Light Dark
January 10, 2022 By George Platsis 4 min read
Data Protection
Incident Response
Risk Management
Security Services

The risk posture of small and medium-sized businesses has changed a lot over the last few years. Bluntly: small businesses inherited a series of digital risks. Many of these risks, such as supply chain and cloud-related risks, can wound and devastate a small business. Meanwhile, the enterprise, armed with more resources, could sustain the shock. When, and how, do you need to boost your small business cybersecurity?

There are non-digital risks too. (Think manufacturing, raw materials and non-software supply chain issues.) These make operations fragile but still may have a digital trail somewhere. These issues also impact small businesses, which, by themselves, have very little influence over them.

Despite this fact, small businesses make up almost 99.9% of businesses in the U.S. and employ nearly half of the workforce, even during the COVID-19 shutdowns, according to the U.S. Small Business Administration (SBA). Therefore, with such a huge footprint on and threat to economic stability, it is no surprise that the SBA offers some basic guidance to small businesses to stay safe from cybersecurity threats and recover from disasters.

But there is good news for small businesses, too. They can leverage some enterprise-level material to become more resilient. The concepts and methodologies are often the same; it is the application and details that are adjusted based on scale and scope.

Why Does Small Business Cybersecurity Matter?

Before, small businesses enjoyed some ‘cyber immunity’. Candidly, operations were simpler, at least from a technical sense. Weathering a ‘cyber storm’ was easier because of fewer dependencies, such as not relying on a digital database. Small businesses were more likely to use paper records, which are at risk to different types of threats, but nonetheless protected from the digital space.

Many of these protections have eroded, though, because of e-commerce. Good ole fashioned cash and register or copper line, modem-connected credit card authorization machines are now replaced with a mobile phone, a card reader adapter and a 5G connection.

Growing up in a small, family-owned business, the closest thing we held to customer data was a credit card carbon imprint slip. (You have dated yourself if you remember these!) We destroyed the slips after some short time passed, once we knew the transaction was complete and there were no customer follow-ups.

The only breach that I was concerned about was a burglar busting through the door at night.

Small Business Cybersecurity With Enterprise Capability Powers

But for small businesses, the risk profile has changed today. Whether they know it or not, they are using enterprise-level functions (software, cloud computing, payment processing, connectivity, you name it) resulting in an inheritance of risk.

Nowadays, small businesses (that act diligently) must review contracts with service providers to determine data residency, retention and destruction requirements. Or, they must consider alternate cloud providers and web hosts to cover small business cybersecurity. There’s also a caveat to this trade for efficiency. As a small business, you may not get the priority you need unless you pay top dollar. Enterprises may survive million-dollar losses. But, to a small business, lose a few grand at the wrong time and your doors close forever.

Enter the risk assessment. It’s designed to inform your risk appetite, identify resource allocation areas and manage your annual cybersecurity budget.

Melding a Risk-Based Approach Into a Small Business

Small businesses likely have people wearing two and three hats. It’s not uncommon for a business owner to find themselves working as CEO, CFO, CISO and cleanup crew, all in one. But whether it is one person in a small business or multiple people in an enterprise, there are some key questions that can help quantify security risk. You can find these in the IBM Risk Quantification Smart Paper:

  • How do I build a business case about risk?
  • What is the overall return on investment of small business cybersecurity tools?
  • How can I address vulnerabilities and threats?
  • How does the company avoid the next headline or survive?

Unifying these findings can help a small business decide what to fix, what to manage and what to outsource. Here are some questions that, when answered, can align efforts and define priorities:

  • Do you have a good understanding or consensus view of your small business’s cybersecurity risks?
  • Are all the relevant stakeholders viewing risk from relevant perspectives?
  • Does a common language to evaluate your risk exist?
  • Do you have the information you need to make a good decision?
  • Is your security strategy out of whack with your business strategy? And to take this point further for a small business, do you have a security strategy at all?
  • Do you have a methodology to measure risk?

Getting the Most Out of the Value of Your Limited Resources

Having grown up in the small business world, and running my own small businesses, I can promise you security is not top of mind. Sometimes all you are trying to do is manage payroll and pay taxes. But with that said, business risk is on your mind 24/7. Therefore, making small business owners and operators aware of today’s information security risks is crucial.

Some things are easy to fix when it comes to small business cybersecurity. Awareness and training are just elbow grease. Even for those who don’t want to spend much money, there are many options. Free and low-cost tools exist. If you are managing your own infrastructure, well, that can be a bit costlier if you are not maintaining it well. Some managed service provider assistance could be of use here. You may even consider outsourcing some services or find that the service provider in use is too risky for your appetite. If you can afford it, you may even consider a quick third-party assessment to get a sense of where your risks are, visible or hidden.

Risk Assessments Make a Difference

It’s all in the risk assessment. The principles of a guideline like NIST SP 800-30 Guide for Conducting Risk Assessments, even if designed for government and enterprises, can still apply to a small business. The material in a document like this will resonate with a business owner, even if it’s just a glance at the executive summary.

In closing, the main takeaway for small businesses is this: through no fault of your own, you have inherited a series of risks that can blindside you. Since these risks are in your orbit now, conduct the risk assessment, find out what matters to your business, devise cost-efficient strategies to protect your business through reasonable investments and decide what to fix, manage and, finally, outsource.

 |  |  |  |  |  |  |  | 
George Platsis
Senior Director, Educator and Author

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature