Christopher Burgess
Contributing Writer

Small- and medium-sized businesses: don’t give up on cybersecurity

Opinion
May 09, 2023 | 6 mins
Business, Data and Information Security, Government

When the focus is often on the big hacking and ransomware cases involving multinational companies and governments, small- and medium-sized businesses can often feel left behind and powerless. But help is out there.

[Image: a group discussion around a table in an office workspace. Credit: Fizkes / Shutterstock]

In today’s increasingly hostile environment, every enterprise, be they big or small, should be concerned about cybersecurity and have access to protection from hackers, scammers, phishers, and all the rest of the host of bad actors who seem to be sprouting up around the world.

Yet time and again, we see small- and medium-sized businesses (SMBs) left out in the cold, an unaddressed market segment that finds real protection either too expensive or far too complex to adopt. Thus, cybersecurity becomes an “afterthought” or “add when we can” kind of service that leaves SMBs far more vulnerable than the corporate giants — just reading the news every day shows even they aren’t immune to ransomware, intrusions, and data theft.

It might be tempting to think that it’s too late at this point for an enterprise with limited resources to start investing in cybersecurity — after all, if the big guys still get hit, what’s the point in trying to catch up?

If you haven’t already, start thinking about security now

Actually, there are plenty of reasons to start thinking about cybersecurity right now. The advice from industry and government to SMBs is united in this regard and aligns with the Chinese proverb: “The best time to plant a tree was 20 years ago; the second-best time is today.”

At the recent RSA Conference, I had the occasion to speak with Candid Wüest, vice president of cyber protection and research at Acronis, about cybersecurity for the SMB and how a resource-strapped entity should be looking to protect itself. He spoke pragmatically about the situation small companies find themselves in and suggested the following low-cost, high-return fundamental strategies (along with the basic rubric of don’t defer, get the car moving, and revise as you are able):

  • Maintain visibility into your network — if an SMB has one, then it is incumbent upon administrators to know every item touching the network.
  • Implement multifactor authentication (MFA) everywhere possible.
  • Ensure all network access is role-based — no one who doesn’t need to see a system should be able to touch it (again, with access granted through MFA).
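The three fundamentals above fit together as a single deny-by-default access decision: the device must be in the inventory, MFA must have been completed, and the user’s role must explicitly grant the system. The following is an added illustration, not code from the article or from Acronis; the inventory, the role-to-system mapping, and the request records are constructed for the example.

```python
"""Added example: a deny-by-default access check combining asset visibility,
MFA-everywhere and role-based access. All data below is constructed."""
from dataclasses import dataclass

# Constructed asset inventory: the administrator knows every device on it.
KNOWN_DEVICES = {"laptop-01", "laptop-02", "pos-terminal-1"}

# Constructed role-to-system mapping. Nothing is implied: a role grants
# exactly the systems listed here and no others (least privilege).
ROLE_ACCESS = {
    "finance": {"accounting", "payroll"},
    "sales": {"crm"},
    "admin": {"accounting", "payroll", "crm", "fileserver"},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device: str
    system: str
    mfa_verified: bool


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; each failure is named
    so the denial can be audited rather than silently swallowed."""
    if req.device not in KNOWN_DEVICES:
        return False, f"unknown device {req.device!r}"
    if not req.mfa_verified:
        return False, "MFA not completed"
    permitted = set().union(*(ROLE_ACCESS.get(r, set()) for r in req.roles))
    if req.system not in permitted:
        return False, f"role(s) {sorted(req.roles)} do not grant {req.system!r}"
    return True, "allowed"


def audit(requests) -> dict[str, str]:
    """Map each denied user to the reason: the 'visibility' half of the
    picture, showing which devices, roles or MFA gaps need attention."""
    return {r.user: reason for r in requests
            for ok, reason in [decide(r)] if not ok}


# Constructed sample traffic for a stand-alone run.
SAMPLE_REQUESTS = [
    Request("ann", frozenset({"finance"}), "laptop-01", "payroll", True),
    Request("ann", frozenset({"finance"}), "laptop-01", "crm", True),
    Request("bob", frozenset({"admin"}), "rogue-tablet", "fileserver", True),
    Request("cy", frozenset({"sales"}), "laptop-02", "crm", False),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.system, *decide(r))
```

The order of the checks matters in practice: an unknown device is refused before any credential is even evaluated, so a stolen password on an unmanaged laptop never reaches the role check.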

Verify where your data is coming from

This sound advice was echoed by Utimaco CTO Nils Gerhardt, who made himself available for an interview during the same RSA Conference. SMBs must start somewhere, and the first step is to implement multifactor authentication everywhere, Gerhardt said. From the point of view of a Europe-headquartered entity, he further recommended that companies put in place the ability to verify the provenance of their data.

That’s just smart practice for any business, and why many countries are looking to keep tabs on where data comes from, regulate what data should be protected, and in some cases determine how it should be treated. Small business operators should be aware that regulatory regimes are also for their protection, not just the big guys — regimes such as GDPR and the European Data Act (EDA), which details data ownership and “gives individuals and businesses more control over their data through a reinforced data portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines, and devices.”

There’s more government help available for SMBs than might be immediately apparent. Recent United States and United Kingdom government efforts are timely and readily available to address shortcomings and bring resources to the table for the SMB.

US help for small and medium-sized businesses

The United States has created a “Small Business Cybersecurity Community of Interest” (COI) within the rubric of the National Cybersecurity Center of Excellence (NCCoE). The NCCoE, established in 2012, provides businesses with practical information on securing their information technology. At the inaugural community of interest event in March 2023, US Deputy Secretary of Commerce Don Graves commented that: “This initiative will help to make sure that NIST’s guidance is both meaningful and practical for smaller companies and other organizations to put into use. Beyond benefiting the NCCoE and its participants, this new community of interest promises to improve the return on all of NIST’s investments in cybersecurity research, standards, guidelines, and practices.”

The NIST COI initiative is designed to get SMBs into the mix and to bring to the forefront resources so they may become cybersecurity aware and hardened. Couple this with the plethora of resources provided by the Cybersecurity and Infrastructure Security Agency (CISA) and every SMB has a healthy slate of resources to advance their knowledge considerably. Topics addressed by CISA for the SMBs include securing supply chains and assessing vendors and vendor security posture. 

UK help for small and medium-sized businesses

The UK’s National Cyber Security Centre (NCSC) offers its own Cyber Action Plan, which includes a free assessment for small organizations. The online assessment normally takes three to five minutes to complete and walks the user through a basic cyber hygiene survey. The results are analyzed immediately, and the user receives a “personalized action plan” of steps the business can take right now to strengthen its cybersecurity posture.

Lindy Cameron, NCSC CEO, noted that while small businesses are the backbone of the UK economy, “we know that cybercriminals continue to view them as targets. That’s why the NCSC has created the Cyber Action Plan and Check Your Cyber Security to help them boost their online defenses in a matter of minutes. I strongly encourage all small businesses to use these tools today to keep the cybercriminals out and their operations on track.”

Other governments offering cyber help for SMBs

The US and UK are not alone in providing sound advice and resources for smaller enterprises. The Canadian Centre for Cyber Security has a small-business information portal and also offers CyberSecure Canada, a cybersecurity certification program for small and medium-sized organizations. Australia also publishes guidelines for its SMB owners.

SMBs that take the advice of industry professionals such as Gerhardt and Wüest and research the resources available from national and local governments will find that they can achieve a modicum of cybersecurity at little or no cost. Then, as advised, they should continually assess their situation and, as they are able, close the gaps that carry the highest risk. The important message is that these resources are out there to get you started, but you might have to do a little digging to find them. It’s absolutely worth the effort.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
