#CyberAware for Small to Medium Sized Business: Cybersecurity is More Than Compliance
Cyber warfare is real, it is here, and America is losing. Military personnel, law enforcement, and private security use bulletproof vests to protect themselves in hostile zones. These vests minimize injury and provide a measure of security and safety of life. Additionally, they rely on intensive training, mindfulness, and combat skills to defend successfully against an enemy. This combination enables them to be effective in combat. Make no mistake, the Internet is a hostile zone in a state of cyber warfare. Being compliant is simply the bulletproof vest; a cybersecurity program is still needed to provide the training, visibility, and techniques to combat cyber threats.
Many small to medium-sized businesses (SMBs) rely on insurance (compliance and reduced liability), ignorance ("too small a business to be hacked"), or inappropriate justifications ("cybersecurity costs too much to implement; pay for incidents when they occur") to manage cyber risks to the business, resulting in a false sense of security. These uninformed choices lead to a lack of common-sense measures. Military personnel, law enforcement, and private security do not rely on their vests alone to stop incoming bullets (insurance), put the vest on only after they have been shot (ignorance), or skip buying one because the cost is too high (inappropriate justifications). Businesses should move beyond compliance and become #CyberAware by understanding the ever-growing dangers throughout the enterprise.
According to the 2018 Verizon Data Breach Investigation Report, 58% of breaches hit small businesses. The report identified 30 percent more incidents than the previous year associated with Point of Sale (POS) breaches targeting hotels and restaurants (most of which are small businesses). Many SMBs do not have trained security staff and rely heavily on their PCI certification to manage threats, which leaves vulnerabilities unmanaged.
Relying solely on the controls defined by compliance regimes such as HIPAA, PCI, and ISO is not an effective way to manage cybersecurity threats, whether against today's attacks or those forecast for tomorrow. This is especially true for small businesses that consider themselves too small to be attacked, or that simply lack the funds to build a cybersecurity program. Compliance is not the end of cybersecurity but a part of it. If SMBs do not begin using cybersecurity best practices, they will remain susceptible to hacks and breaches resulting in steep fines, damaged reputation, or loss of business.
#CyberAware because it’s the law
In the roughly 20 years since the introduction of ecommerce and SSL encryption, some of the largest businesses have become mostly virtual. The past five years have shown an exponential increase in businesses that depend on Internet-enabled services, including ecommerce, the cloud, online marketing, etc. However, cyber threats and hackers bent on exploiting a business's weaknesses have also increased exponentially, conducting malicious acts as they try to compromise business operations, expose intellectual property to reduce competitive advantage, or simply breach customer data.
The U.S. and other nations have begun integrating cybersecurity into law and changing how companies approach business practices involving electronic data. Proposals for bills, policies, and laws by states, governments, and nations have surged in the last couple of years. According to the National Conference of State Legislatures, more than 36 states have introduced more than 265 bills around cybersecurity. These include providing funds for cybersecurity initiatives, increasing penalties for cybercrimes, promoting security awareness and training programs, and enforcing security best practices and controls on critical infrastructure. Also, several laws such as the NYCRR and GDPR set directives requiring businesses to implement cybersecurity programs that manage enterprise risks while achieving industry-wide cybersecurity objectives.
For instance, the NYCRR requires businesses to develop a cybersecurity program that includes assigning a CISO, completing periodic risk assessments, conducting a security awareness and training program, and applying suitable controls to safeguard nonpublic information and information systems. GDPR requires businesses to define policies and procedures to comply with an EU citizen's right to erasure, to impose security measures ensuring that only the minimal personal data needed is used for each specific business process, and to record and preserve all user data processing.
SMBs can do it too…
Small to medium-sized businesses (SMBs) are critical to the nation's economy. According to the Small Business Association, SMBs provide 66 percent of the nation's net new jobs and employ 47.5 percent of the private workforce. It's time to take cybersecurity awareness seriously, and each year brings more resources to help businesses. Most recently, the government passed into law Bill S.770, "To require the Director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks…." The bill also updates the National Institute of Standards and Technology Act to incorporate small businesses and provide resources to lessen cybersecurity risks.
NIST has published a guide for small businesses entitled Small Business Information Security: The Fundamentals, which provides guidelines based on the NIST Cybersecurity Framework (CSF) for basic security of information, systems, and networks. This guide contains programmatic information on setting up an information security program, and includes nine key practices to begin strengthening the safety and security of the data that drives the business:
- Pay attention to the people you work with and around;
- Be careful of email attachments and web links;
- Use separate personal and business computers, mobile devices, and accounts;
- Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network;
- Be careful downloading software;
- Do not give out personal or business information;
- Watch for harmful pop-ups;
- Use strong passwords; and
- Conduct online business more securely.
The increase in cybersecurity awareness across the globe should drive all organizations to adopt basic standards and principles to combat the threats currently attacking our way of life. However, many businesses are still falling victim to ignorance, the insurance mindset, or inappropriate justifications for not setting up healthy cybersecurity programs. Large businesses such as Verizon, Target, SONY, and Experian have the resources in place to bounce back and preserve their business operations, customer base, revenue, and image after experiencing a cybersecurity incident. Murphy's Law suggests that what can happen will happen. A breach is unavoidable, and small to medium-sized businesses must be #CyberAware and prepare for when an incident occurs.
What to do
Focusing on defining the people, processes, and technology within the organization is the first step in becoming #CyberAware. This leads to identifying what drives the business, which risks pose a threat to revenue, and suitable steps toward building a strategy for tracking and managing incidents when they occur. Gartner's Six Principles of Resilience highlight these ideas.
Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
Principle No. 3: Stop Being a Defender, and Become a Facilitator
Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
Principle No. 5: Accept the Limits of Technology and Become People-Centric
Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
Consider Principle No. 1, "Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making." This principle implies an understanding of the business risks associated with the people, processes, and technologies that enable the business to function, not exclusively IT risk. Simply put, examine "what do we do and why," identify the business risk profile, then apply appropriate protections that enable the organization to meet customer expectations (product quality, company trust, service confidence, etc.). Remember, compliance is not sufficient protection; it is only a tool, the bulletproof vest.
Each of these principles is used to change an organization's culture and its approach to managing its digital footprint. One of the key elements within the six principles is determining how data flows within the enterprise, a concept many organizations have trouble documenting. Visibility into the network infrastructure, into end-user interaction with data, and into how data is printed, emailed, transferred, and modified must be obtained before appropriate protection mechanisms can be established.
Security assessment services can provide visibility into data movement and guidance in developing a strategy and roadmap for implementing cybersecurity within an organization. These services can demonstrate how to combine compliance requirements with the other elements of a cybersecurity program: frameworks, threat intelligence, security awareness, vulnerability assessments, log management, audit reviews, hardening techniques, change control, forensics, policy development, etc. Such a cybersecurity program will increase productivity, align with compliance requirements, enhance security posture, and combat cyber threats. With an understanding of how to implement a cost-effective cybersecurity program, SMBs can become #CyberAware and turn the tide of cyber warfare for America.
Compliance is only the beginning… a cybersecurity program is in demand