Cybersecurity leadership for small businesses

For a small business, it is highly unlikely that there is a full-fledged cybersecurity team due to budgetary constraints. However, this does not mean that small businesses are not attacked.

In a previous role as a Detective Sergeant leading the Covert Operations and Cyber Crime teams, the number of successful attacks that my team and I were aware of was always high. The attack methods also varied, but what was consistent was that we saw relatively small amounts stolen, under £5k. This isn’t newsworthy, but it’s a significant blow to smaller businesses and a huge payoff for cybercriminals who likely spent minimal time on the attack.

Small businesses that lack the basics are the perfect target for cybercriminals. With a lack of security measures (including effective policies and procedures) and regular payments coming in and out of their bank accounts, it’s easy to see why smaller businesses are a prime target.

This high number of incidents means that, despite budgets, SMBs have no choice but to address cybersecurity. While having a large cybersecurity team in the same vein as an enterprise may be an unrealistic expectation, there are options for smaller organizations that want to show leadership when it comes to cybersecurity.

Adam Pilton

Cyber Security Advisor, CyberSmart.

In-house or outsourced

That smaller companies cannot afford to hire a full-time senior cybersecurity position means they have to make decisions. Do they hire a junior position or outsource cybersecurity leadership to a virtual CISO? The decision depends on the cybersecurity knowledge currently available within the company and the strategic vision of the company.

A junior role would allow the company to hire a full-time member of staff who would learn the business and its culture. This role would also have the opportunity to influence the culture and become the expert point of contact for cybersecurity questions; having someone in-house means they can be a visible point of contact and answer questions on mundane topics such as email.

However, this option has clear drawbacks. A more junior hire may lack experience and may not be able to deal with complex situations, which in turn could slow the progress the company makes in improving its cybersecurity position. There would also be additional costs associated with a more junior role, such as training and development requirements, although some organizations may view these as an investment.

Conversely, engaging the services of a virtual CISO means that the individual can hit the ground running, gain immediate experience and, most importantly, develop a strategy for the business. The flexibility in this outsourced, part-time role allows the business to use the CISO as and when they need them. If compliance is a business requirement, the CISO can ensure that relevant security regulations are adhered to.

But here too there are disadvantages. The virtual CISO would have to complete their work with less available time and would have no team to delegate work to. This means that they would either have to carry out the more mundane cybersecurity tasks themselves, or rely on unskilled staff to carry out this work as a secondary responsibility. The business would also likely face higher costs to engage someone at this level, and the fact that they work part-time could affect their responsiveness.

The final option to consider is a Managed Security Service Provider (MSSP). This could be a cost-effective way to have cybersecurity expertise available around the clock. The MSSP gets to know your business and can provide additional resources as the business grows.

However, it’s worth noting that by using an MSSP the company is essentially handing over control of its security to a third party, so it needs to choose the provider wisely. Depending on the MSSP used, the company may lose the benefit of a customized cybersecurity posture, as some MSSPs will use the same products for all their customers. The last point worth considering is the additional costs. Extra charges may apply for some services, and for incidents at the company that require expertise and additional resources.

When to take the cyber leap

The answer to this question varies by company. Smaller companies should look at Cyber Essentials to ensure they have the basics covered and are no longer the low-hanging fruit.

Smaller companies that have achieved Cyber Essentials should then consider obtaining Cyber Essentials Plus. This acts as a third-party verification that the controls within Cyber Essentials have been implemented correctly. Most importantly, this standard must be maintained throughout the year.

As your business grows, it’s even more important to understand what assets are important to you, how you protect them, and what processes you have in place should the worst happen. This is when the workload increases and can become too much for the person(s) currently responsible for cybersecurity.

Another factor to consider is the industry you operate in. If you operate in a highly regulated industry, it may be wise to engage a cybersecurity specialist sooner. They will help ensure that your business meets the standards required to maintain compliance and keep your business running.

Often, businesses will recruit cybersecurity staff after a breach has occurred. While this is understandable, this is not the ideal time. Most businesses would have already spent a significant amount of money responding to and recovering from the breach, and recruiting staff at this stage will likely mean rushing things; this can lead to hasty, incorrect and expensive decisions.

Promoting a culture of security

One of the biggest challenges facing organizations of all sizes, but especially smaller organizations, is cybersecurity awareness. Ensuring that everyone in the company is aware of the latest threats and how they could impact their role is critical.

A company can spend a significant amount of money to protect itself, but if one person is unaware of the latest threat and clicks on a phishing email or is tricked by an AI-powered fake call, those controls are likely to be ineffective.

Creating a culture where cybersecurity is both important and a consideration in day-to-day operations is difficult, but it is easier to achieve when a company is smaller. Communication is simpler, especially for messages from senior leaders, who are likely to be closer to the front lines of the organization.

A strong culture within a small business promotes shared responsibility across its limited resources, giving the company a level of security that suits whatever workforce it may go on to hire.


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in technology today. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
