Small business owners face unique challenges in many areas of their profession. Cybersecurity is no exception. From understanding their risk to finding appropriate resources for mitigating that risk, many small business owners struggle to keep their small enterprise cyber-safe.
Their struggle to stay cyber-safe is attributable to the need for small business owners to work within a budget. Budget restraints often mean that they are responsible for making decisions in areas for which they may lack expertise. Being the best plumber, consultant, or dentist in the world does not necessarily include the knowledge needed to negotiate shark-infested cyber waters.
This article will provide suggestions for keeping small businesses safe from the ever-growing catalog of cyber threats.
Small Businesses Are Attractive Targets
Small business owners walk around with a metaphoric target on their backs. At least, that is how cyber threat actors may see it.
According to the Small Business Administration (SBA), 99.7 percent of U.S. employer firms are small businesses. These independent businesses, each having fewer than 500 employees, account for 49.2 percent of private-sector employment.
Small businesses are a critical part of the US economy, and cyber attacks are a growing threat against them. Small businesses are an attractive target because they have information that cybercriminals can leverage, and they often lack the security infrastructure of larger enterprises.
Sometimes the gains to be had from attacking a small business are smaller than what could be gained by targeting a larger enterprise. But because of the corresponding lack of security controls, bad actors can see small businesses as “easy pickings.”
Other times, however, a small business is viewed as a critical component of the attack vector into a large enterprise. Large firms of every type use small business vendors, and the SBA incentivizes large companies to use small business suppliers. Cybercriminals have found that attacking a large firm through its small business partners can be a successful strategy.
According to a recent SBA survey, 88 percent of small business owners felt their business was vulnerable to a cyber attack. Yet many companies cannot afford professional IT solutions, have limited time to devote to cybersecurity, or do not know where to begin.
Before a small business owner can make any informed decisions about improving their cybersecurity posture, they must have a clear picture of their cyber risk.
An understanding of this risk will guide the implementation of security strategies and process changes, and it will justify security-related expenditures. Without understanding risk, any security decision is nothing more than a shot in the dark, hoping to hit the mark.
While there are many definitions of risk, each requires an understanding of threats, vulnerabilities, and criticality or impact.
The basic equation is Risk = Threat x Vulnerability x Impact.
Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose a small business owner wants to assess the risk associated with the threat of hackers attempting to plant ransomware (a likely threat) on a system containing essential data.
If the network is particularly vulnerable (perhaps because it has no firewall and no antivirus software), and this system is critical (a loss would harm the company’s ability to maintain its operation), then their risk is high. However, if the small business has good perimeter defenses in that same situation, their risk would be medium.
Security vendors crowd the industry with often competing claims of the best way to stay safe online or to protect sensitive data. To be generous, the credible vendors are not wrong in their claims, but their solutions are not always a good fit for small businesses.