From Awareness to Action: Cybersecurity Strategy for Small Businesses
Larry Ponemon knows better than most that small businesses can find themselves in the crosshairs of hackers, especially after his cybersecurity research firm, Ponemon Institute, was struck by a ransomware attack.
“It spread laterally in a matter of seconds,” Ponemon said in an interview. After an employee opened a malware email, staff were locked out across the network, and Ponemon had to make a decision.
“Do we pay the extortionist and basically have access to the data?” he said. “Or do we try to fight it?”
As companies around the globe grapple with similar scenarios, analysts predict annual losses from cyberattacks will hit $6 trillion by 2021. While small businesses’ financial losses from breaches may seem small compared to the multimillion- or multibillion-dollar losses of large companies like Equifax, the consequences can be more severe for a small business. A recent survey by the Better Business Bureau found that only 35 percent of small businesses could remain profitable for more than three months if they permanently lost access to essential data.
“It might not be a million-dollar hit, but it’s going to be tens of thousands, maybe $100,000,” said Ken Walsleben, professor of entrepreneurial practice at the Martin J. Whitman School of Management. “And to a small business, that might as well be a million-dollar hit — it’s a kill shot sometimes.”
Global cybersecurity spending is expected to reach $170 billion by 2020, but aside from basic measures like antivirus software and firewalls, big spends on infrastructure and personnel are often unrealistic for small businesses. With the significant risks that weak cybersecurity poses for small businesses, leaders must identify their unique vulnerabilities and set up a lean, consistent threat-prevention framework for their network and their employees.
Guidelines for Effective Cybersecurity
For small business owners, understanding cybersecurity standards can be a strategic starting point for pinpointing their own vulnerabilities and formulating a strategy moving forward.
Organizations like the National Institute of Standards and Technology (NIST) have published detailed cybersecurity frameworks that catalog hundreds of individual security controls from which companies can select the ones that fit their risk. For businesses that handle card payments, the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS) requires that cardholder data be protected with encryption in storage and in transit and that access to it be restricted to staff with a business need. While these standards exist primarily to improve security, companies can also leverage compliance to set themselves apart from competitors.
“If you as a business make yourself more cybersecure, and if you can do that in a demonstrable way, that’s something you can market to your customers,” said Bill Fanelli, chief security officer for the Council of Better Business Bureaus.
Businesses that are tight on resources and lack the expertise to implement these frameworks can partner with vendors for cost-effective, customized service in setting up cybersecurity infrastructure.
“A small business is not going to have the budgetary wherewithal to hire its own security staff,” said Walsleben. “There are too many other pressing needs for its limited cash supply.”
Vendors can manage more complex operations like email encryption, network monitoring and data loss prevention. Businesses can also buy cyber insurance to cover the loss of customer information and the cost of recovery. Ultimately, they should decide which tasks are appropriate to keep in house and which can be delegated to an outside provider.
“What can you do in a cost-effective way?” Fanelli said. “If it takes deep expertise and it doesn’t happen very often, that’s someplace where, at a minimum, you ought to have a relationship with some vendor.”
Another strategy is threat-intelligence sharing. Exchanging information about attacks with business peers and with organizations like NIST allows companies to pool what they learn and collectively improve their preparedness. But companies are often reluctant to share this knowledge because it means revealing their vulnerabilities and breaches.
“It’s not easy psychologically for them to do,” Ponemon said. “But essentially, it gives you information at a very low cost that could be very valuable.”
Preparing Employees With Education and Good Habits
General staff regularly handle sensitive company information, making them targets for attackers. Because phishing emails (malicious messages crafted to trick unwitting employees into divulging their credentials or opening infected attachments) are one of the most common ways an attacker gains a first foothold in a network, small businesses should make employee vigilance a priority in any cybersecurity initiative.
“If you’re not constantly thinking about that and you’re just bored or you’re not really paying much attention, you just click on it,” Walsleben said. “The damage is oftentimes done before you can unclick it, so to speak.”
Informing employees of the threats they’re likely to face and outlining best practices to mitigate risk are key. Whether these efforts are informal team “lunch-and-learns” or business-wide seminars, management can simultaneously convey actionable strategies and help create employee investment in sustainable, secure habits.
“Ultimately, it’s all about changing the behavior of the employee so that they actually take the security issues more seriously,” said Ponemon.
In dealing with the cyberattack on his own organization, Ponemon ultimately decided not to pay the hacker holding his data ransom. Fortunately, his company had measures in place to protect against data loss.
“We had fantastic backup so we were very lucky,” he said. “We were able to restore in a matter of a couple hours.”
For Ponemon, a cybersecurity expert, this was still a teachable moment.
“We said goodbye to the extortionist,” he said. “But the lesson learned is, vigilance is very important.”
Citation for this content: MBA@Syracuse, Syracuse University’s online MBA program