Risk Management

Cyber hygiene not just a big business problem

SMBs should first assess, then prioritize where to channel their limited resources, experts say.

Illustration: Anna Kim, Photo: Adobe Stock


For resource-strapped small and midsize businesses, staring down the gargantuan and ever-evolving cybersecurity threats might make them feel like David staring down Goliath.

The good news is, like David’s expert use of a slingshot to defeat his towering foe, SMBs can still use the limited money and tools at their disposal to mount a respectable defense, according to experts in both cybersecurity and finance.

Without large amounts of cash to spend on a robust cyber program or the ability to hire an army of internal experts, smaller firms tend to think of cybersecurity as “an afterthought,” Travis Wong, VP of customer engagement at cyber insurance company Resilience, told CFO Brew. The truth is, threat actors will target any organization, regardless of size, if they see opportunity, he said.

“What we recommend, and what we encourage all our clients to recognize, is that cyber risk isn’t just an IT risk. It is a holistic business risk,” Wong said. Those who fail to view cyber as an enterprise risk, he added, “may be underestimating the overall impact that a cyber event could have on their ability to sustain business and satisfy their customers’ needs.”

Warning signs. Research shows the threat to SMBs is very real. According to a report from cybersecurity firm Barracuda, employees of small businesses receive 350% more social-engineering attacks, such as phishing, than employees of larger firms.

“It’s really clear that small and medium businesses are really waking up to the fact that they need to take cybersecurity seriously and they’re not under the radar,” Karen Walker, CFO of cloud security firm Sysdig, told CFO Brew.

It seems that smaller businesses are getting the message. According to a report from password manager LastPass and research firm InnovateMR, 9 in 10 IT leaders and 4 in 5 non-IT leaders at SMBs said they were paying more attention to cybersecurity than they were a year ago, while 82% of SMBs reported that their cybersecurity budgets have grown year over year.

Spend wisely. For SMBs, putting together a comprehensive cybersecurity program might feel like an impossible task given their limited budgets. But there are steps they can take to maximize their investment, experts said.

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

Walker provided three “top priorities” that SMBs should accomplish: complete a risk assessment, invest in security vendors, and train employees on best practices in cybersecurity.

A risk assessment is an important first step, Walker said, because it will show a firm what its most critical digital assets and greatest risks are, and what the financial impact would be if those were compromised.

“This is something that if companies start with, then they’ll be able to better prioritize their risks, customize their program, and allocate their resources effectively,” Walker said.

Wong, too, recommended that all organizations have at least some form of employee awareness and training as part of their programs. The training could include a simulated phishing email, generated in-house, to test how well employees can spot malicious messages.

“From an attack vector perspective, humans are still the No. 1 weakness, but can also be the greatest strength of an organization,” he said.

Common oopsies. While no two small businesses are the same, there are fairly common mistakes they make, according to experts.

One issue that Resilience frequently encounters is that access control systems, which manage who has access to what in a network, will have only one or two sets of permissions across the entire organization, Wong said. This lax protection opens up opportunities for threat actors to move data around or install programs or software. He recommended SMBs follow a “least privilege model…so that only those who need to do something, have the ability to do.”

SMBs can also mistakenly think that, if they’re on the cloud, they’ll be adequately protected by the tools that cloud service providers (CSPs) give them, according to Walker.

“They need to actually take security into their own hands, even if they’re outsourcing it,” she said. “They can’t just rely on CSPs to be safe in the cloud.”
