CYBERSECURITY FOR SMALL & MEDIUM ORGANIZATIONS

A guide for smaller businesses and the companies who service them

This page, the new SMB Workshop and the Virtual CSO service are a continuation of the article published in ISE magazine in August 2024.

A simple solution

Whenever you talk cybersecurity with smaller companies, they repeat the reasons why they have not and cannot embrace the protection that cybersecurity offers. This new methodology addresses their legitimate concerns and proposes a viable path to reduce risk to, or even below, the level of the largest organizations.

Audience

This is not created just for small to medium-sized organizations. It’s also written for the service providers, systems integrators and suppliers who have banged their heads against this wall until it hurts.

Three Steps to Risk Reduction

Step 1 (this page) lays out the framework.

Step 2 is a free interactive workshop.

Step 3 is a Virtual CSO service that brings you the expertise you’ll need to execute the ideas.

Four Reasons Why Small and Medium Business (SMBs) Have Not Protected Themselves

(1) Little awareness of the danger or of what’s required to reduce risks, (2) no budget, (3) no expertise and (4) no resources.

Relying on third parties without dealing with the fundamentals is not the answer.

Lack of understanding of the holistic nature of cybersecurity leads to the use of costly solutions, cloud providers and managed service providers, and to a false sense of security.

The Challenges

Lack of Awareness of the Danger

Executives are not aware of the persistent, growing and damaging dangers of cyberattacks. It’s War! Even if they are motivated to act, they are at a loss regarding what actions they can take:

They think: “it probably won’t happen to us.” The facts are at odds with this. 73% of businesses with fewer than 1,000 employees were attacked last year, with costs averaging $200k; 41% of small businesses were breached in 2023, up 43% from 2022; 60% folded within six months of an attack. In 2024, 70% of those who survived were attacked again and again.

Top-end solutions are beginning to use AI to offer defenses for the largest corporations, but threat actors are using generative AI to dramatically increase the level of attacks targeting smaller businesses, right now. These state-run attackers have become an essential part of their countries’ economies. This is no passing fad, and it is constantly evolving. However, knowing this doesn’t alter the fact that smaller organizations just don’t have the expertise, budget or resources to defend themselves. Our intention is to eliminate this problem.

Lack of Expertise

When we say “Small to Medium Businesses” (SMBs), it’s less about their size and more about where they sit in the markets they serve. Many don’t have IT expertise, let alone an understanding of cybersecurity. Many outsource IT or networking to cloud providers or managed service providers who also provide security. Unfortunately, this effectively abdicates responsibility rather than delegating it. Whoever is responsible for IT can become overwhelmed, with no way to prioritize actions. They are confronted with expensive “complete solutions” that they are told they must have, yet these still leave critical weak links. Our intention is to provide the necessary expertise.

No Budget

As long as defending against cyberattacks is viewed as an unproductive irritation, budgeting for it will be an unsupportable cost. However, the presence of a well-defined security policy may become an essential competitive advantage when selling to or serving SEC-regulated organizations, an insurance cost saving, and a means to meet new legislative requirements. And, as we cover in this methodology, surprisingly, the majority of risk reduction does not require any additional outside spend!

No Resources

Yes, even new non-technical tasks will increase pressure on resources, but at least these can be absorbed with our help.

Also, there's a 5th reason: No Understanding of Holistic Cybersecurity

Anyone who has read my published work is aware of my passion regarding Holistic Cybersecurity across the organization. The belief that cybersecurity is something handled within the walls of IT has led to the majority of ransomware breaches. If it’s not understood at the executive level, then the risks will remain.

It leads to outsourcing cybersecurity to outside companies and assuming that it’s all handled. Use of cloud providers and managed service providers gives a false sense of security, usually with a considerable price tag. Selective use of advanced tools is valuable, but only after the vast majority of risks have been eliminated by the common sense best practices shown in this program.

Now, the Good News

When you break down the processes in your organization, it becomes apparent where the potential vulnerabilities are and which are the most important to strengthen.

More Good News

To start you off, our CybyrScore software steps you through the process of discovering your vulnerabilities, makes recommendations and prioritizes the steps in your journey. Unlike GenAI, where you ask the questions and hope its data gives correct answers, CybyrScore actually provides the best practice outcomes one step at a time.

Now, the Best News!

Looking at the actions, it becomes obvious that reducing risk requires neither technical expertise nor expensive software. It just requires common sense.

Does That Mean Cybersecurity is Free or Already Paid For?

Surprisingly, the answer is mostly yes! There are two exceptions: 1) some simple software that you have likely already purchased, for example firewalls, VPNs, anti-malware or anti-phishing software, or the two-factor authentication that is already built into your systems; 2) some software to detect threats that may have already happened or may happen in the future, but that comes later.

Finally, cybyr.com provides a means to measure your progress and risk reduction over time.

Holistic Cybersecurity Methodology

The following table breaks the tasks into (a) those with zero external spend, (b) those that can reduce risk easily with a little acquired knowledge, (c) those that add simple, low-cost software likely already in place, and then (d) potentially adding software to defend against sophisticated attacks. About 92% of actions reduce risk without significant outside cost. To put it another way, spending large amounts on expensive solutions only addresses a small percentage of the vulnerabilities.

Methodology | No Incremental External Cost/Expertise | With Non-Technical Cybersecurity Expertise Acquired From Cybyr.com | With Software Subscriptions
Executive Oversight | Executive Commitment to Holistic Approach (4*) | Network Considerations (1) | 
Security Oversight | Security Policy, Threat Awareness, Threat Tolerance (3) | Security Planning, CybyrScore AI/ML Based Recommendations & Measurement, Continuous Review (4) | 
Asset Curation | Automated Backup, Updating, Resilience Testing of All Data and System Assets (8) | | 
Threat Avoidance | HR (5); Sales, Marketing & Support (4); Finance, Admin (3); Manufacturing, OT, Product & Service Development (3) | Finance, Conformance, Contracts & Legal; Verified Supply Chain Management (4) | Low-Cost Basics: Anti-Phishing, Anti-Malware, Firewall Service, VPN, ID Management (5)
Threat Prevention | Many of the Above (HR Training, Insider & Social Threat Strategy, MFA, etc.) | HR: Least Privilege, Access Control (2); Secure Cloud Containers, Micro-Segmentation (3) | ID Management, ZTNA
Threat Detection & Removal | Partly Addressed | | Extended Detection & Removal, Advanced Persistent Threat Defense
Monitoring | | | Continual Monitoring, Notification

* The number in parentheses indicates the number of action areas in each category. Around 30 require no incremental cost, 15 can be achieved with expert, non-technical assistance from Cybyr.com and 5 with low-cost software that has likely already been purchased. Many more sophisticated software solutions are available to add to your defenses, but only after the basic work is completed. Items in bold are unique concepts. All terms are explained at cybyr.com/cyberpedia.

Next Steps?

Most information and insights are useless unless they convert to action. So, the work continues with a free two-hour online SMB workshop that goes into all the details.

Work is also ongoing within the Cloud Security Alliance’s Zero Trust working group on providing guidance to small and medium organizations, to which cybyr.com contributes. When published, a reference to that work will be posted on this site.