With all the threats, risks, and vulnerabilities out there, small to medium businesses (SMBs) are easy targets for cyber criminals. 60% of small businesses go out of business after a cyber attack. Let’s dive into why you need a risk management plan and a cyber security strategy.
In this episode of the tea on cybersecurity, Jim Goldman, CEO and Co-Founder of Trava Security, shares why having a risk management plan and creating a cybersecurity strategy is crucial for small to medium businesses.
Why do SMBs need cyber security?
Many small businesses believe that they will not be targeted by cyber attacks. Much like burying their heads in the sand, SMBs think that they don’t have anything of value, so why would cyber criminals waste resources on them?
Unfortunately, sand won’t protect a business. SMBs get attacked all the time. Phishing, malware, ransomware, and data breaches are all very real and costly threats. Cyber criminals are just like anyone else: they’re lazy and prefer easy targets. They cast wide nets and often go for newer, weaker companies where they know they can find vulnerabilities.
Data is valuable. Even if your SaaS has only been around for a year, you still have data that may be personally identifiable and protected under data privacy laws. Succumbing to a data breach isn’t simply a loss of data anymore. It’s potentially years of lost revenue, lost customer trust, lost work, and lawsuits.
What is a watering hole attack?
Another reason smaller businesses get targeted is that even if they genuinely have no data to protect, they still interact with other organizations. Let’s say an employee at a bank visits a TV news station’s website from a bank computer, and that website has unknowingly been infected with malicious software. The malware is delivered to the bank computer through the site, and the bank, not the news station, is the real target.
This is called a watering hole attack. Like all the animals innocently coming to a watering hole to drink water, they end up drinking poison instead. You don’t want to be the poisoned animal, and you don’t want to be the watering hole, either. Larger enterprises know this, and they may grant SMBs certain business opportunities only if they know you have a strong security posture.
Where to begin a cyber security plan?
Inaction on cyber security often stems not only from a lack of education or communication but from uncertainty about where to begin. It’s true that cyber security is not one size fits all, which makes it hard for companies to start a plan.
Each business has its own digital assets that need protection, operates in a different environment, and faces different risks. Installing a basic security tool might be optimal for one business and utterly useless for another. That is why a risk assessment is such a good place to begin your cyber security: it tells you which vulnerabilities to prioritize plugging.
Risk assessment is key
A cyber risk assessment typically works from a particular framework best suited to a business’s industry and niche. Suppose an organization works in the healthcare sector. In that case, the assessment will be mapped to HIPAA, because that is the most relevant data privacy law for medical data. The framework’s requirements are grouped into control families, and this stage is essentially a qualitative assessment of the business against the chosen framework.
The next part is a technical risk assessment. Your environment undergoes careful scanning: the edges of your network, your servers, and your cloud infrastructure. The scan finds holes and insecure configurations that leave your data exposed. Technical issues can usually be fixed easily once they are found: unlike an entire missing control family that needs to be built up from scratch, a technical problem can often be solved as simply as patching the affected device.
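What the technical stage produces in practice is a list of exposed services that needs to be turned into a fix-first order. The script below is an added example, not the article’s own material and not Trava’s tool: it parses a constructed nmap-style grepable (-oG) scan of three hypothetical internet-facing hosts and ranks each open service by an assumed risk weight, so a database or RDP port reachable from the internet lands at the top of the list ahead of an expected HTTPS port.

```python
"""Prioritize findings from an external port scan.

Added example (not the article's or Trava's code). The input is a
constructed sample in nmap's grepable (-oG) line format, and the risk
weights below are an illustrative assumption, not an industry standard.
"""
import re
from dataclasses import dataclass

# Constructed sample: three hypothetical hosts in nmap -oG style.
# Field layout per port entry: port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, not a real network)
Host: 203.0.113.10 (www.example-saas.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 203.0.113.11 (db.example-saas.test)\tPorts: 5432/open/tcp//postgresql//PostgreSQL 14/, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.12 (legacy.example-saas.test)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 80/open/tcp//http//Apache httpd 2.2/
"""

# Assumed risk weights for services that should rarely be internet-facing.
# 4 = fix first, 3 = high, 2 = medium, 1 = review, 0 = expected exposure.
SERVICE_RISK = {
    "postgresql": (4, "database reachable from the internet"),
    "mysql": (4, "database reachable from the internet"),
    "ms-wbt-server": (4, "RDP exposed; common ransomware entry point"),
    "telnet": (4, "cleartext remote shell"),
    "ftp": (3, "cleartext credentials; prefer SFTP"),
    "ssh": (2, "restrict to VPN or allowlisted source IPs"),
    "http": (1, "check for redirect to HTTPS and patch level"),
    "https": (0, "expected for a public web service"),
}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    score: int
    reason: str


HOST_RE = re.compile(r"^Host: (\S+)")
PORTS_RE = re.compile(r"Ports: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Yield (host, port, service, version) for every open port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and other nmap chatter
        host = HOST_RE.match(line).group(1)
        m = PORTS_RE.search(line)
        if not m:
            continue  # host line without a Ports: section
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # malformed entry or filtered/closed port
            yield host, int(fields[0]), fields[4], fields[6]


def assess(text):
    """Return findings sorted from highest to lowest risk, then by host and port."""
    findings = []
    for host, port, service, version in parse_grepable(text):
        score, reason = SERVICE_RISK.get(
            service, (1, "unrecognised service; review manually")
        )
        findings.append(Finding(host, port, service, version, score, reason))
    return sorted(findings, key=lambda f: (-f.score, f.host, f.port))


def report(findings):
    """Render the prioritized list as one line per finding."""
    return "\n".join(
        f"[{f.score}] {f.host}:{f.port} {f.service} {f.version or '-'} - {f.reason}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(assess(SAMPLE_SCAN)))
```

The weights are where a real assessment earns its keep: they should be set by the business context (a customer-facing API has different expected exposure than a bookkeeping server), and anything the table does not recognise is deliberately scored for manual review rather than silently dropped. Run it against real `nmap -oG` output by replacing the constructed sample.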
How much should an SMB invest into cyber security?
This is the golden question everyone managing a budget wants answered. It’s important to understand that cyber security isn’t a one-and-done deal, and the cost is generally around 10% of a business’s annual revenue.
Strong cyber security is risk management done on a daily basis, across every level of an organization. You need to plan and strategize continuously.
Enterprises rarely go out of business after a cyber attack. If they’re publicly traded, they hire a PR firm to polish up their reputation or give free credit monitoring to their customers. After two years, people forget it ever happened. Small businesses don’t have the luxury of rushing people into moving on. They may have 50 or 100 customers who simply leave, not wanting to get caught up in the mess. Once trust is eroded, it’s hard to win back, especially for small businesses whose product is delivered online.
The difference maker of cyber insurance
Cyber insurance has become increasingly hard to get in recent years because the industry is in upheaval due to heavy losses. Still, it is a good idea to look into cyber insurance covering both first-party losses and third-party liability. It can protect your organization from an otherwise devastating attack.
Simplify your cyber security strategy
If there’s one thing to remember about planning your cyber security, it is to begin with a risk assessment. It’s like a map and compass to guide your path. Trava offers a free risk assessment tool, and we also help our clients bolster their cyber security posture through detailed guidance.