Why SMBs Need to Take Cybersecurity Seriously
Information security is one of the top priorities of IT departments at companies in every industry — and with good reason. Cyberattacks are on the rise, and they are becoming increasingly sophisticated.
In this continuing series of security articles, we are looking at specific security issues and challenges facing a number of industries and types of companies. This installment focuses on one of the sectors most vulnerable to security breaches: small and medium businesses (SMBs).
The less-publicized risk
The data breaches you’re most likely to hear about are those launched against the biggest enterprises: Anthem, Home Depot, Sony Pictures Entertainment and Target, to name a few. Most people are familiar with these companies and many do business with them, so naturally when they suffer a security intrusion, it’s going to garner a lot of attention and be covered extensively in the media.
Larger organizations are natural targets for attackers. They generally handle lots of money, hold huge stores of valuable data and can bring a lot of attention to the “hacktivists” who go after them.
That doesn’t mean smaller companies are immune to attacks by hackers and other cybercriminals, however. Businesses of all sizes and in all industries are vulnerable to data breaches. In fact, SMBs can be especially attractive targets because in many cases they lack the resources to hire full-time cybersecurity experts or to purchase the latest and most effective security technologies, so an attacker who is turned away by a well-defended enterprise will often find a softer target in a smaller firm.
A different type of exposure
Small companies that conduct much of their business online and professional-services firms with high-stakes clients can both be victimized by opportunistic hackers. And while a large enterprise can absorb the cost of a data breach, a smaller company could lose a devastating number of customers or go out of business altogether after a major attack.
With new and more sophisticated security threats emerging constantly, protecting critical business data must be a high priority for any SMB. This includes learning about the various types of security threats and vulnerabilities that apply to the business, adding multiple layers of protection, and having a comprehensive disaster recovery strategy so that the business can keep operating if a defense fails.
The problem is that smaller businesses often can’t afford an enterprise-level portfolio of security technologies, and many of them don’t have a full-time cybersecurity executive or department.
“Outside of the same security threats and risks that all organizations must contemplate, SMBs definitely are further challenged by budget constraints, competing priorities and ensuring they have the most up-to-date knowledge to make the right decisions,” says Ami Kron, director of sales at Insight.
“In many cases, security concerns were not on the planning radar of most SMBs a few years ago. Now the added challenges of server/OS refresh activities have created a significant budget burden that wasn’t well planned for,” Kron says.
“Compromises are being made either to extend or delay OS upgrades and infrastructure upgrades, or take ‘short cuts’ on overhauling the security infrastructure,” he adds.
The SMB space often doesn’t have the resources to best approach the security-buying journey, so that knowledge gap, along with all the competing priorities, can lead to poor buying decisions, Kron notes.
An outside solution
One answer to the resource issue is to hire a managed security services provider, which can take on many of the organization’s information security functions. This is a viable option because it lets a company protect its assets against cyberthreats at every level while its own staff focus on running the business.
Before moving ahead with this strategy, SMBs first need to understand what types of threats target their businesses and what weaknesses exist in their own infrastructure. This can be accomplished through a security assessment, which not only establishes a security baseline to measure later progress against but also helps a company select the best service provider to protect the organization.
Research firm Forrester has developed a maturity model that provides functional descriptions and evaluation criteria for every aspect of a complete information security organization. It is the foundation for Forrester’s IT security and risk program assessment engagements, and it gives clients a comprehensive self-assessment tool.
The Forrester Information Security Maturity Model (October 2014) is a framework that describes all of the required functions and components of a comprehensive security program. Using a three-tiered hierarchy, it also provides a methodology for rating the maturity of each component on a consistent, prescriptive scale, so that results can be reported at a level of detail suited to different audiences, from technical staff to executives.
Engaging in assessments helps close “the knowledge gap that can lead to money being thrown at the wrong problem,” Kron says. “There are a number of vendors, resellers and independent security-solutions providers that offer various assessment types.”
One of the more common is penetration testing, in which testers probe and attempt to exploit an environment the way an attacker would, to identify exploitable vulnerabilities and weak points. “Similar offerings exist by different names, but they share the same focus: identifying risk. Assessments vary in pricing depending on the size of the environment being tested,” says Kron.
“Some rudimentary tests can even be found at no cost,” Kron says. “If a business feels that they are at particular risk or bound by regulatory rules to protect any data or transactions they have stored anywhere, there will be a need to seek out an assessment offering that will specifically cover those areas of risk.”
In some cases, it may be best to obtain assessment services from an independent party that doesn’t sell the products or from a reseller that can offer a broad-based solution that covers all aspects of security solutions, Kron says.
“Many of those companies may also offer response planning, an action plan for an individual business in the event a security incident or breach occurs,” he adds.
A leading concern is the amount of due diligence required before a business can entrust its IT infrastructure services to an outside party such as a managed services provider (MSP).
“That said, there are great advantages for SMBs to engage IT-as-a-Service companies that can take ownership of protecting and securing IT infrastructure,” Kron says. “The challenge is that a lot of business owners aren’t armed with the knowledge they need to vet the right providers.”
But the effort is worthwhile if the end result is a relationship with a reliable MSP that can take much of the worry out of protecting critical assets.
If you need an extension to your IT staff to help secure your SMB, contact Insight at 1.800.INSIGHT. To learn more about emerging security solutions and how they can impact your organization, visit us online. Ready to get down to business with security? Take the Forrester assessment here.