Now Every Organization Can Have Cyber Safety
A guide for smaller businesses and the companies who service them.
Let’s face it, whenever you talk cybersecurity to smaller companies, they raise their eyes to the heavens. If you’re lucky, they’ll repeat the reasons why they have not embraced, and cannot embrace, the protection that cybersecurity offers. Then I thought, wait a minute, there’s a simple solution to this. This article addresses their legitimate concerns and proposes a viable path to reduce risk to, or even below, the level of the largest organizations.
This article is Part 1 of three activities. Part 2 is a free interactive workshop and Part 3 is a Virtual CSO service offered to bring you the expertise you’ll need to execute the ideas long term.
Audience
This article is not written just for small to medium-sized organizations. In line with ISE’s readership, it’s written for those service providers, system integrators and suppliers who have banged their head against this wall until it hurts.
The Background: Why SMBs Have Not Protected Themselves
Executives are not aware of the persistent, growing and damaging dangers of cybersecurity. It’s War! Even if they are motivated to act, they are at a loss regarding what actions they can take:
They think: “It probably won’t happen to us.” The facts are at odds with this. 73% of businesses with <1,000 employees were attacked last year, with costs averaging $200k. 41% of small businesses were breached in 2023, 43% up from 2022. 60% folded within six months of an attack.
Top-end solutions are beginning to use AI to offer defenses for the largest corporations, but threat actors are using Generative AI to dramatically increase the level of attacks, targeting smaller businesses, right now. These state-run attackers have become an essential part of their country’s economies. This is no passing fad. However, knowing this doesn’t alter the fact that smaller organizations just don’t have the expertise, budget, or resources to defend themselves.
Lack of Expertise
When we say “Small to Medium Businesses” (SMBs), it’s less about their size and more about where they sit in the markets they serve. Many don’t have IT expertise, let alone cybersecurity understanding. Many outsource IT or networking to cloud providers or managed service providers who also provide security. Unfortunately, this effectively abdicates responsibility rather than delegating it. Whoever is responsible for IT can become overwhelmed, with no way to prioritize actions. They are confronted with expensive “complete solutions” that they are told they must have, yet these still leave critical weak links.
No Budget
As long as cyberattacks are viewed as an unproductive irritation, budgeting for them will be an unsupportable cost. However, the presence of a well-defined security policy may become an essential competitive advantage when selling to or serving SEC-regulated organizations, a source of insurance cost savings, and a way to meet new legislative requirements. And, as we cover below, the majority of risk reduction surprisingly does not require any additional outside spend!
No Resources
Yes, even new non-technical tasks will increase pressure on resources, but at least these can be absorbed.
No Holistic Approach
Anyone who has read my articles in ISE Magazine is aware of my passion regarding Holistic Cybersecurity across the organization. This lack of awareness is what has led to the majority of ransomware breaches. If it’s not understood at the executive level, then the risks will remain.
Now the Good News: Methodology and Actions
Let’s break the required tasks into four groups: those with zero external spend, those that can reduce risk easily with a little acquired knowledge, those that add simple low-cost software that is likely already in place, and those that potentially add software to defend against sophisticated attacks. About 92% of actions reduce risk without significant outside cost. To put it another way, spending large amounts on expensive solutions only addresses a small percentage of the vulnerabilities and has significant costs (see table).
Now What? Most information and insights are useless unless they convert to action. So, here’s my offer to help you with a free SMB Two-Hour On-Line Workshop to go into all the details:
- A detailed review of all the no-cost actions and best practices listed above, and of those that Cybyr.com Virtual CSO Service (or others) can help you acquire at minimal cost, to create a solid plan, be competitive, reduce insurance cost and measure improvement.
- Five types of simple, low-cost security products that you likely already have.
- Discussion on where you have issues, have found solutions and consensus on where you are looking for help. This is why it’s not just a webinar.
- List of “types” of solutions needed for protection against advanced attacks.
I really hope you found this useful and will enroll in my all-new free workshop. Simply visit cybyr.com/workshop.
Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services
Mark is CEO of cybyr.com and has five decades of experience in software, networking, and security. He is a member of ONUG, MEF and CSA network and security working groups, a CISA contributor, and publisher of the Holistic Cybersecurity book: Hey Who Left The Back Door Open? For more information, or to give feedback, email [email protected] or follow him on LinkedIn.