Today’s SMB cyber security MUSTS

Cyber threats are at an all-time high, and smaller organizations continue to bear the brunt of the assault for two main reasons. 

One, malware has become more available to small-time, wanna-be criminals. Now anyone, regardless of technical savvy, can purchase sophisticated phishing and ransomware encryption packages.

These do-it-yourselfers have little overhead and are happy hooking smaller fish 🎣 (you).

Two, larger organizations have by now invested in IT modernization (much more on this later), which makes them harder to catch, so smaller fish with poor security hygiene are more likely to pay up.

The good news for SMBs: it doesn’t have to be this way. Read on, and I’ll tell you precisely what you can do now to reduce your attack profile and make your business less likely to get caught.

Cyber threats exploded

At the outset of the pandemic, every business—large corporation, SMB, non-profit, government agency, university, and healthcare system—all found themselves on the same starting line: a once-in-a-century world healthcare crisis that forced businesses to transform the way they provide products and services.

This pressure for change meant an untested, immediate transition to a home-based workforce for many businesses just to stay afloat.

Security was not a priority.

A lot of businesses couldn’t make the switch quickly enough and never recovered. 

Many market segments could not provide services remotely. “Non-essential” public-facing businesses were the first to be shuttered—restaurants, malls, airlines, retailers, sporting events, theaters, hair salons, fitness centers—the list goes on and on. 

These were ordered closed to prevent the spread of a novel coronavirus we didn’t yet understand. The rest of the business community was left to figure it out themselves.

Initial financial help for SMBs

The U.S. Small Business Administration’s $953M Paycheck Protection Program (PPP) guaranteed employee paychecks through this digital transformation.

It helped many small- to medium-sized businesses rebound from the edge of the abyss. Most SMBs got through the worst of it during the spring and summer of 2020. 

Still, many small businesses did not survive.

Businesses react to the pandemic

Not every business sector experienced difficulties throughout the pandemic.

Many market segments adapted and thrived. Large retailers like Amazon and Walmart experienced substantial growth.

Personal grocery shopping and delivery services took off.

Hard-working “essential” technology services companies weathered the storm well enough, helping other SMBs successfully transform into a home-based workforce. 

What no one saw coming was the triple-digit growth of criminal activity in the cyber security world. 

Ransomware and financial theft were big-business long before the pandemic.

These criminal groups were already well-positioned to take advantage of how we collectively rushed to create new work from home (WFH) business models without giving much thought to security. 

With security an afterthought, cybercrime exploded in 2020.

That growth continues today, often at the expense of smaller organizations.

Size matters

Nearly all large organizations have taken a proactive, defensive posture for combating today’s relentless phishing and ransomware assaults.

How did they accomplish this?

It’s no mystery; they invested resources, made difficult decisions, and significant changes to their infrastructure. 

Most larger businesses continue to operate securely, even as a high percentage of their knowledge workers will continue working from home long after Covid-19 moves to the rearview mirror.

So what can smaller businesses do?

Now that a proven path has been forged by larger organizations, we can simply follow this course, use the main concepts, and adjust to our particular industry or unique business need.

☑️ IT Modernization Checklist

The following initiatives have been essential for ensuring a solid baseline for good cyber security.

1. Migrate to a cloud-hosted architecture that eliminates the need for workers to connect to office systems remotely
2. Make use of next-generation firewalls and secure VPNs for those that still remote into office systems
3. Implement strict protocols for securely connecting to 3rd-party customer and vendor IT systems
   • Least Privileged Access 
   • Zero Trust Model
4. Enforce Multi-Factor Authentication for all accounts
5. Data encryption both at rest and in transit 
6. Encrypted email
7. Off-site backups

Additional strategies for cyber success

• Have well-documented breach recovery/remediation plans. As in written down, up-to-date, and thoroughly vetted through regular simulation. 
• Recruit and retain talented, experienced security professionals—including a breach coach—who can defuse a ransomware bomb, reduce its blast impact on business operations, or negotiate ransom amounts with cybercriminal organizations.
• Invest in cyber insurance policies to reimburse ransom payments or the cost of rebuilding entire business systems.
• Understand that employees are the weakest link in any security chain and adopt ongoing, required security training for their people.

Why are SMBs still so vulnerable to business disruption?

Many small- to medium-sized business owners say it’s a combination of the high cost of implementing solutions and an overwhelming lack of trusted guidance for security best practices.

For larger organizations, the expense of this advanced cyber toolkit is much less significant compared to the organization’s size. Big businesses have deep pockets. For them, it’s just “the cost of doing business.” 

Today’s security solutions for SMBs cost less than you might think

So, rolling into next year, how exactly can SMBs harden up their security profile without breaking the bank? More good news: security practices and technologies have continued to evolve since the beginning of the pandemic and now effectively scale for smaller organizations to reap the benefits.

7 Steps for SMBs to modernize their cyber security

Let’s look at the above IT modernization checklist for big companies and see how it can scale for smaller businesses, point by point.

1. The term “cloud-hosted architecture” sounds complicated, but it’s entirely practical. Migrating to enterprise software to run your business will take some elbow grease, but the accumulated sweat equity will pay dividends immediately. Cost is usually per person, per month, so small businesses can achieve maximum value.
2. If any of your WFH staff still need to connect to your in-office network, next-gen security is available in a good-better-best cost model.
3. Communicate with your vendors and customers via a secure web portal. You can have a custom portal built just for you, but existing secure portal services are available. Costs vary depending on complexity requirements and the number of users. Here’s a great secure web portal comparison.
4. Dual-Factor Authentication is FREE and universally available for most platforms.
5. Data encryption is about rendering files to make them unreadable by unauthorized users. Encryption has evolved considerably during the pandemic. Microsoft provides FREE BitLocker drive encryption in Windows 10 Professional edition. If you have Windows 10 Home Edition, upgrading to Professional costs $99 per computer.

6. Encrypting your email will help guard against supply chain attacks, social engineering, and phishing attacks. There are FREE services available. Paid accounts with feature-rich services can run from $10-$30 per month per user. Here’s a great review of what’s available.
7. Cloud data backup may already be FREE for many small businesses as they are included in systems you may already use. Google Drive, Microsoft OneDrive, Apple iCloud, and many others. Here’s a great offsite backup cost comparison tool.

Cost for offsite backups scales by how much data needs to be backed up and your business’s tolerance for how long you can afford to be down during recovery operations (aka Recovery Time Objective). 

No business is too small for BIG cyber security

Virtually every large business today has a C-Level Chief Information Security Officer (CISO) responsible for establishing security strategy and managing a large team of security specialists to protect corporate data assets.

That’s a big chunk of change—out of reach for most of today’s businesses. So what can an SMB do to keep pace with today’s cyber security horror show?

Reach out and establish a trust-built relationship with an experienced managed IT security solutions provider. Take immediate advantage of a deep bench of some of the best security minds in the business. Initial engagements typically begin with a security vulnerability assessment project, often at a low fixed cost. 

It’s a cloudy crystal ball as to how cyber warfare will continue to evolve. It may or may not get better for businesses in the coming year, but it will surely get interesting.