The risk posture of small and medium-sized businesses has changed a lot over the last few years. Bluntly: small businesses have inherited a series of digital risks. Many of these risks, such as supply chain and cloud-related risks, can cripple or destroy a small business, while a large enterprise, armed with more resources, can absorb the same shock. When, and how, do you need to boost your small business cybersecurity?

There are non-digital risks too. (Think manufacturing, raw materials and non-software supply chain issues.) These make operations fragile and still leave a digital trail somewhere. They also hit small businesses, which, on their own, have very little influence over them.

Despite this fact, small businesses make up almost 99.9% of businesses in the U.S. and employ nearly half of the workforce, even during the COVID-19 shutdowns, according to the U.S. Small Business Administration (SBA). With a footprint that large, and that much economic stability riding on it, it is no surprise that the SBA offers some basic guidance to small businesses on staying safe from cybersecurity threats and recovering from disasters.

But there is good news for small businesses, too. They can leverage some enterprise-level material to become more resilient. The concepts and methodologies are often the same; it is the application and details that are adjusted based on scale and scope.

Why Does Small Business Cybersecurity Matter?

Before, small businesses enjoyed some ‘cyber immunity’. Candidly, operations were simpler, at least in a technical sense. Weathering a ‘cyber storm’ was easier because there were fewer dependencies, such as not relying on a digital database. Small businesses were more likely to use paper records, which are exposed to different types of threats but are nonetheless insulated from the digital space.

Many of these protections have eroded, though, because of e-commerce. The good old-fashioned cash register, or the copper-line, modem-connected credit card authorization terminal, has been replaced by a mobile phone, a card reader adapter and a 5G connection.

Growing up in a small, family-owned business, the closest thing we held to customer data was a credit card carbon imprint slip. (You have dated yourself if you remember these!) We destroyed the slips after some short time passed, once we knew the transaction was complete and there were no customer follow-ups.

The only breach that I was concerned about was a burglar busting through the door at night.

Small Business Cybersecurity With Enterprise Capability Powers

Today, though, the risk profile of small businesses has changed. Whether they know it or not, they are using enterprise-level functions (software, cloud computing, payment processing, connectivity, you name it), and with those functions they inherit the associated risk.

Nowadays, diligent small businesses must review contracts with service providers to determine data residency, retention and destruction requirements, or consider alternative cloud providers and web hosts that better cover small business cybersecurity. There is also a caveat to trading control for efficiency: as a small business, you may not get the support priority you need unless you pay top dollar. An enterprise may survive a million-dollar loss. A small business that loses a few thousand dollars at the wrong time closes its doors forever.

Enter the risk assessment. It is designed to inform your risk appetite, identify where to allocate resources and manage your annual cybersecurity budget.

Melding a Risk-Based Approach Into a Small Business

Small businesses likely have people wearing two or three hats. It is not uncommon for a business owner to find themselves working as CEO, CFO, CISO and cleanup crew, all in one. But whether it is one person in a small business or many people in an enterprise, some key questions can help quantify security risk. You can find these in the IBM Risk Quantification Smart Paper:

  • How do I build a business case about risk?
  • What is the overall return on investment of small business cybersecurity tools?
  • How can I address vulnerabilities and threats?
  • How does the company avoid the next headline or survive?

Pulling these answers together can help a small business decide what to fix, what to manage and what to outsource. Here are some further questions that, once answered, align efforts and define priorities:

  • Do you have a good understanding or consensus view of your small business’s cybersecurity risks?
  • Are all the relevant stakeholders viewing risk from relevant perspectives?
  • Does a common language to evaluate your risk exist?
  • Do you have the information you need to make a good decision?
  • Is your security strategy out of whack with your business strategy? And to take this point further for a small business, do you have a security strategy at all?
  • Do you have a methodology to measure risk?

Getting the Most Value Out of Your Limited Resources

Having grown up in the small business world, and running my own small businesses, I can promise you security is not top of mind. Sometimes all you are trying to do is manage payroll and pay taxes. But with that said, business risk is on your mind 24/7. Therefore, making small business owners and operators aware of today’s information security risks is crucial.

Some things are easy to fix when it comes to small business cybersecurity. Awareness and training are just elbow grease. Even for those who do not want to spend much money, there are many options, and free and low-cost tools exist. If you are managing your own infrastructure, that can get costlier if you are not maintaining it well, and some managed service provider assistance could be of use here. You may consider outsourcing some services, or find that the service provider you already use is too risky for your appetite. If you can afford it, a quick third-party assessment will give you a sense of where your risks are, visible or hidden.

Risk Assessments Make a Difference

It’s all in the risk assessment. The principles of a guideline like NIST SP 800-30, Guide for Conducting Risk Assessments, still apply to a small business even though the document was written for government agencies and enterprises. Its material will resonate with a business owner, even if it is just a glance at the executive summary.
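To make the quantification concrete, here is an added example that is not from the article, IBM or NIST: a minimal risk register in Python. It scores each risk on a five-point likelihood and impact scale in the style of the semi-quantitative tables in NIST SP 800-30, estimates annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence, a standard method the article itself does not name), checks whether a candidate control avoids more loss than it costs, and fits the recommended controls into an annual budget in priority order. The risks, dollar figures, control costs and reduction percentages are constructed sample values, not statistics.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    """One row of a small-business risk register (all values constructed for illustration)."""
    name: str
    likelihood: int           # 1 (very low) .. 5 (very high), SP 800-30 style scale
    impact: int               # 1 (very low) .. 5 (very high)
    sle: float                # single loss expectancy: dollars lost per incident
    aro: float                # annual rate of occurrence: expected incidents per year
    control: str              # candidate mitigation being priced
    control_cost: float       # annual cost of that mitigation, dollars
    control_reduction: float  # fraction of the ARO the mitigation removes (0..1)


def risk_score(r: Risk) -> int:
    """Semi-quantitative risk level: likelihood x impact, range 1..25."""
    return r.likelihood * r.impact


def ale(r: Risk) -> float:
    """Annualized loss expectancy with no additional controls."""
    return r.sle * r.aro


def net_benefit(r: Risk) -> float:
    """Expected annual loss avoided by the control, minus the control's annual cost."""
    return ale(r) * r.control_reduction - r.control_cost


def recommend(r: Risk) -> str:
    """Invest when the control pays for itself; otherwise accept and monitor the risk."""
    return "invest" if net_benefit(r) > 0 else "accept"


def rank(register: List[Risk]) -> List[str]:
    """Risk names ordered by score, highest first; ties broken by ALE."""
    ordered = sorted(register, key=lambda r: (risk_score(r), ale(r)), reverse=True)
    return [r.name for r in ordered]


def budget_plan(register: List[Risk], budget: float) -> Tuple[List[str], float]:
    """Greedy plan: fund recommended controls by risk score until the budget runs out."""
    funded, remaining = [], budget
    for r in sorted(register, key=risk_score, reverse=True):
        if recommend(r) == "invest" and r.control_cost <= remaining:
            funded.append(r.name)
            remaining -= r.control_cost
    return funded, remaining


# Constructed sample register for a small retail business.
SAMPLE_REGISTER = [
    Risk("Ransomware on the point-of-sale laptop", 4, 5, 40_000, 0.3,
         "offline backups plus endpoint protection", 1_200, 0.7),
    Risk("Payroll fraud via phished mailbox", 4, 3, 8_000, 0.5,
         "MFA on email and staff training", 500, 0.6),
    Risk("Hosting provider retains customer data past contract", 2, 4, 25_000, 0.1,
         "migrate to a provider with contractual deletion", 3_000, 0.5),
]

if __name__ == "__main__":
    for r in sorted(SAMPLE_REGISTER, key=risk_score, reverse=True):
        print(f"{r.name}: score={risk_score(r)} ALE=${ale(r):,.0f} "
              f"net=${net_benefit(r):,.0f} -> {recommend(r)} ({r.control})")
    print(budget_plan(SAMPLE_REGISTER, 1_500))
```

In the sample data the ransomware row scores 20 with an ALE of $12,000, and its $1,200 control avoids $8,400 a year, so it is the first thing to fund; the hosting-provider migration costs more than the loss it avoids at the assumed rate, so that risk is accepted and monitored rather than fixed. Replacing the constructed numbers with your own estimates, even rough ones, turns the exercise into the "what to fix, what to manage and what to outsource" decision the article describes.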

In closing, the main takeaway for small businesses is this: through no fault of your own, you have inherited a series of risks that can blindside you. Since these risks are in your orbit now, conduct the risk assessment, find out what matters to your business, devise cost-efficient strategies that protect it through reasonable investments, and decide what to fix, what to manage and, finally, what to outsource.
