In this feature article for MIS Training Institute (MISTI), Cybermaxx’s Jason Riddle weighs in on the topic of how to manage your small-to-medium business IT strategy on a limited budget, specifically focusing on the advantages of working alongside a managed security services provider (MSSP).
Small- and medium-sized businesses (SMBs) are often characterized by their abilities to move quickly and remain agile. Without an excess of layers or restrictive processes to bog down decision making, small teams or groups of individuals can easily pivot and make substantial adjustments to the business on an as-needed basis. That said, for all the benefits an SMB may offer, larger companies have the advantages of more staff, bigger budgets, and an extensive pool from which to draw lessons learned, which can be helpful when crafting a SMB cybersecurity strategy.
What if there’s a limited budget for your small business IT strategy?
When it comes to cyber crime, perpetrators don’t care what resources you have at your disposal; if the company has sensitive data from which adversaries can profit, or if your company offers third-party access to a “jackpot” company, the organization is a target.
But where larger organizations may be able to purchase and implement all the latest and greatest security solutions, assign staff to monitor alerts and act on indicators of compromise, and run testing against the network, what is a company with limited (or no) staff and budget to do?
SMBs can’t just throw up their hands at cybersecurity, despite a probable dearth of resources. In reality, cyber attacks against SMBs are on the rise. Research from Ponemon has shown that 67% of SMB’s now experience a cyberattack and 58% have experienced a data breach in the last 12 months.
Since most SMBs aren’t likely to magically receive a multimillion-dollar cybersecurity budget windfall, we’ve provided our top 6 tips for how to manage a cybersecurity strategy on a limited budget.
6 Tips to Improve Your SMB Cybersecurity Strategy
- Create an incident response plan
Even for the best-resourced companies, creating an incident response plan is a massive undertaking, yet it is a crucial part of any SMB cybersecurity strategy. It requires knowledge of the company’s technology infrastructure, coordination and collaboration with non-security business units, and an understanding of how to identify, declare, manage, and recover from a cybersecurity incident.
That said, a cyber incident response (IR) plan is one of the best tools a company can use to shore up their cybersecurity strategy. Plus, the creating itself can help uncover systemic vulnerabilities.
While the crafting of an IR plan won’t mean your cybersecurity strategy is complete, thinking through your company’s preparation and response strategy can be extremely useful; it can serve as a quasi-roadmap for the security program, if you have one, and help recruit non-security colleagues to think about and be responsible for certain areas of security, if you need the extra help (and who doesn’t).
Instead of modeling the most comprehensive IR plan you can find online, start small and create a barebones plan that outlines who is responsible for what if a security incident is identified, whom to call (external resources: law enforcement, forensics investigators, etc.), and what your communications strategy will be (internally, if network resources/applications become unavailable; externally, if necessitated by compliance or responsibility to shareholders and customers).
- Install updates
Patch management is a controversial topic regardless of your company’s size or resources, but all security wisdom says to install critical updates regularly and quickly. While it might not be possible for an SMB to tackle a complete patch management program, make sure vendor-issued updates are handled forthwith. Unpatched systems and software continue to be some of the most common entry points for attackers, so cut off some of that low-hanging fruit and raise the bar for exploitation. This is a quick win for any SMB cybersecurity strategy.
- Back up your data
With all of today’s cloud options, maintaining current backups is neither a monumental nor an expensive task. It can, however, save your company from enormous headaches, loss of productivity, and costs to recreate your data if you’re the victim of a ransomware attack or other cyber attack that renders systems unavailable, or if a natural disaster strikes.
Consider making a systematic backup of your businesses critical data part of your cybersecurity strategy. You should backup nightly to remote, secure locations, and develop a weekly or monthly backup plan for other data which, if lost, won’t cripple normal business operations.
- Run vulnerability scans
Any die-hard security professional will tell you that running a network vulnerability scan doesn’t equal a thorough SMB cybersecurity strategy —and that person would be right. But for SMBs with limited resources or in-house expertise for penetration testing, using vulnerability risk management technology will help identify some of the most obvious vulnerabilities in your network.
Granted, you can’t leave this task to your water cooler vendor, and if the company can’t fix any found vulnerabilities the activity will be for naught. But for SMBs with some capability, running scans regularly and attending to identified vulnerabilities can help harden your network against the most obvious attack opportunities.
- Write a security policy
In this day and age, every company should have a strong security policy it reviews then distributes to all employees and current contractors on a yearly basis. This policy is an essential part of any cybersecurity strategy and should include acceptable use (e.g., strong passwords, different passwords for personal and business use, 2FA/MFA, least privilege, no removable media, etc.), and simply state repercussions for failure to comply. Write your security policy in such a way that it recruits security advocates rather than drops the hammer on dissenters.
Especially for SMBs with small security teams, it’s imperative to accept the help you can get instead of isolate anyone who isn’t security-savvy.
- Talk to an Managed Security Service Provider
SMBs often think that outsourcing their SMB cybersecurity strategy to a service provider is out of reach financially. “Consultant” carries a certain association that implies “budget busting,” but the reality is that a managed security service provider (MSSP) can offer a level of expertise and economy of scale that may be unattainable for the SMB to build in-house. Says Jason Riddle, President at Cybermaxx, “Many smaller companies think that working with an MSSP is going to be too costly. Normally, that simply isn’t the case. A rule of thumb for smaller organizations is that 24x7 security operations services from an MSSP should typically cost slightly less than it would be to hire one mid-career cybersecurity full-time employee.”
To sweeten the pot further, keep in mind that MSSPs are specialists in operational security, and they bring with them a worldview of vulnerabilities, threats, and how to handle cyber incidents. They can help you tailor you cybersecurity strategy to the current threats that you might not be aware of. Plus, in addition to handling your day-to-day security, an MSSP can be an invaluable partner during and after an active incident when/if need be. They’re the “been there, done that” team that can soothe the hassle and lessen the costs of cleaning up after an attack.
If you're interested in learning more about how you can tighten your cybersecurity plan at your SMB, get in touch with a CyberMaxx expert today.
To view the original MIS Training Institute article by Katherine Teitler, click here.
Originally Published in MIS Training Institute