When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.

However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity, every SMB needs to develop an internal cybersecurity program to address the small problems before they escalate into data breaches and other major cyber incidents.

Getting Started With a Cybersecurity Program 

You can’t put together a cybersecurity program without knowing what it entails. An information security program is a collection of policies and processes, as well as deploying tools to monitor and protect your company’s data and network assets, explained Patrick Keating, a 20-year security expert, to an (ISC)2 Security Congress audience. Although monitoring and protection services may be something you outsource to a Managed Security Service Provider (MSSP) or to an experienced consultant, you are responsible for defining the processes and policies of your SMB cybersecurity program. You want a program that will “protect the confidentiality, integrity and availability of your company’s data,” Keating advised. 

To successfully carry out this process, first, you need to know what your data assets are. Simply said, you can’t protect what you don’t know. Many organizations do not know how much data they accumulate on any given day, what types of data are on hand or where the data is stored. 

Next, you need to know what type of security is already in place and what type of technology you are using. How many devices are connected to the network, including IoT and personally owned devices, and how are they protected? For an SMB, it can even come down to knowing what operating systems are used across the company and if they are still under protection. As Keating pointed out, there are a lot of people who think that cybersecurity is simply adding anti-virus software to your computer and maybe your smartphone. While that’s one component of your security program, it’s just one step in the process.

This process can feel overwhelming, but with an expanding threat landscape and a growing number of data privacy regulations, protecting all of your assets is necessary. 

Small Business Cybersecurity Framework

According to Keating, the most organized method to begin building a small business cybersecurity program is to use a security framework. 

“Security frameworks consist of standards, guidelines, best practices that are collected and organized in such a way that’s easily achievable and a great way to communicate what you’re trying to do,” Keating says. 

Frameworks can help you identify where your company currently measures up in cybersecurity policies and the potential for where your organization can scale. The frameworks are written in plain language so even non-technical individuals can understand why cybersecurity is vital to business operations and how to implement a program.

Most business leaders, no matter the size of the organization, do not understand how big their security holes are or where the lapses in security standards are. For example, a financial services company might have a great incident response program in place, but may not have the correct detection tools in place, or could be unaware of what an anomaly within the organization looks like.

Several security frameworks you can reference to get you started include the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) and the Center for Internet Security (CIS). The type of framework you follow will depend on the type of industry you are in and where your organization is on your cyber security journey.

Once the framework is in place, the next step is to find the gaps in your system. This process will pinpoint the vulnerabilities in your infrastructure. You may find patterns that occur where those gaps are identified, which brings your security system into a sharper image. This is a part of the process where outside help is needed, such as the MSSP or a Penetration Testing vendor. After you discover gaps, then you can decide on a direction for your security roadmap and build your program.

The Small Business Cybersecurity Program Structure

In order to create a successful cybersecurity program, everyone in your organization must be aware of the program. Additionally, you need to create buy-in from employees to adhere to the program. For that to happen, your employees need to understand what their role will be.

It is easiest to spell it out in a formal structure, like this:

  • Purpose. What is the purpose behind your cybersecurity program? What are your valuable assets? Why do you need limits on data access? 
  • Policy statements. Do you have written policies on topics such as remote work and personal device security behaviors, saving company data on non-company storage devices and the use of unapproved IT?
  • Monitoring and Assessments. Who is responsible for working with MSSPs or other security vendors on governance, data monitoring and reporting and auditing? What level of these jobs do you want—or are you required to have for compliance and industry regulations—to deploy?
  • Security awareness training. Security education is a key part of any cyber security program, and the more education you provide the better. Anyone who touches your data should be able to recognize a phishing email and know when to report suspicious situations.

“Hope is not a strategy,” said Keating. “You hope for the best, but plan for the worst.” This can be a guiding star for your cybersecurity program. No one wants to be the victim of a cyber incident, but when you build a small business cybersecurity program, you are investing in the security of your business and taking the necessary steps to best protect your most valuable assets. 

More from Mobile Security

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

Switching to 5G? Know Your Integrated Security Controls

5G is a big leap in mobile technology. It presents enterprises and service providers with capabilities for advanced applications, content delivery and digital engagement anywhere. It enables businesses with new use cases and integrated security needs to have a trusted network and application/data delivery function. How does one build a secure 5G network that provides the level of trust required by users today and in the future? The Benefits of 5G 5G's new use cases come from: Customized network slices…