselves, have very little influence over them.

Despite this fact, small businesses make up almost 99.9% of businesses in the U.S. and employ nearly half of the workforce, even during the COVID-19 shutdowns, according to the U.S. Small Business Administration (SBA). With such a huge footprint on, and threat to, economic stability, it is no surprise that the SBA offers some basic guidance to help small businesses stay safe from cybersecurity threats and recover from disasters.

But there is good news for small businesses, too. They can leverage some enterprise-level material to become more resilient. The concepts and methodologies are often the same; it is the application and details that are adjusted based on scale and scope.

Why Does Small Business Cybersecurity Matter?

Before, small businesses enjoyed some ‘cyber immunity’. Candidly, operations were simpler, at least in a technical sense. Weathering a ‘cyber storm’ was easier because there were fewer dependencies; many businesses did not rely on a digital database, for example. Small businesses were more likely to use paper records, which are at risk from different types of threats but are nonetheless protected from the digital space.

Many of these protections have eroded, though, because of e-commerce. Good ole-fashioned cash and a register, or copper-line, modem-connected credit card authorization machines, are now replaced with a mobile phone, a card reader adapter and a 5G connection.

Growing up in a small, family-owned business, the closest thing we held to customer data was a credit card carbon imprint slip. (You have dated yourself if you remember these!) We destroyed the slips after some short time passed, once we knew the transaction was complete and there were no customer follow-ups.

The only breach that I was concerned about was a burglar busting through the door at night.

Small Business Cybersecurity With Enterprise Capability Powers

But for small businesses, the risk profile has changed today. Whether they know it or not, they are using enterprise-level functions (software, cloud computing, payment processing, connectivity, you name it) resulting in an inheritance of risk.

Nowadays, small businesses (that act diligently) must review contracts with service providers to determine data residency, retention and destruction requirements. Or, they must consider alternate cloud providers and web hosts to cover small business cybersecurity. There’s also a caveat to this trade for efficiency. As a small business, you may not get the priority you need unless you pay top dollar. Enterprises may survive million-dollar losses. But, to a small business, lose a few grand at the wrong time and your doors close forever.

Enter the risk assessment. It’s designed to inform your risk appetite, identify resource allocation areas and manage your annual cybersecurity budget.

Melding a Risk-Based Approach Into a Small Business

Small businesses likely have people wearing two and three hats. It’s not uncommon for a business owner to find themselves working as CEO, CFO, CISO and cleanup crew, all in one. But whether it is one person in a small business or multiple people in an enterprise, there are some key questions that can help quantify security risk. You can find these in the IBM Risk Quantification Smart Paper:

  • How do I build a business case about risk?
  • What is the overall return on investment of small business cybersecurity tools?
  • How can I address vulnerabilities and threats?
  • How does the company avoid the next headline or survive?

Unifying these findings can help a small business decide what to fix, what to manage and what to outsource. Here are some questions that, when answered, can align efforts and define priorities:

  • Do you have a good understanding or consensus view of your small business’s cybersecurity risks?
  • Are all the relevant stakeholders viewing risk from relevant perspectives?
  • Does a common language to evaluate your risk exist?
  • Do you have the information you need to make a good decision?
  • Is your security strategy out of whack with your business strategy? And to take this point further for a small business, do you have a security strategy at all?
  • Do you have a methodology to measure risk?

Getting the Most Out of the Value of Your Limited Resources

Having grown up in the small business world, and running my own small businesses, I can promise you security is not top of mind. Sometimes all you are trying to do is manage payroll and pay taxes. But with that said, business risk is on your mind 24/7. Therefore, making small business owners and operators aware of today’s information security risks is crucial.

Some things are easy to fix when it comes to small business cybersecurity. Awareness and training are just elbow grease. Even for those who don’t want to spend much money, there are many options. Free and low-cost tools exist. If you are managing your own infrastructure, well, that can be a bit costlier if you are not maintaining it well. Some managed service provider assistance could be of use here. You may even consider outsourcing some services or find that the service provider in use is too risky for your appetite. If you can afford it, you may even consider a quick third-party assessment to get a sense of where your risks are, visible or hidden.

Risk Assessments Make a Difference

It’s all in the risk assessment. The principles of a guideline like NIST SP 800-30 Guide for Conducting Risk Assessments, even if designed for government and enterprises, can still apply to a small business. The material in a document like this will resonate with a business owner, even if it’s just a glance at the executive summary.

In closing, the main takeaway for small businesses is this: through no fault of your own, you have inherited a series of risks that can blindside you. Since these risks are in your orbit now, conduct the risk assessment, find out what matters to your business, devise cost-efficient strategies to protect your business through reasonable investments and decide what to fix, manage and, finally, outsource.
