Realistic Cybersecurity for Small- and Mid-Sized EnterprisesPresident and CEO of Center for Responsible Enterprise and Trade
In June of this year, a data analytics firm working for the Republican National Committee left databases of 198 million U.S. citizen voter files exposed to the Internet without security, making the RNC susceptible to theft by cyber criminals for 10 to 14 days. Following the incident, the RNC suspended its relationship with the third-party firm.
Reading the headlines, it’s no surprise that cyber threats are on the increase and attacks are becoming increasingly sophisticated. While a breach may be a setback for a multinational, a cyberattack could be devastating for small- and mid-sized enterprises. The loss of critical business information, such as coveted trade secrets, or exposure of confidential customer information, like in the RNC breach, could easily put a small company out of business.
For many SMEs, there isn’t a sense of urgency about the threat. Many executives believe that attackers are more interested in targeting larger multinationals, rich with bounties of personally identifiable information and higher-value corporate data, such as innovative research and trade secrets. However, a recent study suggests that 61 percent of 2017 data breach victims (thus far) have been businesses with fewer than 1,000 employees.
Regardless of size, every company faces similar threats, and SMEs may actually be prime targets for a variety of reasons. A small retail company may be targeted due to the credit card data it possesses. Or, a small company that is part of a larger value chain can be viewed as easier prey to get into the backdoor of a multinational—as was the case of a major retailer in which attackers entered the network via a heating vendor’s credentials to an electronic billing link. Smaller companies may also be hit with a malicious software—malware—attack and have their systems turned into “zombie computers,” which can be used in larger attacks. Ransomware attackers also target smaller organizations, many of which will pay the ransom due to not having established protocols for data backups.
The risks are high, yet SMEs still fall short when it comes to cybersecurity. The 2016 State of SMB Cybersecurity study suggests that only 14 percent of small businesses rate their ability to mitigate cyber risks as highly effective. Why not be more proactive? For many SMEs, the costs can edge out to other priorities. Others find leading guidance—such as the ISO 27001 information security management system or the Cybersecurity Framework issued by the National Institute of Standards and Technology—is too technical or daunting to implement.
Small- and mid-sized enterprises must address ‘people, processes and technology’ for effective cybersecurity.
Many multinationals recognize the importance of robust cybersecurity among companies in their value chains. The Cyber Readiness Institute was recently launched with a specific focus on “developing cyber risk management content and tools to help small and medium-sized businesses, in order to secure global value chains.”
Ultimately, however, it is incumbent on small- and mid-sized enterprises to address the “people, processes and technology” required for effective cybersecurity.
People: As many reports suggest, insiders represent the greatest threat for sparking cyber breaches. It’s not always intentional—many are tricked into downloading malware by clicking on a link in an email; in other cases, the employee may be using weak passwords or the same ones across many systems. Here are some ways to improve cybersecurity among insiders:
- Train employees, contractors and others on cyber threats and communicate about the role they play in keeping the network secure. All should be vigilant in ensuring that the links they click on in emails and on websites are legitimate, employ strong passwords, and avoid public Wi-Fi networks. Pop-up warnings can also be used to provide real-time messages to users when they engage in computer or network behavior that raises risks.
- Understand who poses the greatest threat to confidential corporate assets—including senior executives, contractors, vendors and others—and ensure there are processes in place to address potential security risks (e.g., access control, monitoring of large data downloads, etc.).
Processes: Many companies have policies in place, yet they aren’t effective unless there are business processes to support adherence. Processes could include:
- Develop policies and associated practices and procedures specific to data security.
- Include data security in on-boarding and off-boarding of employees. When an employee starts at a company, they should be made aware of expected protocols around protecting confidential data and receive training to avoid common cyber “traps.” When departing, employee or contractor credentials should be inactivated and access denied to all systems.
- Prepare—every company should have a business continuity and incidence response plan in the event that systems are compromised. This includes system and data backups, communication plans, and cross-functional collaboration.
- Enforce strong standards for user identities and passwords.
Technology: The National Institute of Standards and Technology offers a helpful cybersecurity guide for small- and mid-sized enterprises, which aligns to the categories in the NIST Framework. A few actions that all companies can take:
- Automatically apply software security patches to help avoid missing an important update. Also keep security and all other software current.
- Build up technology defenses including the use of network firewalls and data encryption and segregated server storage for sensitive information. It’s also wise to block user access to untrustworthy Internet sites, among other actions.
- Use and enforce password protection and “need to know” access to confidential information.
- Collect data on all devices with network access, and ensure that all devices with Internet connectivity are protected from viruses and malware.
Whether a company has 10 or 1,000 employees, taking proactive steps that engage “people, processes and technology” will go a long way to building cyber resiliency and securing SMEs—the companies that are driving the economy and critical to global value chains.