Small and mid-sized businesses (SMBs) are unique in their security needs. They have received very little attention from the security industry beyond a drive-by visit from a hardware or software salesman. Their uniqueness doesn’t come from any special security situation, but from their size and the resources available to them.
Most security standards, frameworks, and guidance are focused on large businesses, governments, and financial institutions where resources are more abundant and attacks have been prevalent for decades. SMBs have only started seeing attacks in the last several years. They are having to catch up to the big guys very quickly. However, they are also under much tighter resource constraints. That doesn’t mean we can’t use these standards, frameworks, and guidance. However, it does mean that we need to adapt them to meet the needs of that different environment.
With both people and money, SMBs cannot afford to throw seemingly unlimited resources at the problem. Because of this, we must work to implement industry standards and best practices in a cost-effective and unobtrusive manner. Good news, though, it can be done! The following four areas are key to a successful security foundation in an SMB:
1. Planning
Planning is key to any implementation. A company security plan sets the tone for the secure operation across the company. It prescribes a level playing field for all users and demonstrates to clients, partners, and other stakeholders that your company takes the security of its information and computing resources seriously. In planning for incidents and disasters, it also defines processes to be followed in hectic and stressful times that guide your team through the difficult events quicker and with greater chance of success.
2. Secure Architecture
Much of the technical portion of cyber security can be accomplished through a secure architecture, including hardened baseline configurations for computer and network systems. A few other key systems include a boundary firewall and anti-malware protection for each computer system. While there are other types of security systems available, these are the only two I recommend across the board for all environments. Other types of systems may be useful in unique situations, but not for everyone.
3. User Awareness
Many modern cyber attacks targeting SMBs are actually targeting the users. While some of these attacks will be caught by your anti-malware software, many will slip through. This is where an educated and aware workforce can greatly bolster your defenses. With foundational training and periodic updates, people are much better than computers at spotting phishing, ransomware, and social engineering attempts.
4. Vulnerability and Risk Management
To manage your risk you must know your risk. Security is about risk management. There isn’t a simple yes or no answer. You are secure when the remaining risk is within your tolerance. To know your risk, though, you must regularly assess your environment for it. Since the threats and your environment change rapidly, a monthly or quarterly risk assessment is recommended. This helps you decide how to manage each risk through reduction (using the prior three focus areas), transfer (using cyber liability insurance), or acceptance of that risk. Assessments are the key to management. You must have current, high quality information to make good decisions.
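The assess-then-reduce/transfer/accept cycle above can be made concrete with a small risk register. The following Python is an added example, not part of the original post and not any particular framework's method: each risk is scored as likelihood times impact on a 1 to 5 scale, risks inside the company's stated tolerance are accepted, otherwise the cheapest candidate control (drawn from the planning, architecture, or awareness focus areas) that brings the score within tolerance is chosen, and a risk with no such control is flagged for transfer and review. All risks, controls, scores and costs are constructed for illustration and are not figures from the post.

```python
"""Added example: a minimal quarterly risk register for an SMB.

Score = likelihood (1 rare .. 5 expected) x impact (1 negligible .. 5 severe).
Decision per risk against a score tolerance:
  accept   - score already within tolerance
  reduce   - cheapest candidate control brings the score within tolerance
  transfer - no candidate control fits; insure and revisit next assessment
Everything below (risk names, numbers, costs) is constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    focus_area: str        # "planning", "architecture" or "awareness"
    likelihood_delta: int  # likelihood points the control removes
    impact_delta: int      # impact points the control removes
    annual_cost: int       # constructed cost figure, in currency units


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    candidate_controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def score_after(risk: Risk, control: Control) -> int:
    """Residual score if one control is applied; neither factor drops below 1."""
    likelihood = max(1, risk.likelihood - control.likelihood_delta)
    impact = max(1, risk.impact - control.impact_delta)
    return likelihood * impact


def treat(risk: Risk, tolerance: int) -> tuple:
    """Return (decision, detail) for one risk against a score tolerance."""
    if risk.score <= tolerance:
        return ("accept", None)
    # Only controls that actually bring the risk within tolerance count;
    # among those, pick the cheapest.
    fits = [c for c in risk.candidate_controls if score_after(risk, c) <= tolerance]
    if fits:
        best = min(fits, key=lambda c: c.annual_cost)
        return ("reduce", best.name)
    return ("transfer", "no candidate control within tolerance; insure and review")


def assess(register: list, tolerance: int) -> dict:
    """Treat every risk, highest score first, so the report reads top-down."""
    ordered = sorted(register, key=lambda r: -r.score)
    return {r.name: treat(r, tolerance) for r in ordered}


def total_exposure(register: list) -> int:
    """Sum of raw scores; comparing this between assessments shows the trend."""
    return sum(r.score for r in register)


# Constructed sample register (not data from the post).
REGISTER = [
    Risk("Phishing leads to credential theft", 4, 4, [
        Control("Awareness training", "awareness", 1, 0, 2000),
        Control("MFA on email and remote access", "architecture", 0, 3, 1500),
    ]),
    Risk("Ransomware encrypts file server", 3, 5, [
        Control("Tested offline backups", "planning", 0, 3, 1200),
        Control("Endpoint anti-malware", "architecture", 1, 0, 900),
    ]),
    Risk("Supplier email account compromise", 3, 3, []),
    Risk("Lost laptop with unencrypted data", 2, 3, [
        Control("Full-disk encryption", "architecture", 0, 2, 300),
    ]),
]

TOLERANCE = 6  # constructed: the company accepts any score of 6 or below


if __name__ == "__main__":
    for name, (decision, detail) in assess(REGISTER, TOLERANCE).items():
        print(f"{decision:8} {name}" + (f" -> {detail}" if detail else ""))
    print("total exposure:", total_exposure(REGISTER))
```

Running the register each quarter and keeping the previous output makes the trend visible: a control that was chosen last quarter should appear as a lower raw score this quarter, and a rising total exposure is the signal to revisit tolerance or budget before the next assessment.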
If you see the need in your company but think you might need help with the implementation, feel free to call or email.