Small and midsize businesses (SMBs; organizations with fewer than 1,000 employees) are often unprepared for cyber attacks because of the mistaken belief that attackers are only interested in large enterprises with deep pockets. In fact, 43% of all data breaches involve SMBs. These organizations are an attractive target for ransomware, financial fraud, and supply chain attacks because their cybersecurity practices are often less mature. Organizations that do not take precautions against cyber threats risk significant interruptions to financial and business continuity, not to mention a tarnished reputation. Breaches may also affect the expectations and rights of clients, customers, or residents, particularly if compliance requirements are not met. But SMBs need not have Fortune 500-sized IT budgets to protect their data and keep it out of the hands of attackers. Below, Dudek’s Chief Information Officer Brian Nordmann outlines three ways small and midsize organizations can reduce cyber risks.
Perform a Gap Analysis
In general, performing a gap analysis involves identifying the current situation, determining where you want to be, evaluating the gaps (hence the name) between where you are and where you want to be, and then establishing a plan to close those gaps to reduce the risk of cyber attack. For a cybersecurity gap analysis, the process may look as follows:
- Identify the current situation by creating an information security program document. This should document where you are currently and mature over time. Describe your firm’s approach to risk management and clearly outline roles and responsibilities, security policies, and controls.
- Determine where you want to be by adopting a security framework. Pick a framework to benchmark against based on industry compliance requirements. If there aren’t any requirements for your industry, you can benchmark to requirements from the Center for Internet Security, National Institute of Standards and Technology, or Cybersecurity Maturity Model Certification.
- Evaluate the gaps by revisiting the standards established in your framework. Analyze how your organization is meeting, exceeding, or failing against these benchmarks. The gap analysis should document the firm’s current state via free self-assessment resources or a third party if the budget allows.
- Establish a plan to close the gaps by synthesizing all of the above. Your plan should take into consideration your organization’s ideal future state and IT goals in the context of the established security framework. Periodically, you should review the gaps between your organization’s current state and goals, in order to prioritize remedies.
Nordmann said, “It’s important to document and discuss current cyber risk gaps with leadership, and plan to address cyber-vulnerability priorities. The conversation should be about acceptable risk tolerance and continual improvement over time.”
Start with Quick Wins for Cyber Risk Reduction
Once your plan is in place, you can start taking action. Though many initiatives in your plan may have a longer time horizon, there are simple actions you can take immediately to realize some quick wins. Nordmann said, “Address the low-hanging fruit first and then plan for more involved projects and programs. Focus on security solutions that will have the biggest bang for the buck.” There are many no- or low-cost solutions that can have a major impact on cyber-security, including:
- Patch now!
- Enable 2FA/MFA
- Put baseline security policies in place
- Document what you do when faced with security situations and include an incident response plan in your security program document
- Conduct low-cost pen tests and vulnerability assessments to identify risks to infrastructure such as misconfigured VPN/firewalls, cloud services, or web apps
- Conduct a security awareness program/training
Develop a Roadmap for Continual Improvement
Don’t stop once your plan is in place and you’ve achieved some quick wins. Long-term cyber security requires constant vigilance and upkeep. Maintenance requires building an annual roadmap outlining initiatives for the year based on perceived cyber risks. Then, you should revisit your roadmap annually, adjusting your plan as needed.
There are various resources you can rely on to carry out the initiatives in your cybersecurity roadmap that don’t require endless coffers of cash. Managed cybersecurity services offer a variety of security tools and services priced to scale with the number of end users or computers, rather than the large upfront capital expenditures traditionally associated with building an in-house security capability. Additionally, there are many free resources available, including:
- FRSecure: checklists, playbooks, policy templates, cheat sheets
- Cybersecurity and Infrastructure Security Agency: cybersecurity assessments
- Microsoft Security Partners: Microsoft (and many other vendors) offer trusted advisors and solutions when working with their cybersecurity partners.
As technologies advance, it’s critical for businesses to remain vigilant and flexible. Reducing cyber risks doesn’t require a large IT budget; an actionable cybersecurity strategy can be established without significant financial investment and still deliver measurable results. SMBs can confidently step into 2022 with a solid plan in place to reduce cyber risks this year and well beyond.