4 Tips to Improve Small and Medium Business (SMB) Security

by Kevin Ford

Working in the third-party risk space, CyberGRX deals with businesses of every shape and size.  It may not come as a surprise that we often see the cybersecurity and privacy protection capabilities of small and medium sized businesses (SMBs) lagging behind larger businesses.  So, while I am dying to write a blog filled with thought leading platitudes like “let’s tear down the firewalls and build fire bridges,” those Ted Talky deep cuts will have to wait for another time (plus I’m still workshopping the “fire bridges”).

SMB Cybersecurity Series:

Instead, I’m writing something that, in my estimation, is much more important in promoting the overall health of our shared cyber ecosystem, cybersecurity, and privacy shop manual for SMB leaders. Here are some tips on how to improve your cybersecurity and privacy protection:

Tip #1: Do Cyber Hygiene!

My number one tip to everyone in the cyber community is… Do cyber hygiene!   Cyber hygiene is the collection of basic activities that will greatly increase your security posture.  Key cyber hygiene activities include:

  • Developing an inventory of your technology,
  • Deploying and updating antimalware protection on your technology,
  • Updating your systems (hardware, firmware, operating systems, and applications),
  • Knowing where your critical data are and tracking them,
  • Making unique IDs for your employees, and unique system processes,
  • Making quality passwords and regularly changing them,
  • Not giving employees or customers more access to systems and information than they need,
  • Documenting and communicating the expectations you have for your employees regarding how they use your company’s information systems and information, and, most importantly,
  • Training your employees.

Once you are done doing these cyber hygiene activities, do them again!  Cybersecurity and privacy are processes, not set-it-and-forget-it propositions.

Tip #2: Do Cyber Hygiene First!

Do cyber hygiene before you do anything else!  Cyber hygiene creates a solid foundation upon which to establish more advanced cybersecurity and privacy protections.  You would be shocked at how many organizations, large, medium, and small, I’ve seen that have super advanced AI malware tools, but no inventory of systems.  You may have great protection, but without an inventory, how would you know if your systems are protected?

Related: The ONE Thing All Modern Third-Party Cyber Risk Management Programs Do

Tip #3: Use your Size to your Advantage!

The Better Business Bureau estimates that small businesses spend thirteen times more per employee on cybersecurity than large businesses.  This is a daunting statistic, but one that I think can be overcome by companies unable to achieve the same economies of scale as the big boys. I know this sounds a little cliché, but small can be good.

Focus on administrative controls like policy and standards, and make sure your company follows them. Promoting a culture of security is just as important as fancy tools (probably more so). As a small company, socializing security should be a lot easier for you than the big guys.  You should be able to achieve a healthy security culture at a cost that will make larger companies green with envy.

Focusing on culture will also make lower cost tool deployments more effective.  I know many security professionals at big companies that would trade their state of the art AI tools for more rudimentary signature-based tools if their employees knew how to identify and not click phishing emails.

As far as tools are concerned, you should only buy the security tools you need.  Be careful to prioritize hybrid tools, like firewall – IPS/IDS – UTM combos, as there is generally a lot of value to be had there.  Additionally, seek out commercial, off the shelf solutions with sensible dashboards and simplified command and control.

A good reseller will be able to guide you to solutions that fit these descriptions.  While dedicated and advanced functionality can provide more room to scale your business, you might not have the opportunity to scale if you suffer a breach because you pitched your security toolset beyond your team’s capabilities and bandwidth.

Tip  #4: Punch Above your Weight!

You can greatly multiply your effectiveness by leveraging mature tools and processes offered to you by your business partners.  Perhaps, for instance, you filled out a CyberGRX assessment for a partner. You just received a state of the art cyber and privacy risk assessment at no cost.

CyberGRX has some of the best cybersecurity and privacy assessors in the industry, and the information in your report and dashboards is highly valuable and actionable. Check out the risk gaps table on your CyberGRX report and start destroying risk!  Or examine your top threats and start a tactical campaign to limit your exposure to them.

You should also squeeze every drop of value you can from your relationship with your customers.  If you are asked to mitigate any risks on your report by a partner, embrace that process. You are getting expert opinions on how to simultaneously improve your cybersecurity and look more attractive to customers.

Remember, every risk you squash adds value to your organization. If you document your progress in your CyberGRX assessment and share it with potential customers, you are making a state of the art process work for you for next to nothing.

If this information has been useful to you, please stay tuned to our blog where I will be dishing the privacy and security dirt on a regular basis.  I’ll be focusing on providing discreet, actionable advice, particularly for the small and medium businesses looking to improve their cybersecurity and privacy protection programs.

Continue Reading: Massive Risk and Limited Resources; What’s A Vendor Risk Manager To Do?


analytics third-party risk management (TPCRM)