I get it. It’s tough for a small business to build a cyber program. Understandably, most small businesses are under the impression that cybersecurity solutions and consultants focus only on large enterprise companies. After all, that’s where the money is.
I remember speaking with a member of a top cybersecurity consulting firm, who shall remain unnamed, who told me that any leads under $10,000 are immediately thrown in the garbage. He said, “You can have them all if you want.” The basic premise was that any deal less than that didn’t even exist to them. And there are plenty of firms whose minimum is much greater than $10,000. Compared to large enterprises, many small businesses feel like they are on their own. This is doubly problematic because they often lack the security expertise found in large enterprises. This is probably why 23% of small businesses experienced a cyber-attack in the past 12 months (as of May) at an average cost of just over $25,000, according to Hiscox’s Cyber Readiness Report 2021, cited in Infosecurity Magazine’s article about cyber-attacks on small businesses.
So what’s a small business to do?
Conduct a Risk Assessment
You’re small and potentially unfamiliar with risk registers, so this doesn’t need to be an intense process.
The key is to sit down with as many key people in your business as possible and brainstorm all the possible risks your business faces. Which risks keep you up at night? Which would have the biggest impact on your ability to operate and on revenue? What risks have you perhaps not thought of?
From there, assign a likelihood and impact estimate for each risk. This should be based on a risk’s impact on key operations and revenue, whether through the stoppage of operations, fines or reputation loss.
The output will be a basic risk register that you can use to track your biggest risks over time and ensure that your security program stays focused on the risks that would have the greatest impact on your operations and revenues.
Implement a Framework
For businesses of all sizes, the next step is the same. Pick a framework, and then implement it. Unfortunately, most of the frameworks can be large and unwieldy for many small businesses.
For small businesses just starting their cybersecurity programs, I recommend the CIS Top 18 (perhaps better known by its previous name, the CIS Top 20) Implementation Group 1. This is a smaller, more manageable list of controls to implement, which will hit the basics of most of the key areas.
As your security program matures, you can then consider Implementation Group 2 or another framework.
Consider Small Business Consulting Firms and Platforms
While third-party help can seem cost-prohibitive for many small businesses, there are some consulting firms and software platforms that cater specifically to small businesses.
One firm, Trava, specializes in protecting small and medium-sized businesses from the potential damage of cyber threats. Trava co-founder and CEO Jim Goldman was inspired to build a cybersecurity solution dedicated to SMBs when he served as the task force officer on National Security and Criminal Cyber Squads at the FBI. “One of the things I learned,” said Goldman, “was that when an enterprise-scale company experienced criminal activity, they were able to address the event and would typically recover financially. But when a small business experienced criminal activity, they would likely not recover.”
When involving a third-party firm, it’s important to ensure they’re reputable and experienced in working with small businesses. Your needs will be much different from those of large companies, and recommendations that might be valuable to a large enterprise often won’t apply to you.