I would love to say that the most common comment I hear from smaller businesses is that they are struggling to implement proper cybersecurity controls. Following such a statement I'd normally burst into action quizzing them about where the pain is and how I can help!
But, I can't say that.
Sadly, the most common statement I hear is "we don't think we are a target, so we don't do any cybersecurity."
Assuming a sensible amount of consideration has gone into that statement, I can only applaud the risk/cost-benefit analysis that led to that conclusion. Considering that most people, and not just in the business world, view cyber attack as a top-five global threat to our interests, it's good that organizations look at it seriously from a risk management perspective. Sarcasm sometimes intended!
So why is the statement itself so flawed?
Personally, I don't believe there's a business out there that has zero cybersecurity measures in place. There are very few exceptions to the need for such measures, and there are a lot of basic and commonly used measures that are absolutely a part of cybersecurity prep but aren't necessarily called out as such. Organizations with any significant IT estate will employ password strength and rotation policies. Most will use things like cloud-based email services that include malware detection. As most understand, though perhaps not consciously, cyber measures aren't "all/some/none". They are more of a "how far/how much" type question. It's genuinely difficult to do nothing! Good IT people have security hardwired.
Perhaps the most concerning part is the belief that it's possible not to be a target. Colleagues often reference "you don't outrun the bear" when talking about this. The bear, our cyber-adversary in this instance, is out for blood (assets/data). The theory is that you only need to outrun the slowest of your peers to save yourself, i.e. don't be the easiest or most obvious target and you're safe. If there were only a single bear that could eat only one of us, the approach might just work!
Whilst the analogy holds to a point in the world of cyber, I prefer describing the situation more like that of the impending zombie apocalypse. Presuming for a moment that everyone has seen or heard of at least one zombie film, the threat is hordes of zombies out to get you with very little intelligence. There's the inevitable super-zombie, a state-backed hacker group if you like, that can think and feel but they're probably not the biggest problem for most.
In this vein, cybersecurity feels a lot more like a constant struggle for survival than a carefully executed wargame. Whilst some organizations will be interesting enough that they attract specifically tailored attacks, they are few and far between. The majority of cyber incidents are one of the great hordes finding its way through your defenses and taking a chunk out of your leg (exfiltrating priority assets). The idea that you only need to outrun your slowest mate just doesn't work when the threat is everywhere and doesn't mind who it stumbles upon.
Small businesses look at cybersecurity as something massively complex and hugely expensive. They largely see it as unobtainable to them. Only the large enterprise can afford such protections.
I'm not going to say that cyber technology, nor teams are cheap, but small businesses have two major advantages that make running a secure business easier.
Agility. Often viewed as a bad influence on security – being fleet of foot is a barrier to reaching security maturity – it also allows critical business changes to happen more quickly. For example, a small business may identify an authentication, email or storage solution that provides more inherent security. They are in a much better position to make that change quickly. On the other hand, enterprise business is large and slower to change. Complex processes, complex team structures and complex mixes of integrated technology can make a business good at what it is doing now, but complexity is the enemy of cybersecurity, making even small changes extremely hard. The best-conceived cybersecurity program with an unlimited budget can take years to implement, and yet a small business may be able to make a similar improvement in its security standing with smaller changes in a fraction of the time. Staying current is a large part of the battle!
Complexity also increases the attack surface. More systems to protect, more updates to install, more of everything makes the remit of cyber teams vast. Small businesses often have significantly smaller surfaces and can more easily achieve the same level of protection without the same expense in time and resources required for layer upon layer of security.
Agility also allows small businesses to make better use of point solutions or new technologies. Keeping pace with security tools, or using narrower, more targeted tools, can get smaller, simpler organizations much further than a larger enterprise can get.
Human element. Small businesses should not underestimate the vast advantage their human element gives them over adversaries. People are fundamentally and profoundly awful at security. It's non-intuitive and heavily contextual to most. In smaller businesses, teams are closer. They interact more; know each other better; and they instantly recognize what's abnormal in their environment. Training is more easily delivered and more effective because of the more personal connection between each individual, each other and the business. While applying security technologies clearly has significant benefit, security really starts with users. Yes, users are also often the security weak link, but good users get you a really long way down the road in combination with some basic security controls.
So, small businesses, while you may not be a priority target for an attacker, you are absolutely a target for the great horde of cyber zombies that can do serious harm if they stumble upon you.
But it's not hopeless and it's not just for big business. Small businesses can achieve so much more in the security space than their big business competitors… and faster.
Embrace security, make it a part of your small business family, adopt some basic technical controls and make yourself much less appetizing.
As a starting point, if you haven't already, use multi-factor authentication (MFA) for everything. It is your tall, armored perimeter wall replacing your dodgy username and password fence!
Author: Russel Ridgley
Category: RSA Point of View, Blog Post
Keywords: Cybersecurity, Digital Risk, Digital Risk Management, Business Driven Security, Business Risk Management