On Monday, in Part 1 of this two-part series, we covered the results of our survey of more than 600 IT decision-makers at medium-sized companies in the U.S., U.K., and Australia. Participants shared valuable insights into their cybersecurity understanding and preparedness, and I gave my own analysis of what the numbers indicate.
I’ve been in the security industry for more than 20 years, and the survey results brought to light some discrepancies I think are worth further consideration. To review:
- 96% of those surveyed believe they are susceptible to cyber threats.
- 80% use third-party IT security resources (mixed-use IT and security teams).
- 29% think they are ready to handle a cybersecurity-related incident.
If 80% of the businesses we surveyed outsource their cybersecurity to trusted MSPs, shouldn’t all 80% feel confident they have the resources to manage a cybersecurity breach? Why did just 29% of respondents report they feel ready to handle that incident?
To me, these numbers indicate many companies are paying for security resources, but still need to train their internal teams to improve confidence that they could triage an incident successfully. So, what can businesses do to reduce their risk of exposure and prepare themselves for a cybersecurity-related incident?
Three quick processes to help small businesses:
- Cyber Hygiene: get back to basics. Approximately 80% of the risk facing your organization from the majority of cyber threats can be minimized drastically if you take care of the basics correctly and continuously. You need antivirus and antimalware on all of your endpoints, and you need to make sure they stay up to date. Patch all corporate asset applications and operating systems in a timely manner, particularly critical security patches. (The industry standard is normally 2 weeks after issuance to allow for field testing.) Don’t forget to back up all critical data securely and keep it offsite. Test your backups at least once a quarter. Include a strong firewall for your network, segment your network to protect critical operations, and turn on the personal firewall software on your desktop computers. Below are some useful links to guide you in this process:
  - U.S. CERT list of resources to assist small businesses in recognizing their cybersecurity risks: https://www.us-cert.gov/ccubedvp/smb
  - U.S. Federal Trade Commission list of 10 practical lessons for small businesses: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
- Training: don’t hate, educate. For small businesses to manage the impact of a cyberattack, they need to train. I recommend using a good threat intelligence feed to help train IT and security personnel on the threats facing the business and then have them meet periodically to go over the procedures to manage a real-world incident. The company needs to build good muscle memory into its incident response team, even if these types of requirements have been contracted out to an MSP. In the latter case, small businesses should work with their MSPs to determine how their in-house staff should support the MSP during an incident.
- Cyber Insurance: cover yourself. After a small business has assessed its risks, mitigated them, and done as much planning as possible, it should look into cyber insurance policies. The policy would likely be different for each company, depending on the services they require. Remember the costs I listed above. The largest costs post-incident are notifying all affected customers and engaging forensics/data recovery services. Having insurance goes a long way toward helping your business recover quickly and cleanly in the event of a breach.
Today’s online landscape is incredibly dynamic and changes every day. To manage risks in the face of increasing changes and challenges, we recommend small and medium businesses partner with MSPs that can provide critical security services, and work with their in-house teams on education and business continuity strategies. Businesses should also maintain security basics correctly and on a continuous basis, while doing extensive worst-case scenario planning. By taking these types of steps, we can ensure a safer, more secure online experience for all of our respective businesses and customers.
The post Cyber Threats to Small Businesses, a CISO’s View (Pt. 2) appeared first on Webroot Threat Blog.