Small Business Cybersecurity

Oct 30, 2024


In 2022, 98% of cybersecurity insurance claims were made by small and mid-sized businesses. The leading threat? Ransomware. It's addressable, it's containable, and it's something that small business owners are not getting their arms around.

In speaking with small business leaders, it seems like cybersecurity is just an overwhelming topic. Without hiring an in-house expert, how could it be possible to secure against threats like business email compromise and social engineering? Particularly when employees of small businesses receive 350% more social engineering attempts than those at larger businesses.

Cybersecurity is not the terrifying, insurmountable topic you think it is. It does have to be addressed. It does not require a new hire. It does require your attention for a moment. Here are three quick, simple ways small business leaders can address cybersecurity for maximum impact at a strategic level.


Know Your Risks

How does your company operate from day to day? What software does your team use? Who decides this, and how is it documented? If you know the answers to these questions, you are well ahead of the pack. Many small businesses suffer from software sprawl or a general lack of documentation. After all, the key to making money is definitely not stopping to write things down.

Tactic: identify a scribe or operations leader who is in charge of documenting processes and procedures, and who will keep documentation together in a centralized place.

How does this help? Once you know what you have, you can see your risks. If your process for handling customer information is to put it in a shared document that is stored in your public web folder, this will jump out at you as a high-risk situation when you complete your documentation. Considering that 87% of small businesses hold consumer data that could be compromised, and 75% of SMBs couldn't continue operations if they were hit by ransomware, identifying these risks is arguably more critical to the smaller operation than it is to the larger organization. The main-street consumer now knows enough to care. More than half of the US consumer base (55%) would be less likely to continue their business with a brand that suffered a cyber attack.

Tactic: partner with a firm to put technical solutions in place to compensate for the risks you identified. This doesn't have to be an ongoing operation, and doesn't need to be especially costly.


Know Your Regulators

What regulations do you fall under: US State data privacy? GDPR? FTC Safeguards? NYCRR 500? UK GDPR? Are you sure? Understanding regulatory posture is not exciting for most people, and you may not have in-house resources to evaluate your standing.

Tactic: partner with a firm to produce a regulatory posture analysis quickly and efficiently for you. It should lead to a simple report that tells you not only where you fall on the spectrum of requirements but what those requirements are.

This is a one-and-done analysis. But regulations are always changing. A good partner will keep you apprised of developments based on the analysis they performed.

Tactic: engage periodically with your partner to get updates to your report based on changes to your business. Even gaining new clients in new areas can change your regulatory posture, so doing this once in a while is a very smart step and can proactively head off more work later.


Think About Your Supply Chain

It's not just the software vendors who are a meaningful part of your supply chain, although they really are.

Tactic: your IT vendor can help you secure your software supply chain.

In thinking about your regulatory posture, you are going to be thinking up your supply chain, to your customers, prospects and clients. But what about the rest of your supply chain? Your employees are a huge part of what drives your overall production. Where are they in your cybersecurity framework? Some people would argue they are everything, the thin line separating you from chaos. With the rise of AI-based vishing attacks and other advanced social engineering, experts agree that training employees is critical. Most regulators are looking at this as a requirement.

Tactic: train employees based on role. Role-based training is designed for the job the person has, and focuses on the risks of that particular role. For instance, finance and HR professionals are targeted differently from sales professionals. They are at risk in different ways from different types of attacks, so they are trained differently. Offering role-based training is a tactical advantage that many small businesses overlook, thinking it's awfully expensive and bespoke, when in reality it's easy to implement and very reasonable.

So, strategic cybersecurity. Hopefully not the worst thing a small business owner has to tackle during the week, because it's a strategic and operational imperative. It requires a reliable partner, and a bit of focus initially to set up risk analysis. With those two items out of the way, this is in your wheelhouse. Small businesses can handle cybersecurity.
