When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.
However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity, every SMB needs to develop an internal cybersecurity program to address the small problems before they escalate into data breaches and other major cyber incidents.
Getting Started With a Cybersecurity Program
You can’t put together a cybersecurity program without knowing what it entails. An information security program is a collection of policies and processes, as well as deploying tools to monitor and protect your company’s data and network assets, explained Patrick Keating, a 20-year security expert, to an (ISC)2 Security Congress audience. Although monitoring and protection services may be something you outsource to a Managed Security Service Provider (MSSP) or to an experienced consultant, you are responsible for defining the processes and policies of your SMB cybersecurity program. You want a program that will “protect the confidentiality, integrity and availability of your company’s data,” Keating advised.
To successfully carry out this process, first, you need to know what your data assets are. Simply said, you can’t protect what you don’t know. Many organizations do not know how much data they accumulate on any given day, what types of data are on hand or where the data is stored.
Next, you need to know what type of security is already in place and what type of technology you are using. How many devices are connected to the network, including IoT and personally owned devices, and how are they protected? For an SMB, it can even come down to knowing what operating systems are used across the company and if they are still under protection. As Keating pointed out, there are a lot of people who think that cybersecurity is simply adding anti-virus software to your computer and maybe your smartphone. While that’s one component of your security program, it’s just one step in the process.
This process can feel overwhelming, but with an expanding threat landscape and a growing number of data privacy regulations, protecting all of your assets is necessary.
Small Business Cybersecurity Framework
According to Keating, the most organized method to begin building a small business cybersecurity program is to use a security framework.
“Security frameworks consist of standards, guidelines, best practices that are collected and organized in such a way that’s easily achievable and a great way to communicate what you’re trying to do,” Keating says.
Frameworks can help you identify where your company currently measures up in cybersecurity policies and the potential for where your organization can scale. The frameworks are written in plain language so even non-technical individuals can understand why cybersecurity is vital to business operations and how to implement a program.
Most business leaders, no matter the size of the organization, do not understand how big their security holes are or where the lapses in security standards are. For example, a financial services company might have a great incident response program in place, but may not have the correct detection tools in place, or could be unaware of what an anomaly within the organization looks like.
Several security frameworks you can reference to get you started include the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) and the Center for Internet Security (CIS). The type of framework you follow will depend on the type of industry you are in and where your organization is on your cyber security journey.
Once the framework is in place, the next step is to find the gaps in your system. This process will pinpoint the vulnerabilities in your infrastructure. You may find patterns that occur where those gaps are identified, which brings your security system into a sharper image. This is a part of the process where outside help is needed, such as the MSSP or a Penetration Testing vendor. After you discover gaps, then you can decide on a direction for your security roadmap and build your program.
The Small Business Cybersecurity Program Structure
In order to create a successful cybersecurity program, everyone in your organization must be aware of the program. Additionally, you need to create buy-in from employees to adhere to the program. For that to happen, your employees need to understand what their role will be.
It is easiest to spell it out in a formal structure, like this:
- Purpose. What is the purpose behind your cybersecurity program? What are your valuable assets? Why do you need limits on data access?
- Policy statements. Do you have written policies on topics such as remote work and personal device security behaviors, saving company data on non-company storage devices and the use of unapproved IT?
- Monitoring and Assessments. Who is responsible for working with MSSPs or other security vendors on governance, data monitoring and reporting and auditing? What level of these jobs do you want—or are you required to have for compliance and industry regulations—to deploy?
- Security awareness training. Security education is a key part of any cyber security program, and the more education you provide the better. Anyone who touches your data should be able to recognize a phishing email and know when to report suspicious situations.
“Hope is not a strategy,” said Keating. “You hope for the best, but plan for the worst.” This can be a guiding star for your cybersecurity program. No one wants to be the victim of a cyber incident, but when you build a small business cybersecurity program, you are investing in the security of your business and taking the necessary steps to best protect your most valuable assets.