The U.S. Small Business Administration recently launched a new pilot program to help small businesses improve their cybersecurity infrastructure. As business owners everywhere face increasing cyber risks and challenges that could cripple their operations, the SBA has committed to awarding millions in grants to help entrepreneurs defend against cyberthreats.
The program should also serve as a wake-up call for small-business operators across the country, many of whom think they are simply not big enough or visible enough to be victimized by cybercriminals. This is not true. Small businesses are just as likely to be targeted by cybercriminals as large enterprises.
Of course, a lot of small-business owners do understand the threat they’re up against. But many of them don’t know where to begin when it comes to building an effective and practical cybersecurity program. If that describes you, here are three easy steps your company can take to better defend your business.
1. Prioritize your risk areas.
No organization in the world has enough money or expertise to eliminate every single cyberthreat. That’s why it’s so important, especially for small businesses, to prioritize risk areas. For example, is there a risk to human life if your business is attacked? For most small businesses, the answer is no. But if you run a small healthcare company such as a hospital, you might have internet-connected health-monitoring devices that, if tampered with, could cause direct harm to your patients. If this is the case, then those systems must be prioritized. You must protect the health and safety of your patients first and foremost.
Another priority risk, which is shared by all small businesses, is revenue risk. If cybercriminals attack your e-commerce site or your point-of-sale systems, for instance, that can devastate your business. So it’s important to focus on protecting those assets before almost anything else.
Other high-priority risks include reputational risk and regulatory risk. If you experience a breach, are you capable of taking all the steps required by state and federal regulations? If you can’t, you could be out a lot of money. Last year, for example, the New York Department of Financial Services began taking action against companies that fail to comply with its cybersecurity regulations, imposing millions of dollars in civil penalties. New York is one of many states, including California, Virginia and Illinois, that have enacted such laws, and federal regulators such as the SEC are applying similar requirements to broader groups nationally.
2. Align your cybersecurity strategy with the expertise on your team.
Many small businesses hire a single cyber expert, typically a hands-on practitioner, thinking that person can handle their entire security program. The problem is that no one person will be able to do all that needs to be done. A person might be an expert practitioner in the use of tactical tools like firewalls, for example, but they might not have the experience required to develop and manage a strategic plan that takes into account what your organization needs to be thinking about next or how your security budget should be allocated.
This is why organizations that are able to hire cyber experts need to balance strategic leadership with their hands-on experts. In other words, the strategy must be defined by someone with the appropriate experience.
For companies without an in-house team, you can consider hiring a virtual chief information security officer on a part-time basis. (Full disclosure: My company provides vCISO services, as do others.) A vCISO can bring a broad range of expertise and capabilities to your business, as well as ensure alignment with regulatory requirements, without the burden of paying a high salary.
3. Lay a stronger cyber foundation.
Cyber insurance can help cover losses and penalties that result from a data breach or cyberattack, such as ransomware. This type of insurance is important for every sort of business, especially when you consider that the average cost of a data breach in 2021 was $4.24 million, according to IBM and the Ponemon Institute.
The problem is that some companies applying for cyber insurance are rejected because they don’t meet the requirements. A company that cannot obtain cyber insurance often becomes a concern for investors, complicates mergers and acquisitions, and may fail downstream customer contract requirements. Doing some basic homework and understanding what those requirements are in advance will go a long way toward getting coverage.
For instance, having certain security controls in place, such as multifactor authentication (MFA), may help your small business get ahead of the curve and prove to insurance providers that you’re a worthwhile risk. MFA is fast becoming a critical security feature for companies because, when implemented, an attacker needs more than just a stolen password to get into your systems and cause damage.
Small businesses continue to make the mistake of thinking they are less attractive to cyberattackers than large enterprises. As a result, they underinvest in security, which can make them sitting ducks. Keep in mind that cybercriminals, most of whom are financially motivated, are not seeking out the biggest targets but the easiest targets. By taking a few basic steps, your small business can thwart would-be bad actors and better protect itself against a successful cyberattack.
By Doug Howard