Small- and medium-sized businesses (SMBs) are often characterized by their abilities to move quickly and remain agile. Without an excess of layers or restrictive processes to bog down decision making, small teams or groups of individuals can easily pivot and make substantial adjustments to the business on an as-needed basis. That said, for all the benefits an SMB may offer, larger companies have the advantages of more staff, bigger budgets, and an extensive pool from which to draw lessons learned.
When it comes to cyber crime, perpetrators don’t care what resources you have at your disposal; if the company has sensitive data from which adversaries can profit, or if your company offers third-party access to a “jackpot” company, the organization is a target. But where larger organizations may be able to purchase and implement all the latest and greatest security solutions, assign staff to monitor alerts and act on indicators of compromise, and run testing against the network, what is a company with limited (or no) staff and budget to do?
SMBs can’t just throw up their hands at cybersecurity, despite a probable dearth of resources. In fact, according to the 2017 State of Cybersecurity in Small- and Medium-Sized Businesses (SMBs) study, cyber attacks against SMBs are on the rise. Sixty-one percent of SMBs reported being affected last year (up from 55% the previous year), and according to respondents, the cost to clean up after an attack tops out at over $1,000,000 USD (which may be a cautious estimate: A mid-sized medical center recently reported a $10m price tag to clean up after an unsuccessful ransomware attack). What this means is that, even if a company has a sub-$1 million security budget (and most SMBs do), the liability and risk of not doing anything is too big to bear.
Since most SMBs aren’t likely to magically receive a multimillion dollar cybersecurity budget windfall, we’ve provided our top 6 tips for how to manage security on a limited budget.
Create an incident response plan
Even for the best-resourced companies, creating an incident response plan is a massive undertaking. It requires knowledge of the company’s technology infrastructure, coordination and collaboration with non-security business units, and an understanding of how to identify, declare, manage, and recover from a cybersecurity incident. That said, a cyber incident response (IR) plan is one of the best tools a company can use to prepare for an incident. Plus, the creating, itself, can help uncover systemic vulnerabilities.
While the crafting of an IR plan won’t stop cyber attacks, thinking through your company’s preparation and response strategy can be extremely useful; it can serve as a quasi-roadmap for the security program, if you have one, and help recruit non-security colleagues to think about and be responsible for certain areas of security, if you need the extra help (and who doesn’t).
Instead of modeling the most comprehensive IR plan you can find online, start small and create a barebones plan that outlines who is responsible for what if a security incident is identified, whom to call (external resources: law enforcement, forensics investigators, etc.), and what your communications strategy will be (internally, if network resources/applications become unavailable; externally, if necessitated by compliance or responsibility to shareholders and customers).
Patch management is a controversial topic regardless of your company’s size or resources, but all security wisdom says to install critical updates regularly and quickly. While it might not be possible for an SMB to tackle a complete patch management program, make sure vendor-issued updates are handled forthwith. Unpatched systems and software continue to be some of the most common entry points for attackers, so cut off some of that low-hanging fruit and raise the bar for exploitation.
Back up your data
With all of today’s cloud options, maintaining current backups is neither a monumental nor an expensive task. It can, however, save your company from enormous headaches, loss of productivity, and costs to recreate your data if you’re the victim of a ransomware attack or other cyber attack that renders systems unavailable, or if a natural disaster strikes.
Consider backing up business-critical data nightly to remote, secure locations, and develop a weekly or monthly backup plan for other data which, if lost, won’t cripple normal business operations.
Run vulnerability scans
Any die-hard security professional will tell you that running a network vulnerability scan doesn’t equal a thorough security program—and that person would be right. But for SMBs with limited resources or in-house expertise for penetration testing, using a free vulnerability scanner will help identify some of the most obvious vulnerabilities in your network. Granted, you can’t leave this task to your water cooler vendor, and if the company can’t fix any found vulnerabilities the activity will be for naught. But for SMBs with some capability, running scans regularly and attending to identified vulnerabilities can help harden your network against the most obvious attack opportunities.
Write a security policy
In this day and age, every company should have a strong security policy it reviews then distributes to all employees and current contractors on a yearly basis. This policy should include acceptable use (e.g., strong passwords, different passwords for personal and business use, 2FA/MFA, least privilege, no removable media, etc.), and simply state repercussions for failure to comply. Write your security policy in such a way that it recruits security advocates rather than drops the hammer on dissenters. Especially for SMBs with small security teams, it’s imperative to accept the help you can get instead of isolate anyone who isn’t security-savvy.
Talk to an MSSP
SMBs often think that outsourcing work to a service provider is out of reach financially. “Consultant” carries a certain association that implies “budget busting,” but the reality is that managed security service providers (MSSPs) can offer a level of expertise and economy of scale that may be unattainable for the SMB to build in-house. Says Jason Riddle, President at LBMC Information Security, “Many smaller companies think that working with an MSSP is going to be too costly. Normally, that simply isn’t the case. A rule of thumb for smaller organizations is that 24x7 security operations services from an MSSP should typically cost slightly less than it would be to hire one mid-career cybersecurity full time employee.”
To sweeten the pot further, keep in mind that MSSPs are specialists in operational security, and they bring with them a worldview of vulnerabilities, threats, and how to handle cyber incidents. Plus, in addition to handling your day-to-day security, an MSSP can be an invaluable partner during and after an active incident when/if need be. They’re the “been there, done that” team that can soothe the hassle and lessen the costs of cleaning up after an attack.
Want to learn more tips and tricks for managing your SMB security team? Attend "Big Things, Little Packages -- Making a Difference with a Small Team" InfoSec World 2018, March 19-21st