This article is particularly for small and medium-sized businesses as they wonder how all these recent cyber-security headlines could impact their organization. I don’t like the term small business – but for the sake of clarity, I’ll refer to “SMB” (small and medium businesses) as companies that are not on the Fortune 2,000 list and have fewer resources than larger enterprises.
SMBs are facing challenges on multiple fronts:
- global competition
- digital transformation
- cyber security threats
- among other disruptions
For an owner, or senior manager, there is hardly enough time in the day to concentrate on any one of these challenges. Meanwhile, large corporations seem to be able to withstand massive disruptions. Take for example breaches in security – like what happened to Target with customer data loss. Or stepping outside of IT and into health hazards – Chipotle recently faced E. coli related trouble and a loss in the trust of protecting its customers’ well-being. Nonetheless, these large corporations continue to forge ahead.
However, a SMB that would have faced a loss in trust from a data breach or data loss would have a much more difficult time recovering.
It seems that headline making cyber security threats are becoming so commonplace that at times a business might not give it the attention it deserves.
Just because a business ignores threats doesn’t mean they don’t exist. “It won’t happen to us because we aren’t a big enough target”, is an excuse that is inexcusable! More phishing and identity theft criminals are going after innocent senior citizens because they are easy targets. In the same way, cyber criminals can find easier ways to break into a SMB’s IT system than they could within a much larger organization.
The challenge for SMBs, with few and strained resources, is how to invest and protect themselves, their data, and their clients.
The British Chambers of Commerce did a study that brings some insight and possible solutions to light.
The study found that 1 in 5 businesses were hit by a cyberattack in just the past year. If you are in an office complex, you very well may have more than 5 businesses just in your building. The danger hits very close to home.
Of the attacked businesses, 2 in 5 were at least 100 employees in size.
Many of these medium-sized businesses (with over 100 employees) don’t have the proper security in place. Security posture consists of:
- Regulation Compliance
Security tools run the gambit, since the security threat landscape is so broad.
I asked Nikesh Kalra at Equinix, one of the world’s largest data center providers for perspective, given he and his company’s prominent position in the market. We use Equinix facilities ourselves. They are on 5 continents, and last I checked, have over 100 data centers in over 40 markets worldwide. Thus, I thought I’d ask Nikesh about cloud services.
He said, “As businesses of all scale adopt cloud services, public internet access to cloud providers becomes a major security risk point. Using private connectivity to bypass the public internet is a more secure option to reach data and applications in the cloud. Equinix offers multiple private connectivity options, including Cloud Exchange and cross connects, to the world’s leading cloud service providers, in the most locations.”
Thus, running workloads in a big public cloud and using public internet is relatively less secure. Since we are connected via Equinix to these big public cloud providers, we can link to private connections via the Equinix Cloud Exchange. These security considerations take planning and expertise with someone that has been in the industry or has certifications in the technology. For a SMB, having security personnel is an expensive proposition because the work is not always constant. Of course, the threat and monitoring has to be continuous, but the skills to monitor, remediate, and manage vary so much that SMBs would have to retain a team of security staff. This is usually not an item on everyone’s budget.
Since the threat landscape is so broad, having just one security expert doesn’t cut it. This means, on top of the team of functional roles you need to have, you also need experts versed in different types of security threats. This allows you to ensure they stay up-to-speed on the specifics of each threat.
Depending on who you ask, you’ll get different categories of security threats, but just as a sample, here are a few ways to look at threats:
- Endpoint protection
- Information protection, data leakage
- Network security
- Intrusion prevention
- Email and messaging security
- Website and application security
Rather than trying to hire a Chief Information Security Officer (CISO) and a team of security experts, most SMBs can turn to one or more security vendors to help them prioritize and protect the areas that might be most susceptible or that are most critical to their business.
Another expert in the field is Adi Dar, CEO of Cyberbit. He shared the following comments:
“Businesses who don't have the capacity to run their own in-house security team and SOC (Security Operations Center) should consider outsourcing to a Managed Security Service Provider (MSSP) or a Managed Service Provider (MSP) that has security expertise and can custom tailor a solution to your needs and budget.”
Specifically, Adi pointed out a recent headline making threats. “Unlike large enterprises, which are susceptible to losing valuable data via high profile breaches, or to brand damage via defacement attacks or downtime, the main threat on small businesses today is ransomware.”
Adi confirmed that, “Small businesses typically lack the adequate backup, patching procedures, and security tools needed to handle these attacks. They also lack employee awareness to phishing emails and are therefore highly vulnerable.”
If you haven’t already developed relationships with a security provider, here are a few things to consider:
- Perform an assessment
- Prioritize gaps, weaknesses
- Implement a solution as a service
- Set a time table to evaluate other items on the priority list
Larger institutions will go as far as finding different providers for different phases to ensure there is no conflict of interest. They will get one provider to do the assessment and make recommendations while disclosing to them that they will not qualify for any future work. Then they go with the results of the assessment to another set of providers who implement the solution. Finally, they find a third party to audit the work. Again, these are nice luxuries for large companies, but not practical for a smaller one. Not only is this expensive, but very time consuming due to having to evaluate multiple vendors.
The important take-away from this article is to be proactive. Waiting to see if you can dodge the bullet is never a prudent approach. It isn’t easy for a business owner, or an executive, to pick up the phone and start calling providers. After all, you aren’t sure if they have been vetted. I recommend speaking with a few different companies before deciding which security provider can guide you with a good plan.
The earlier you start, the better. Adi shared a Ponemon Institute study which found that it takes more than 6 months to even identify a threat within the organization and typically 2 months before it can be contained.
Ali Din is, GM and CMO, dinCloud
Image Credit: ESB Professional / Shutterstock