When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.

However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity, every SMB needs to develop an internal cybersecurity program to address the small problems before they escalate into data breaches and other major cyber incidents.

Getting Started With a Cybersecurity Program

You can’t put together a cybersecurity program without knowing what it entails. An information security program is a collection of policies and processes, as well as deploying tools to monitor and protect your company’s data and network assets, explained Patrick Keating, a 20-year security expert, to an (ISC)2 Security Congress audience. Although monitoring and protection services may be something you outsource to a Managed Security Service Provider (MSSP) or to an experienced consultant, you are responsible for defining the processes and policies of your SMB cybersecurity program. You want a program that will “protect the confidentiality, integrity and availability of your company’s data,” Keating advised. 

To successfully carry out this process, you first need to know what your data assets are. Simply put, you can’t protect what you don’t know. Many organizations do not know how much data they accumulate on any given day, what types of data are on hand or where the data is stored.

Next, you need to know what type of security is already in place and what type of technology you are using. How many devices are connected to the network, including IoT and personally owned devices, and how are they protected? For an SMB, it can even come down to knowing which operating systems are used across the company and whether they are still under protection. As Keating pointed out, many people think that cybersecurity is simply adding anti-virus software to your computer and maybe your smartphone. While that is one component of your security program, it’s just one step in the process.
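The inventory questions above (which devices are on the network, who owns them, whether their operating system is still supported and whether they carry endpoint protection) can be answered mechanically once the inventory is written down. The following script is an added example, not code from the article or from Keating; the operating-system names, version numbers, end-of-support dates and device records are all constructed placeholders, and a real program would replace them with the vendor’s published support dates and an export from the asset-management or MDM tool.

```python
from dataclasses import dataclass
from datetime import date

# Constructed support table: (os, version) -> last day of vendor support.
# These names and dates are placeholders, not real end-of-support data.
SUPPORT_END = {
    ("ExampleOS", "10"): date(2025, 10, 14),
    ("ExampleOS", "11"): date(2031, 1, 1),
    ("ExamplePhoneOS", "15"): date(2024, 6, 1),
    ("ExamplePhoneOS", "17"): date(2027, 6, 1),
}


@dataclass
class Device:
    name: str
    os: str
    os_version: str
    owner: str                  # "company" or "personal"
    kind: str                   # "laptop", "phone" or "iot"
    network_segment: str        # "corp" or "iot-vlan"
    has_endpoint_protection: bool
    enrolled_in_mdm: bool


# Constructed sample inventory, the kind of list an SMB would export from
# its MDM, directory or a spreadsheet kept by the office manager.
INVENTORY = [
    Device("acct-laptop-01", "ExampleOS", "11", "company", "laptop", "corp", True, True),
    Device("front-desk-pc", "ExampleOS", "10", "company", "laptop", "corp", True, True),
    Device("owner-phone", "ExamplePhoneOS", "15", "personal", "phone", "corp", False, False),
    Device("lobby-camera", "CamFirmware", "2.1", "company", "iot", "corp", False, False),
    Device("dev-laptop-07", "ExampleOS", "11", "personal", "laptop", "corp", True, True),
]


def check_device(dev: Device, today: date) -> list:
    """Return the list of gaps found for one device (empty if none)."""
    findings = []
    end = SUPPORT_END.get((dev.os, dev.os_version))
    if end is None:
        # An OS the support table has never heard of is itself a gap:
        # nobody knows whether it still receives security updates.
        findings.append("unknown OS/version: no support data on record")
    elif end < today:
        findings.append(f"OS {dev.os} {dev.os_version} left support on {end}")
    # Laptops and phones are expected to run endpoint protection.
    if dev.kind in ("laptop", "phone") and not dev.has_endpoint_protection:
        findings.append("no endpoint protection")
    # Personally owned devices touching company data should be under MDM.
    if dev.owner == "personal" and not dev.enrolled_in_mdm:
        findings.append("personal device not enrolled in MDM")
    # IoT gear usually cannot run an agent, so it should live on its own segment.
    if dev.kind == "iot" and dev.network_segment != "iot-vlan":
        findings.append("IoT device on the corporate segment instead of a segregated network")
    return findings


def assess_inventory(inventory: list, today: date) -> dict:
    """Map device name -> findings, listing only devices that have at least one."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


def count_by(inventory: list, attribute: str) -> dict:
    """Count devices by an attribute such as 'kind' or 'owner'."""
    counts = {}
    for dev in inventory:
        key = getattr(dev, attribute)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2026, 1, 15)  # constructed assessment date
    print("Devices by kind:", count_by(INVENTORY, "kind"))
    print("Devices by owner:", count_by(INVENTORY, "owner"))
    for name, findings in assess_inventory(INVENTORY, today).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run on the constructed inventory with the assessment date above, the report lists the front-desk PC (operating system past its support date), the owner’s personal phone (unsupported OS, no endpoint protection, not enrolled in MDM) and the lobby camera (no support data on record, sitting on the corporate segment), while the two fully managed laptops produce no findings. The useful property is that the same check can be re-run every month as the support table and the inventory change, which is what turns a one-off audit into part of a program.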

This process can feel overwhelming, but with an expanding threat landscape and a growing number of data privacy regulations, protecting all of your assets is necessary.

Small Business Cybersecurity Framework

According to Keating, the most organized method to begin building a small business cybersecurity program is to use a security framework. 

“Security frameworks consist of standards, guidelines, best practices that are collected and organized in such a way that’s easily achievable and a great way to communicate what you’re trying to do,” Keating says. 

Frameworks can help you identify where your company currently stands on cybersecurity policies and where your organization has room to grow. The frameworks are written in plain language, so even non-technical individuals can understand why cybersecurity is vital to business operations and how to implement a program.

Most business leaders, no matter the size of the organization, do not understand how big their security holes are or where the lapses in security standards are. For example, a financial services company might have a great incident response program in place, but may not have the correct detection tools in place, or could be unaware of what an anomaly within the organization looks like.

Several security frameworks you can reference to get started include those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Center for Internet Security (CIS). The framework you follow will depend on the industry you are in and where your organization is on its cybersecurity journey.

Once the framework is in place, the next step is to find the gaps in your system. This process will pinpoint the vulnerabilities in your infrastructure. You may find patterns where those gaps are identified, which brings your security posture into sharper focus. This is the part of the process where outside help is needed, such as the MSSP or a penetration testing vendor. After you discover the gaps, you can decide on a direction for your security roadmap and build your program.

The Small Business Cybersecurity Program Structure

In order to create a successful cybersecurity program, everyone in your organization must be aware of the program. Additionally, you need to create buy-in from employees to adhere to the program. For that to happen, your employees need to understand what their role will be.

It is easiest to spell it out in a formal structure, like this:

  • Purpose. What is the purpose behind your cybersecurity program? What are your valuable assets? Why do you need limits on data access? 
  • Policy statements. Do you have written policies on topics such as remote work and personal device security behaviors, saving company data on non-company storage devices and the use of unapproved IT?
  • Monitoring and Assessments. Who is responsible for working with MSSPs or other security vendors on governance, data monitoring and reporting and auditing? What level of these jobs do you want—or are you required to have for compliance and industry regulations—to deploy?
  • Security awareness training. Security education is a key part of any cybersecurity program, and the more education you provide the better. Anyone who touches your data should be able to recognize a phishing email and know when to report suspicious situations.

“Hope is not a strategy,” said Keating. “You hope for the best, but plan for the worst.” This can be a guiding star for your cybersecurity program. No one wants to be the victim of a cyber incident, but when you build a small business cybersecurity program, you are investing in the security of your business and taking the necessary steps to best protect your most valuable assets. 
